Reply to thread

Message

<blockquote data-quote="Andy Ful" data-source="post: 988985" data-attributes="member: 32260">SWH vs. CHM attack vector[URL unfurl=&quot;false&quot;]https://malwaretips.com/threads/ukraine-supporters-in-germany-targeted-with-powershell-rat-malware.113839/[/URL]Compromising the security layers via &quot;.chm&quot; files is a well known and still very efficient method. I saw several such attacks in the past, for example:Cryptowall: <a href="https://www.bitdefender.com/blog/hotforsecurity/cryptowall-makes-a-comeback-via-malicious-help-files-chm" target="_blank">Cryptowall Makes a Comeback Via Malicious Help Files (CHM)</a>Silence banking trojan: <a href="https://securelist.com/the-silence/83009/" target="_blank">Silence – a new Trojan attacking financial organizations</a>LovxCrypt Ransomware: <a href="https://blogs.blackberry.com/en/2017/04/threat-spotlight-lovxcrypt-ransomware" target="_blank">Threat Spotlight: LovxCrypt Ransomware</a>RURansom Wiper: [URL unfurl=&quot;false&quot;]https://blog.cyble.com/2022/03/11/ongoing-russia-ukraine-warfare-significant-cyber-incidents/[/URL]APT41 espionage: <a href="https://www.mandiant.com/resources/apt41-dual-espionage-and-cyber-crime-operation" target="_blank">https://www.mandiant.com/resources/apt41-dual-espionage-and-cyber-crime-operation</a>The common infection chain:Email attachment -----&gt; user downloads an attachment -----&gt; user opens the .chm file -----&gt; payload is dropped/downloaded and executedSWH blocks opening .chm files by default via SRP restrictions.The .chm file is opened by the hh.exe LOLBin (HTML Help), which is also a JavaScript interpreter. So, the attacker can embed the JavaScript malicious code into the .chm file.In the past, the .chm files were often used to download and execute PE payloads, but they can be easily used also in fileless attacks like in the example of recent attacks on German users.</blockquote>

[QUOTE="Andy Ful, post: 988985, member: 32260"] [B][SIZE=5]SWH vs. CHM attack vector[/SIZE][/B] [URL unfurl="false"]https://malwaretips.com/threads/ukraine-supporters-in-germany-targeted-with-powershell-rat-malware.113839/[/URL] Compromising the security layers via ".chm" files is a well known and still very efficient method. I saw several such attacks in the past, for example: [I]Cryptowall[/I]: [URL='https://www.bitdefender.com/blog/hotforsecurity/cryptowall-makes-a-comeback-via-malicious-help-files-chm']Cryptowall Makes a Comeback Via Malicious Help Files (CHM)[/URL] [I]Silence banking trojan[/I]: [URL='https://securelist.com/the-silence/83009/']Silence – a new Trojan attacking financial organizations[/URL] [I]LovxCrypt Ransomware[/I]: [URL='https://blogs.blackberry.com/en/2017/04/threat-spotlight-lovxcrypt-ransomware']Threat Spotlight: LovxCrypt Ransomware[/URL] [I]RURansom Wiper: [/I][URL unfurl="false"]https://blog.cyble.com/2022/03/11/ongoing-russia-ukraine-warfare-significant-cyber-incidents/[/URL] [I]APT41 espionage[/I]: [URL]https://www.mandiant.com/resources/apt41-dual-espionage-and-cyber-crime-operation[/URL] [B]The common infection chain:[/B] [COLOR=rgb(0, 168, 133)][B]Email attachment -----> user downloads an attachmen[/B]t[/COLOR] -----> [COLOR=rgb(184, 49, 47)][B]user opens the .chm file -----> payload is dropped/downloaded and executed[/B][/COLOR] SWH blocks opening .chm files by default via SRP restrictions. The .chm file is opened by the [B]hh.exe[/B] LOLBin (HTML Help), which is also a JavaScript interpreter. So, the attacker can embed the JavaScript malicious code into the .chm file. In the past, the .chm files were often used to download and execute PE payloads, but they can be easily used also in fileless attacks like in the example of recent attacks on German users. [/QUOTE]

Verification