Attackers are hiding malware in a boring area, hoping victims will not look.
Where is the last place you would expect to find malware? Embedded in software you trust & use every day (actually, that’s probably the 1st place you should look)? What about in a technical documentation file?
In a report published Thur., Trustwave Spider Labs revealed a new phishing attack designed to plant the Vidar info stealer on target machines.
Complex Malware
The method to this particular campaign is that it hides its complex malware behind a Microsoft Compiled HTML Help (.CHM) file, Microsoft’s file format for help documentation saved in HTML. It is the type of file you almost never look at, or even think about.
What better place to hide something interesting than within something boring? That is just what cyber-attackers have done in a recent series of data-stealing attacks: use .CHM files in an attack that prioritises obfuscation.
Latest Phish
Some threat players will use a large amount of effort to diligently craft a perfect phishing email. They copy a well-known brand’s graphics, & compose a perfect message conveying legitimacy & professionalism, but also urgency.
If the attackers spent any more than 3 minutes crafting their phishing email, it does not show.
The subject line – “Re: Not read: Coverage Inquiry 3.24.16” – goes some way to implying that an ongoing discussion is occurring (“Re”), & that the recipient must act (“Not read”) & is otherwise vague enough to not create immediate suspicion. The body of the email does even less:
The important information for you. See the attachment to the email.
Thank You!
request.doc
The attachment appears to the recipient as “request.doc,” but is, in fact, an .ISO file, Trustwave noted in its analysis. ISOs are used to copy the information on physical optical discs into a single file.
However, as the report says, hackers have learned how to re-purpose ISO files as malware containers. States Trustwave, there was a “notable uptick” in this strategy beginning in 2019. Vidar itself started gaining popularity about the same time.
Vidar Malware
Vidar is a kind of jack-of-all-trades info stealer, derived from the Arkei malware family. As explained previously, just after it was 1st discovered:
Vidar steals documents, cookies & browser histories (including from Tor), currency from a wide array of cryptocurrency wallets, data from 2-factor authentication software & text messages, plus it can take screenshots.
The package also offers malware operators Telegram notifications for important logs. Lastly, threat players can customise the stealer via profiles, which lets them specify the kind of data in which they are interested.
JavaScript
In this latest campaign, the .ISO file contains a .CHM file named “pss10r.chm.” Towards the end of the file’s code is a portion of HTML application (HTA) code containing JavaScript that secretly triggers a 2nd file, “app.exe.” This is really Vidar malware.
“One of the objects unpacked from the .CHM is the HTML file ‘PSSXMicrosoftSupportServices_HP05221271.htm’ — the primary object that gets loaded when the CHM pss10r.chm is opened,” according to the Trustwave report. “This HTML has a button object which automatically triggers the silent re-execution of the .CHM “pss10r.chm” with mshta.” Mshta is a Windows binary used for executing HTA files.
Mastodon
When app.exe triggers, Vidar downloads its dependencies & configuration settings from a command-&-control (C2) server, which is retrieved from Mastodon, an open-source social networking platform. The malware then searches 2 hard-coded profiles & seizes the C2 address from the Bio section.
Then, Vidar starts stealing. Any information it picks up gets sent back to the C2. Vidar can also download additional malware to the target machine. The malware covers its tracks by deleting all the files it is created.
Deceit
This approach & the use of unassuming Help files is all in the name of deceit.
“We’ve seen this technique used quite a bit recently,” Karl Sigler, Senior Security Research Manager at Trustwave Spider Labs, explained, “& the various attempts at nesting the attack (from .ISO to .CHM to .HTA to JavaScript to execution) shows the lengths that these actors are going to try to obfuscate & hide their attack.”
He concluded. “This TTP is really popular right now.”
