Vidar spyware is now hidden in Microsoft help files
Vidar malware has been detected in a new phishing campaign that abuses Microsoft’s HTML help files.
Thusday, Trustwave Cybersecurity researcher Diana Lopera said the spyware was concealed in Microsoft Compiled HTML Help (CHM) files to avoid detection in spam email campaigns.
Vidar is Windows spyware and information stealer available for purchase by cyber criminals. Vidar may collect operating system and user data, online service and cryptocurrency account IDs, and credit card information.
Although often deployed via spam and phishing campaigns, researchers have also spotted the C++ malware being distributed via the PrivateLoader pay-per-install dropper and Fallout exploit kit.
According to Trustwave, the email campaign distributing Vidar is far from sophisticated. The email contains a generic subject line and an attachment, “request.doc”, which is actually an .iso disk image.
The .iso file contains two files: a Microsoft Compiled HTML Help (CHM) file (pss10r.chm) and an executable (app.exe).
The CHM format is a Microsoft online extension file for accessing documentation and help files, and the compressed HTML format can contain text, images, tables, and links, when used legitimately.
However, when attackers exploit CHM, they can use the format to force Microsoft Help Viewer (hh.exe) to load CHM objects.
Vidar samples obtained by the team connect to their command and control (C2) server through Mastodon, a cross-platform open-source social networking system. Specific profiles are searched and C2 addresses are extracted from the bio sections of the user profile.
This allows the malware to configure its configuration and get to work harvesting user data. Additionally, Vidar has been observed downloading and executing other malware payloads.
Do you have any advice? Get in touch securely via WhatsApp | Signal at +447713 025 499, or more at Keybase: charlie0
Comments are closed.