File directory

Vidar spyware is now hidden in Microsoft help files

By Albert E. Darnell

Vidar malware has been detected in a new phishing campaign that abuses Microsoft’s HTML help files.

ZDNet recommends

The best security key

While strong passwords help secure your valuable online accounts, hardware-based two-factor authentication takes that security to the next level.

Read more

Thusday, Trustwave Cybersecurity researcher Diana Lopera said the spyware was concealed in Microsoft Compiled HTML Help (CHM) files to avoid detection in spam email campaigns.

Vidar is Windows spyware and information stealer available for purchase by cyber criminals. Vidar may collect operating system and user data, online service and cryptocurrency account IDs, and credit card information.

Although often deployed via spam and phishing campaigns, researchers have also spotted the C++ malware being distributed via the PrivateLoader pay-per-install dropper and Fallout exploit kit.

According to Trustwave, the email campaign distributing Vidar is far from sophisticated. The email contains a generic subject line and an attachment, “request.doc”, which is actually an .iso disk image.

screenshot-2022-03-23-at-10-20-00.png

Trustwave

The .iso file contains two files: a Microsoft Compiled HTML Help (CHM) file (pss10r.chm) and an executable (app.exe).

The CHM format is a Microsoft online extension file for accessing documentation and help files, and the compressed HTML format can contain text, images, tables, and links, when used legitimately.

However, when attackers exploit CHM, they can use the format to force Microsoft Help Viewer (hh.exe) to load CHM objects.

When a malicious CHM file is unzipped, a snippet of JavaScript code silently executes app.exe, and although the two files must be in the same directory, this may trigger the execution of the Vidar payload.

Vidar samples obtained by the team connect to their command and control (C2) server through Mastodon, a cross-platform open-source social networking system. Specific profiles are searched and C2 addresses are extracted from the bio sections of the user profile.

This allows the malware to configure its configuration and get to work harvesting user data. Additionally, Vidar has been observed downloading and executing other malware payloads.

See also

Do you have any advice? Get in touch securely via WhatsApp | Signal at +447713 025 499, or more at Keybase: charlie0

Related posts:

  1. How to display disk usage in Linux with the du command
  2. What is Kali Undercover? How to install it on Linux
  3. US, UK and Australia release joint cybersecurity advisory on the 30 most exploited vulnerabilities in 2020 and 2021
  4. How to install mods in Friday Night Funkin ‘
Albert E. Darnell
You might also like More from author

Comments are closed.