Vidar spyware is now hidden in Microsoft help files

Vidar malware has been detected in a new phishing campaign that abuses Microsoft’s HTML help files.


On Thursday, Trustwave cybersecurity researcher Diana Lopera said the spyware was concealed in Microsoft Compiled HTML Help (CHM) files to avoid detection in spam email campaigns.

Vidar is a Windows spyware and information stealer sold to cybercriminals. It may collect operating system and user data, online service and cryptocurrency account IDs, and credit card information.

Although often deployed via spam and phishing campaigns, researchers have also spotted the C++ malware being distributed via the PrivateLoader pay-per-install dropper and Fallout exploit kit.

According to Trustwave, the email campaign distributing Vidar is far from sophisticated. The email contains a generic subject line and an attachment, “request.doc”, which is actually an .iso disk image.

The .iso file contains two files: a Microsoft Compiled HTML Help (CHM) file (pss10r.chm) and an executable (app.exe).

CHM is Microsoft's compiled, compressed HTML format for distributing documentation and help files; when used legitimately it can contain text, images, tables, and links.

However, when attackers exploit CHM, they can use the format to force Microsoft Help Viewer (hh.exe) to load CHM objects.

When the malicious CHM file is unpacked and opened, a snippet of JavaScript silently launches app.exe. The two files must sit in the same directory for this to work, but when they do, the Vidar payload executes.
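As an added defender-side example (not code from the Trustwave write-up), the following Python triage routine checks an email attachment for the two traits of this lure: a document-named file that is really an ISO 9660 image, and an image that bundles a CHM with an executable. The sample bytes and the list of files inside the image are constructed here; in a real deployment a mail gateway's attachment parser would supply them.

```python
from typing import List

# ISO 9660 primary volume descriptor lives at sector 16 (offset 0x8000);
# byte 0 is the descriptor type, bytes 1-5 are the literal "CD001".
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"
CHM_MAGIC = b"ITSF"          # Compiled HTML Help file header
DOC_EXTENSIONS = {".doc", ".docx", ".pdf", ".rtf"}   # what a "document" lure claims to be


def sniff_type(data: bytes) -> str:
    """Identify the attachment by its content, ignoring the declared file name."""
    end = ISO_MAGIC_OFFSET + len(ISO_MAGIC)
    if len(data) >= end and data[ISO_MAGIC_OFFSET:end] == ISO_MAGIC:
        return "iso"
    if data.startswith(CHM_MAGIC):
        return "chm"
    if data.startswith(b"MZ"):
        return "exe"
    return "unknown"


def triage_attachment(name: str, data: bytes, contained: List[str]) -> List[str]:
    """Return the reasons an attachment matches the CHM-dropper lure pattern.

    contained: file names found inside the image (supplied by the caller's ISO parser).
    """
    findings = []
    ext = ("." + name.rsplit(".", 1)[-1]).lower() if "." in name else ""
    kind = sniff_type(data)
    if ext in DOC_EXTENSIONS and kind == "iso":
        findings.append(f"{name}: named as {ext} but content is an ISO 9660 image")
    lower = [f.lower() for f in contained]
    if any(f.endswith(".chm") for f in lower) and any(f.endswith(".exe") for f in lower):
        findings.append(f"{name}: image bundles a .chm with an .exe (CHM-to-EXE launch pattern)")
    return findings


# Constructed sample mimicking the campaign: an ISO image delivered as "request.doc"
SAMPLE_ISO = bytearray(ISO_MAGIC_OFFSET + 2048)
SAMPLE_ISO[ISO_MAGIC_OFFSET - 1] = 1                 # descriptor type 1 = primary volume
SAMPLE_ISO[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] = ISO_MAGIC
SAMPLE_CONTENTS = ["pss10r.chm", "app.exe"]          # file names reported in the article

if __name__ == "__main__":
    for finding in triage_attachment("request.doc", bytes(SAMPLE_ISO), SAMPLE_CONTENTS):
        print("ALERT", finding)
```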

Vidar samples obtained by the team connect to their command-and-control (C2) server through Mastodon, a cross-platform open-source social networking system. The malware looks up specific profiles and extracts C2 addresses from the bio section of each one.

This allows the malware to retrieve its configuration and get to work harvesting user data. Additionally, Vidar has been observed downloading and executing other malware payloads.
