Vidar Malware Conceals within Microsoft Help Files

Researchers from Trustwave cybersecurity unit discovered a phishing campaign by Vidar malware is being concealed in Microsoft Compiled HTML Help (CHM) files to avoid detection in email spam campaigns and more sophisticated in by nature  

The email contains a generic subject line and an attachment, “request.doc,” which is a .iso disk image that contains two files: a Microsoft Compiled HTML Help (CHM) file (pss10r.chm) and an executable file.

The CHM format is a Microsoft online extension file for accessing documentation and help files, and the compressed HTML format may hold text, images, tables, and links when used legitimately.

If it’s exploited by an attacker, they can use the format to force Microsoft Help Viewer (hh.exe) to load CHM objects.

When a malicious CHM file is unpacked, a JavaScript snippet will silently run app.exe, and while both files must be in the same directory, this can trigger the execution of the Vidar payload.

The Vidar samples obtained will get transferred to their C&C server via Mastodon, a multi-platform open-source social networking system. Specific profiles are searched, and C2 addresses are grabbed from user profile bio sections.

This allows the malware to set up its configuration and get to work harvesting user data. Also, in few cases Vidar was observed downloading and executing further malware payloads.

Glimpses of Vidar

Vidar is windows spyware and an information stealer initially found in 2018 is available for purchase by cybercriminals. Vidar can harvest OS & user data, online service and cryptocurrency account credentials, and credit card information.

While often deployed through spam and phishing campaigns, researchers have also spotted the C++ malware being distributed through the pay-per-install Private Loader dropper, and the Fallout exploit kit.