Researchers detect Vidar spyware hidden in Microsoft help files

Posted on March 25, 2022 at 8:05 AM

Researchers detect Vidar spyware hidden in Microsoft help files

Phishing campaigns do not seem to be reducing, as attackers find new ways to launch their attacks. A recent report noted that the Vidar malware is now present in Microsoft HTML help files.

The malware is stealthily conducting a new phishing campaign. The campaign is geared towards stealing sensitive information from user devices.

Vidar spyware on Microsoft help files

A report from Diana Lopera, a cybersecurity researcher with Trustwave, stated that attackers were hiding the malware in Microsoft Compiled HTML Help (CHM) files to avoid it from being detected. Usually, this malware is detected in email spam campaigns.

Vidar is one of the most popular malware among cybercriminals. The malware has been used for a wide range of attacks, with the most popular being to steal personal information and spy on user devices. The malware is easily accessed by cybercriminals on the dark web.

The Vidar malware works by harvesting the OS and user data. It also compromises online services, and it can also access sensitive information such as the credentials of a cryptocurrency exchange account and a credit card.

In most cases, the Vidar malware is deployed to user devices through spam and phishing campaigns. However, this is now changing, with cybersecurity researchers not saying that the malware is being deployed using the pay-per-install PrivateLoader dropper and the Fallout exploit kit. The C++ malware is now finding its way into other systems, increasing its distribution and making internet users more prone to the exploitation of the malware.

The report from the Trustwave researcher noted that the email campaign is used to deploy the Vidar malware is running a high level of sophistication. The email contains a generic subject line and attachment. It features a “request.doc”, which usually operates like a .iso disk image.

“In this campaign, the ISO attachment holds two files – a Microsoft Compiled HTML Help (CHM) file “pss10r.chm” and an executable “app.exe.” Once the attacker tricks the recipient into extracting the contents of ‘request.doc’ and then executes either one, the system can be compromised,” the researcher said.

The CHM Format is an online extension file on Microsoft. The file can be used to access documents and provide help to files. The compressed HTML format can also contain images, texts, tables and links. These can then be used legitimately.

However, cybercriminals are now going around how this system works. They exploit CHM to use the format to compel Microsoft Help Viewer (hh.exe) to load CHM objects. When the attackers use this format, it will force Microsoft Help Viewer to execute the malicious objects, and this is how the attackers launch their spyware campaign.

When a malicious CGM file has been unpacked, a JavaScript snippet will execute app.exe. The two files need to be in the same directory for the execution to happen. This will automatically execute the Vidar payload.  

“The appended HTA has some JavaScript that silently runs ‘app.exe’, the second file inside the ISO attachment. Note that for this loader to work, the executable must be extracted to the same directory as the CHM file,” the report added.

The researchers collected Vidar samples detected on user devices. They found that the samples connected to the command-and-control (C2) server through Mastodon. The latter is a multi-platform social networking system that is open source. Specific profiles will be searched on this platform, and C2 addresses will be obtained from the bio section of these user profiles.

Once this is done, it will allow the malware to create its configuration and start working. Its work involves harvesting personal user data. Other studies have shown that the Vidar malware is also being used to download and execute additional malware payloads.

Phishing campaigns

Phishing campaigns have become increasingly popular over the past year. In 2020, a large shift towards working from home structures was witnessed. A boom of online shopping and ecommerce also led to many people linking their credit cards online, presenting a new opportunity for attackers to steal sensitive information.

Phishing campaigns usually require an action on the user’s side, such as opening an email or opening a link. However, spyware is more sophisticated, as it can get access to user information despite the user not knowing.

The increased threat to online users has created a need to boost cybersecurity systems. One of the ways to do this is setting up advanced protection measures, especially for businesses entities. This can help detect malware or spyware on user devices. Best internet practices include setting up strong passwords.

Researchers detect Vidar spyware hidden in Microsoft help files
Article Name
Researchers detect Vidar spyware hidden in Microsoft help files
A Trustwave researcher has unveiled spyware on Microsoft help files. The spyware is harvesting user information such as credit card details. The malware avoided detection by hiding on Microsoft Compiled Help (CHM) files.
Publisher Name
Publisher Logo

Share this:

Related Stories:


Get the latest stories straight
into your inbox!


Discover more from KoDDoS Blog

Subscribe now to keep reading and get access to the full archive.

Continue reading