Vidar spyware is now hidden in Microsoft help files

By Scott Marlette Last updated Mar 25, 2022

A new cybercrime campaign has been discovered that abuses Microsoft HTML help files to distribute the Vidar malware.

Cybersecurity researchers from Trustwave reported of a threat actor distributing Vidar through an email spam campaign. In it, the attackers would send a relatively generic-looking email, with the attachment file “request.doc”.

That file is not a .doc file, but instead, an .iso disk image, carrying two separate files: a Microsoft Compiled HTML Help file (CHM), often titled pss10r.chm, and an executable file, titled app.exe.

The unpacked CHM file triggers a JavaScript snippet which quietly runs the app.exe file. That way, the Vidar malware is loaded onto the target endpoint.

Vidar is described as a Windows spyware and an infostealer, capable of harvesting both user data, and the data on the operating system. It is capable of pulling out cryptocurrency account credentials, as well as payment data, such as credit card details.

The .CHM file format is a Microsoft online extension file, used to access help files. The compressed HTML format allows for the distribution of images, tables and links. But the format can also be abused to load weaponized CHM objects.

In this particular case, the Vidar spyware connects to the command and control (C2) server via Mastodon.

According to business software and services provider Entersoft, Vidar was introduced in December 2018, and is allegedly of Russian origin. The conclusion that the Russians built Vidar was drawn from the fact that the malware stops working if it realizes that it’s operating on an endpoint from an ex-USSR country, or that the keyboard has a Russian layout.

The malware is named after the God of Vengance from Norse mythology – known as Víðarr. It seems to be a variant of the Arkei malware.

As usual, the best way to protect against malware such as this one is to be extra careful when downloading attachments from emails, or clicking on links received in emails from unknown, or unexpected senders.

Via: ZDNet

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.