Vidar spyware is now hidden in Microsoft help files


Vidar malware has been detected in a new phishing campaign that abuses Microsoft HTML help files.

On Thursday, Trustwave cybersecurity researcher Diana Lopera said the spyware is being concealed in Microsoft Compiled HTML Help (CHM) files to avoid detection in email spam campaigns.

Vidar is Windows spyware and an information stealer available for purchase by cybercriminals. Vidar can harvest OS & user data, online service and cryptocurrency account credentials, and credit card information.

While often deployed through spam and phishing campaigns, researchers have also spotted the C++ malware being distributed through the pay-per-install PrivateLoader dropper and the Fallout exploit kit.

According to Trustwave, the email campaign distributing Vidar is far from sophisticated. The email contains a generic subject line and an attachment, "request.doc," which is actually a .iso disk image.

Image: Trustwave

The .iso contains two files: a Microsoft Compiled HTML Help (CHM) file (pss10r.chm) and an executable (app.exe).

The CHM format is a Microsoft online extension file for accessing documentation and help files, and the compressed HTML format may hold text, images, tables, and links -- when used legitimately.

However, when attackers exploit CHM, they can use the format to force Microsoft Help Viewer (hh.exe) to load CHM objects.

When a malicious CHM file is unpacked, a JavaScript snippet will silently run app.exe, and while both files have to be in the same directory, this can trigger the execution of the Vidar payload.

The Vidar samples obtained by the team connect to their command-and-control (C2) server via Mastodon, a multi-platform open source social networking system. Specific profiles are searched and C2 addresses are grabbed from user profile bio sections.

This allows the malware to set up its configuration and get to work harvesting user data. In addition, Vidar was observed downloading and executing further malware payloads.
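As an added, defender-side illustration (not part of the Trustwave write-up or this article), the check below walks constructed process-creation events and flags an executable launched by hh.exe out of the same directory as the CHM it was opened with, the chain described above. The event field names, paths and process IDs are assumptions, not a real sensor schema.

```python
"""Flag hh.exe (Microsoft Help Viewer) spawning an executable that sits
beside the CHM it was opened with. Sample data below is constructed."""
import ntpath
import re
from typing import Dict, List

# Constructed process-creation events (Sysmon-like shape; field names are
# an assumption). One benign CHM open, then a CHM opened from a mounted
# image that goes on to launch an executable from the same directory.
EVENTS: List[Dict[str, str]] = [
    {"pid": "4100", "ppid": "900", "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Program Files\Vendor\manual.chm'},
    {"pid": "5200", "ppid": "901", "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" E:\pss10r.chm'},
    {"pid": "5300", "ppid": "5200", "image": r"E:\app.exe",
     "cmdline": r'"E:\app.exe"'},
]

# Drive-letter path ending in .chm; [^"] keeps the match inside one argument
# and lets the parser skip past the quoted hh.exe path itself.
CHM_ARG = re.compile(r'([A-Za-z]:\\[^"]*?\.chm)\b', re.IGNORECASE)


def chm_argument(cmdline: str) -> str:
    """Return the .chm path passed to hh.exe, or '' when none is present."""
    match = CHM_ARG.search(cmdline)
    return match.group(1) if match else ""


def detect_chm_spawn(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one hit per child process whose parent is hh.exe holding a CHM.

    hh.exe rarely needs to start other programs, so any child is worth a
    look; same_dir marks the CHM-plus-executable layout described above.
    """
    by_pid = {e["pid"]: e for e in events}
    hits: List[Dict[str, object]] = []
    for child in events:
        parent = by_pid.get(child["ppid"])
        if parent is None or ntpath.basename(parent["image"]).lower() != "hh.exe":
            continue
        chm = chm_argument(parent["cmdline"])
        if not chm:
            continue
        same_dir = ntpath.dirname(chm).lower() == ntpath.dirname(child["image"]).lower()
        hits.append({"child": child["image"], "chm": chm, "same_dir": same_dir})
    return hits


if __name__ == "__main__":
    for hit in detect_chm_spawn(EVENTS):
        print("hh.exe child:", hit["child"], "| CHM:", hit["chm"], "| same dir:", hit["same_dir"])
```

In live telemetry the same logic maps onto a parent/child query (parent image name hh.exe, child image directory equal to the CHM's directory), with the unusual parent alone being a reasonable lower-severity alert.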
