CHM Help Files Deliver Brazilian Banking Trojan

CHM help files have been used for over a decade to hide malicious downloader code, making it harder to spot. A CHM (Compiled HTML) file is a Microsoft online help format that bundles a collection of HTML pages into a single compressed file.

Security researchers at Trustwave have recently warned about a new spam campaign that targets Brazilian institutions with emails carrying Compiled HTML file attachments in order to deliver a banking Trojan.

The malicious CHM attachment is called “comprovante.chm”, wrote Rodel Mendrez, senior security researcher at Trustwave.

He added that the attack consists of “multiple stages of malware infection originating from an email with a trojanized CHM attachment”. As soon as the user opens the CHM, it executes a PowerShell command, which downloads the next stage of the PowerShell script. A scheduled task is then created to gain persistence, so that the malware runs again the next time the user logs in.

The attack sequence consists of three scheduled tasks. The first runs the malware when the user logs in. The second reboots the targeted system via a malicious PowerShell script. Finally, Server.bin is executed; this loads the file CRYPTUI.DLL, which can then download new payloads.
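The chain described above (CHM viewer launching PowerShell, PowerShell registering a logon task, a loaded DLL injecting into iexpress.exe) leaves parent/child process traces that a defender can alert on. The following is an added example, not code from Trustwave or from the write-up; it runs three heuristic rules over constructed process-creation records whose field names, paths, PIDs and the `loader.exe` stand-in for the stage-3 loader are all assumptions.

```python
"""
Added example (not from the Trustwave write-up): heuristic detection of the
CHM -> PowerShell -> scheduled-task -> iexpress.exe chain over constructed
process-creation records. Field names and sample values are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List


@dataclass
class ProcEvent:
    """Minimal process-creation record (modelled on Sysmon Event ID 1 fields)."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'C:\\x\\HH.EXE' -> 'hh.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage(event: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Iterator[ProcEvent]:
    """Yield parent, grandparent, ... of an event; stop on unknown PIDs or cycles."""
    seen = {event.pid}
    cur = by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen:
        yield cur
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)


def detect(events: List[ProcEvent]) -> List[dict]:
    """Apply three rules derived from the chain in the article; return alerts in event order."""
    by_pid = {e.pid: e for e in events}
    alerts: List[dict] = []
    for e in events:
        name = basename(e.image)
        parents = [basename(p.image) for p in lineage(e, by_pid)]
        parent = parents[0] if parents else ""

        # Rule 1: the CHM viewer (hh.exe) has no business launching PowerShell.
        if name == "powershell.exe" and parent == "hh.exe":
            alerts.append({"rule": "chm_spawns_powershell", "pid": e.pid})

        # Rule 2: a scheduled task created anywhere under a PowerShell ancestry
        # (the persistence step: run again at the next logon).
        if (name == "schtasks.exe" and "/create" in e.cmdline.lower()
                and "powershell.exe" in parents):
            alerts.append({"rule": "powershell_creates_scheduled_task", "pid": e.pid})

        # Rule 3: iexpress.exe is an interactive packaging wizard; being spawned
        # by anything other than the shell is unusual (the DLL injects into it).
        if name == "iexpress.exe" and parent != "explorer.exe":
            alerts.append({"rule": "unexpected_iexpress_launch", "pid": e.pid})
    return alerts


# Constructed sample events. Paths, PIDs and the loader name are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\hh.exe",
              r'"C:\Windows\hh.exe" C:\Users\alice\Downloads\comprovante.chm'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -WindowStyle Hidden -Command "<stage-2 downloader omitted>"'),
    ProcEvent(400, 300, r"C:\Windows\System32\schtasks.exe",
              'schtasks.exe /Create /SC ONLOGON /TN Updater /TR "powershell.exe -File <placeholder>.ps1"'),
    ProcEvent(500, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    # Placeholder for the stage-3 loader (Server.bin + CRYPTUI.DLL in the article).
    ProcEvent(600, 300, r"C:\Users\alice\AppData\Roaming\loader.exe", "loader.exe"),
    ProcEvent(700, 600, r"C:\Windows\System32\iexpress.exe", "iexpress.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Rule 1 is the cheapest and most specific signal: hh.exe spawning any scripting host is rare on a workstation, so it can be alerted on with very few false positives, while rules 2 and 3 are better treated as corroborating context.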

“When the DLL is loaded (CRYPTUI.DLL), it spawns and injects its malicious code to a new process named iexpress.exe. It then obtains system information such as username and computer name and reports back to its control server,” the researcher said.

The use of multiple stages of infection is a typical way for attackers to avoid detection. Trustwave found that only eight out of sixty AV scanners identified the CHM file attachments as malicious more than a month after it discovered this sample.

CHM files can run JavaScript, which the attackers employ to redirect victims to external URLs. CHM files have been similarly exploited in other recent attacks on financial organizations, including by the Silence group operating in Russia, Malaysia and Armenia, whose activities were uncovered by researchers at Kaspersky Lab, which published a report on the group in November.

“Attackers began exploiting CHM files to automatically run malicious payloads once the file is accessed. Once the attachment is opened by the victim, the embedded .htm content file (“start.htm”) is executed,” Kaspersky Lab said. “This file contains JavaScript, and its goal is to download and execute another stage from a hardcoded URL.”
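Because the malicious behaviour lives in an embedded page such as start.htm, a quick static triage of the HTML extracted from a suspicious CHM (for instance with `hh.exe -decompile <folder> <file.chm>`) can surface the script and hardcoded URL the Kaspersky Lab quote describes before anything is executed. The script below is an added example, not code from Trustwave or Kaspersky Lab; its pattern set is a heuristic assumption, the `<object classid=...>` check is included as a commonly abused CHM feature, and the two sample pages (with a zeroed placeholder clsid and an `.invalid` URL) are constructed.

```python
"""
Added example (not from the Trustwave or Kaspersky write-ups): static triage of
HTML pages extracted from a CHM, flagging embedded script, hardcoded URLs and
<object classid=...> tags. Patterns and sample files are assumptions/constructed.
"""
import os
import re
import tempfile
from typing import Dict, List

SCRIPT_TAG = re.compile(r"<script\b", re.I)
ACTIVEX_OBJECT = re.compile(r"<object\b[^>]*\bclassid\s*=", re.I)
EXTERNAL_URL = re.compile(r"https?://[^\s\"'<>]+", re.I)


def triage_html(text: str) -> List[str]:
    """Return finding labels for one HTML page (empty list means nothing flagged)."""
    findings: List[str] = []
    if SCRIPT_TAG.search(text):
        findings.append("script_tag")
    if ACTIVEX_OBJECT.search(text):
        findings.append("activex_object")
    for url in EXTERNAL_URL.findall(text):
        findings.append("url:" + url)
    return findings


def triage_extracted_chm(root: str) -> Dict[str, List[str]]:
    """Walk a directory of extracted CHM content and triage every .htm/.html page."""
    results: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".htm", ".html")):
                continue
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[rel] = triage_html(fh.read())
    return results


# Constructed sample pages: a benign help page and a page shaped like the
# "start.htm" described in the article. The clsid is a zeroed placeholder.
SAMPLE_PAGES = {
    "index.htm": "<html><body><h1>Receipt</h1><p>Plain help text, no script.</p></body></html>",
    "start.htm": (
        "<html><body>\n"
        '<script type="text/javascript">\n'
        "  // constructed placeholder for a stage-2 fetch from a hardcoded URL\n"
        '  var next = "http://stage.example.invalid/next";\n'
        "</script>\n"
        '<object id="x" classid="clsid:00000000-0000-0000-0000-000000000000" width="1" height="1"></object>\n'
        "</body></html>\n"
    ),
}


def demo() -> Dict[str, List[str]]:
    """Write the sample pages to a temporary directory, triage it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_PAGES.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return triage_extracted_chm(tmp)


if __name__ == "__main__":
    for page, findings in demo().items():
        print(page, findings or "clean")
```

A legitimate help file rarely needs script at all, so any `script_tag` finding in a CHM that arrived by email is worth a closer look, and a URL pointing outside the organisation is the indicator to pass to the network team.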

The next stage for Silence is dropping payload modules that spy on systems and employees, including via the screen monitor.
