Targets who engage with the files could have their data stolen, including personal information. The threat actors are targeting Microsoft compiles HTML help (CHM) files. While these are not widely used by the company anymore, they are still on Windows systems to give help documents for the platform. Vidar is a malware that mimics CHM files. Attackers send the package through an email, so there is a phishing component to this threat too. ISOs sent through the email will be disguised as a “request.doc” file. This is designed to look like a real Microsoft file, so unsuspecting users may fall for the trap. The request.doc ISO has malicious files inside:
A corrupt Microsoft CHM that SpiderLabs calls “pss10r.chm.” An executable called “app.exe.”
Attack
If a Windows users extracts the files, the system becomes infected. It is worth noting the pss10r.chm CHM is a legitimate Microsoft file. However, coupled with the Vidar exe file, it become malicious. “Vidar creates its own folder at C:\ProgramData. The data it collected from the infected system are saved on C:\ProgramData<random>\files. Then, this is archived at C:\ProgramData<random><machine GUID>.zip and sent to the C&C.” The CHM allows the Vidar exe to run and deliver its payloads. SpiderLabs breaks down the specifics of the attack in its official report. Once on a machine, Vidar steals information from browsing activity and other Windows services. Tip of the day: Do you often experience PC freezes or crashs with Blue Screens of Death (BSOD)? Then you should use Windows Memory Diagnostic to test your computers RAM for any problems that might be caused from damaged memory modules. It is a tool built Microsoft which can be launched at startup to run various memory checks.