Microsoft Help Files Disguise Vidar Malware

Attackers are hiding interesting malware in a boring place, hoping victims won’t bother to look.

Where’s the last place you’d expect to find malware? In an email from your mother? Embedded in software you trust and use every day (actually, that’s probably the first place you should look)? How about in a technical documentation file?

In a report published Thursday, Trustwave SpiderLabs revealed a new phishing attack designed to plant the Vidar infostealer on target machines. The trick to this particular campaign is that it conceals its complex malware behind a Microsoft Compiled HTML Help (.CHM) file, Microsoft’s proprietary file format for help documentation saved in HTML. In other words, it’s the kind of file you almost never look at or even think about.

After all, what better place to hide something interesting than within something boring? That’s just what cyberattackers have done in a recent spate of data-stealing attacks, leveraging .CHM files in a nested attack that prioritizes obfuscation.

The Latest Phish

Some threat actors will dedicate a tremendous amount of effort to diligently crafting a perfect phishing email. They copy a well-known brand’s graphics to a tee, and compose a perfect message conveying legitimacy and professionalism,

Read More: https://threatpost.com/microsoft-help-files-vidar-malware/179078/