
At The Identity Organisation, we're here to help!


    Info Stealer Malware Vidar Uses Microsoft Help Files to Launch Attacks


    It appears that the use of Microsoft CHM files is gaining popularity, and from the way this latest attack works, it’s a rather ingenious and flexible method that could become more prevalent.

    What attackers need is some kind of platform or application that can execute code, launch other programs, and perform tasks. We’ve seen plenty of abuse of Java, PowerShell, and the like. But a new attack found by security researchers at Trustwave uses Microsoft Compiled HTML Help (CHM) files. What makes CHM files so powerful is that they can make the Microsoft Help Viewer (a legitimate program) load CHM objects, which can include additional malicious content or code. While CHM files are most definitely not a scripting language, they do provide threat actors with a powerful way to live off the land.

    In the most recent case, the initial compromise relies on a phishing email carrying an ISO file. Once opened, the ISO contains a Java snippet that launches an included executable, which in turn loads the CHM file. The CHM file is used to load Vidar, a nasty information stealer that can harvest data, online and cryptocurrency account credentials, credit card information, and more. We have also seen CHM files used in a recent CryptoWall attack, which suggests CHM will appear in more initial-access attacks in the future.
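As an added example (not part of the original post or of Trustwave's research), the following Python shows how a defender might flag the chain above in process-creation telemetry: an executable on a mounted ISO opening a CHM through the Help Viewer, which then spawns a child. It assumes the HTML Help viewer runs as hh.exe, and every event below is constructed, not real telemetry.

```python
import re
from typing import Dict, List

# Constructed Sysmon-like process-creation events (not real telemetry).
# PIDs 200-400 model the chain described above: an executable on a mounted
# ISO (appearing as drive D:) opens a CHM via the Help Viewer (assumed to be
# hh.exe), which then spawns a child. PID 500 is a benign vendor manual.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"D:\invoice.exe",
     "cmdline": r"D:\invoice.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\hh.exe",
     "cmdline": r"hh.exe D:\invoice.chm"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\hh.exe",
     "cmdline": r'hh.exe "C:\Program Files\Vendor\manual.chm"'},
]

# Heuristic: CHM files shipped with software normally live under these roots.
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")
CHM_RE = re.compile(r'"?([a-z]:\\[^"]*?\.chm)"?', re.IGNORECASE)


def chm_path(cmdline: str):
    """Return the .chm path named on a command line, or None."""
    m = CHM_RE.search(cmdline)
    return m.group(1) if m else None


def is_help_viewer(image: str) -> bool:
    return image.lower().endswith(r"\hh.exe")


def find_suspicious_chm_launches(events: List[Dict]) -> List[Dict]:
    """Flag Help Viewer launches matching the ISO -> EXE -> CHM chain."""
    by_pid = {e["pid"]: e for e in events}
    children: Dict[int, List[Dict]] = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    findings = []
    for e in events:
        if not is_help_viewer(e["image"]):
            continue
        reasons = []
        path = chm_path(e["cmdline"])
        if path and not path.lower().startswith(TRUSTED_ROOTS):
            reasons.append(f"CHM loaded from untrusted location: {path}")
        parent = by_pid.get(e["ppid"])
        if parent and not parent["image"].lower().endswith(r"\explorer.exe"):
            reasons.append(f"Help Viewer launched by {parent['image']}")
        if children.get(e["pid"]):
            spawned = ", ".join(c["image"] for c in children[e["pid"]])
            reasons.append(f"Help Viewer spawned child process(es): {spawned}")
        if reasons:
            findings.append({"pid": e["pid"], "reasons": reasons})
    return findings
```

Any one of the three reasons is worth a look on its own; all three together on the same process reproduce the chain the post describes.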

    The good news is that this latest Vidar attack is launched through a fairly rudimentary phishing lure: a simple email with an attachment.

    [Screenshot: the Vidar phishing email with its attachment]

    Users who have taken Security Awareness Training will be able to spot this type of attack a mile away and simply delete the email rather than engage with its malicious content.


    Free Phish Alert Button

    Do your users know what to do when they receive a phishing email? KnowBe4’s Phish Alert Button gives your users a safe way to forward email threats to the security team for analysis and deletes the email from the user’s inbox to prevent future exposure. All with just one click! Phish Alert benefits: 


    Here’s how it works:

    • Reinforces your organization’s security culture
    • Users can report suspicious emails with just one click
    • Incident Response gets early phishing alerts from users, creating a network of “sensors”
    • Email is deleted from the user’s inbox to prevent future exposure
    • Easy deployment via MSI file for Outlook, G Suite deployment for Gmail (Chrome)

    PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/free-phish-alert-partner?partnerid=001a000001lWEoJAAW
