[MART] - Daily Diary #478 - New Vidar Campaign Abusing Windows CHM Files

CTAS-MAT ctas-mat at appgate.com
Fri Mar 25 21:19:39 UTC 2022

I hope everyone is doing well!

Below is the entry for today.

03/25/2022 - Diary entry #478

Vidar is an information stealer compiled in C++. It is believed to be a fork of Arkei, an older information stealer active in 2018. Among Vidar's capabilities are exfiltrating system information and stealing data from browsers and installed applications. Vidar is modular: once active on a system, it contacts its C2 server and downloads settings, dependencies and additional malware (if needed). All the exfiltrated information is sent back to the C2 operator. After the attack is done, Vidar can also delete its files in an attempt to cover its tracks.

In recent days, a new campaign spreading Vidar was disclosed, abusing Windows Compiled HTML Help files (.CHM). CHM files are usually trusted manuals shipped alongside installed applications to guide the user on how to use an application or solve common problems. The format allows the developer to write those help manuals as a collection of HTML pages, with an index and other navigation tools. Those pages can run small JavaScript stubs, and that is where the danger lies. In the Vidar campaigns, CHM files are attached to spam e-mails. When the attachment is opened, the JavaScript stub downloads and executes Vidar on the infected machine.

This incident shows how careful we need to be with e-mail attachments regarding their format. Threat actors will keep finding creative ways to use file formats that are less likely to be analysed or detected by common security solutions, in order to embed malicious scripts and obfuscate their attacks.
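As an added detection example (not part of this diary entry), the Python script below flags CHM attachments in an inbound message by the CHM container's "ITSF" magic as well as by extension, so an attachment renamed to hide its type is still caught; the sample message and its header-only attachment are constructed.

```python
"""Flag CHM attachments in inbound mail by content, not just by extension.

Added example, not from the MART diary entry. The sample message is
constructed; 'ITSF' is the real magic of the ITSS/CHM container format.
"""
import base64
import email
from email import policy

CHM_MAGIC = b"ITSF"


def is_chm(data: bytes) -> bool:
    """True if the payload starts with the Compiled HTML Help container magic."""
    return data[:4] == CHM_MAGIC


def find_chm_attachments(raw_eml: bytes):
    """Return (filename, reason) for each attachment that is CHM by name or content."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        by_ext = name.lower().endswith(".chm")
        by_magic = is_chm(payload)
        if by_ext or by_magic:
            reason = "extension+magic" if (by_ext and by_magic) else ("extension" if by_ext else "magic")
            hits.append((name, reason))
    return hits


def _build_sample() -> bytes:
    """Constructed .eml carrying a CHM header stub renamed to manual.txt."""
    fake_chm = CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 56   # header stub only, not a real CHM
    body = base64.b64encode(fake_chm).decode()
    return (
        "From: sender@example.invalid\r\nTo: user@example.invalid\r\n"
        "Subject: manual\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
        '--b1\r\nContent-Type: application/octet-stream; name="manual.txt"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="manual.txt"\r\n\r\n'
        f"{body}\r\n--b1--\r\n"
    ).encode()


SAMPLE_EML = _build_sample()

if __name__ == "__main__":
    for name, reason in find_chm_attachments(SAMPLE_EML):
        print(f"CHM attachment detected: {name} (matched by {reason})")
```

A mail gateway rule built on the same idea should quarantine on the magic match alone, since the extension is under the sender's control.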

Kind Regards,
