The Vidar malware was discovered in a new phishing campaign that abused HTML help files. As explained by Trustwave cybersecurity researcher Diana Lopera, the spyware is hidden in compiled CHM files to avoid detection in spam email campaigns.
Vidar is a Windows spyware and information stealing program that can be acquired by cyber criminals. Vidar can intercept operating system and user credentials, online service and cryptocurrency credentials, and credit card information.
According to Trustwave, the email campaign that distributes Vidar is far from sophisticated. The message contains a generic subject line and an attachment named “request.doc”, which is actually an .iso disk image.
The .iso file contains two files: a Microsoft Compiled HTML Help (CHM) file (pss10r.chm) and an executable file (app.exe).
The compressed HTML format of CHM files can legitimately contain text, images, tables and links. However, attackers who abuse CHM can use the format to force Microsoft Help Viewer (hh.exe) to load objects embedded in the CHM file.
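The attachment pattern described above (a file named like a Word document that is really an ISO 9660 image bundling a CHM file and an executable) can be flagged on the mail gateway from file signatures alone. The following is an added example written for this article, not Trustwave's tooling or the campaign's files: it checks the ISO 9660 identifier `CD001` at the primary volume descriptor, the CHM container signature `ITSF`, and PE headers (`MZ` stub whose `e_lfanew` points at `PE\0\0`), and reports an extension mismatch. The sample image it builds is constructed inline for the demonstration; the file names are illustrative.

```python
"""Signature-based triage for a '.doc' attachment that is really an ISO
carrying a CHM help file plus an executable. Added example with
constructed sample data; not code from the article or the campaign."""
import os
import struct

ISO_PVD_OFFSET = 0x8000   # ISO 9660 primary volume descriptor lives in sector 16
ISO_MAGIC = b"CD001"      # standard identifier at PVD offset + 1
CHM_MAGIC = b"ITSF"       # CHM (ITSS) container header signature


def is_iso_image(data: bytes) -> bool:
    """True if the blob carries the ISO 9660 identifier at byte 0x8001."""
    return data[ISO_PVD_OFFSET + 1 : ISO_PVD_OFFSET + 6] == ISO_MAGIC


def is_chm(data: bytes) -> bool:
    """True if the blob starts with the CHM container signature."""
    return data.startswith(CHM_MAGIC)


def find_all(data: bytes, needle: bytes) -> list:
    """Every offset at which `needle` occurs in `data`."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def find_pe_headers(data: bytes) -> list:
    """Offsets of 'MZ' stubs whose e_lfanew (at +0x3C) points to 'PE\\0\\0'.
    ISO 9660 stores file contents uncompressed, so a byte scan finds them."""
    hits = []
    for pos in find_all(data, b"MZ"):
        if pos + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
        if 0x40 <= e_lfanew < 0x1000 and data[pos + e_lfanew : pos + e_lfanew + 4] == b"PE\0\0":
            hits.append(pos)
    return hits


def assess_attachment(filename: str, data: bytes) -> list:
    """Return human-readable findings for one attachment (empty list = nothing notable)."""
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    if is_chm(data):
        findings.append("attachment is a CHM file")
    if is_iso_image(data):
        if ext not in (".iso", ".img"):
            findings.append(f"extension mismatch: named {ext!r} but content is an ISO 9660 image")
        chm_hits = find_all(data, CHM_MAGIC)
        pe_hits = find_pe_headers(data)
        if chm_hits:
            findings.append(f"ISO embeds {len(chm_hits)} CHM container(s)")
        if pe_hits:
            findings.append(f"ISO embeds {len(pe_hits)} PE executable(s)")
        if chm_hits and pe_hits:
            findings.append("CHM + executable bundled in one image: matches help-file lure pattern")
    return findings


def build_sample_iso() -> bytes:
    """Constructed sample: a minimal ISO-like blob containing a fake CHM header
    and a fake PE header, enough for the signature checks above."""
    blob = bytearray(ISO_PVD_OFFSET)                 # empty system area
    blob += b"\x01" + ISO_MAGIC + b"\x01" + bytes(2041)  # PVD: type 1, "CD001", version 1
    fake_chm = CHM_MAGIC + bytes(60)
    fake_pe = bytearray(b"MZ" + bytes(0x3A))
    fake_pe += struct.pack("<I", 0x40)               # e_lfanew -> 0x40
    fake_pe += b"PE\0\0" + bytes(60)
    return bytes(blob + fake_chm + fake_pe)


if __name__ == "__main__":
    for line in assess_attachment("request.doc", build_sample_iso()):
        print(line)
```

On a real gateway the same checks would run on the decoded MIME part; extension mismatch alone is a useful signal, and CHM-plus-PE inside one disk image is a narrow enough combination to alert on with few false positives.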