Spyware Vidar hides in Microsoft help files


Distribution is currently via email spam. Vidar steals user data and credentials. The attackers hide the specially designed help files and a supplied executable file in an ISO image file.

The Vidar malware was discovered in a new phishing campaign that abuses Microsoft HTML Help files. As explained by Trustwave cybersecurity researcher Diana Lopera, the spyware is hidden in compiled CHM files to avoid detection in spam email campaigns.

Vidar is a Windows spyware and information-stealing program that cyber criminals can acquire. Vidar can harvest operating system and user credentials, online service and cryptocurrency credentials, and credit card information.

According to Trustwave, the email campaign that distributes Vidar is far from sophisticated. The message carries a generic subject line and an attachment named “request.doc”, which is actually an .iso disk image.

The .iso file contains two files: a Microsoft Compiled HTML Help (CHM) file (pss10r.chm) and an executable file (app.exe).

The compressed HTML format of CHM files can contain text, images, tables and links when used legitimately. However, attackers can abuse the format to force the Microsoft Help Viewer (hh.exe) to load objects embedded in the CHM.

When the malicious CHM file is opened, a JavaScript snippet silently executes app.exe. Both files must sit in the same directory for this to work, which is exactly how they are laid out inside the ISO, so opening the help file is enough to launch the Vidar payload.
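As a defender-side illustration of the lure described above (an example added here, not Trustwave's code and not a real sample), the following Python triages an attachment the way a mail gateway might: it sniffs the true container type from magic bytes rather than the file name, walks the root directory of an ISO 9660 image, and flags a CHM help file bundled next to an executable. The sample image is constructed inline; the function names, the ".img" allowance and the gateway logic are assumptions.

```python
import struct
SECTOR = 2048  # ISO 9660 logical sector size

def sniff_type(data: bytes) -> str:
    """Identify the real container type from magic bytes, ignoring the file name."""
    if data[0x8001:0x8006] == b"CD001":   # primary volume descriptor lives at sector 16
        return "iso"
    if data[:4] == b"ITSF":               # compiled HTML help (CHM)
        return "chm"
    return "pe" if data[:2] == b"MZ" else "unknown"

def iso_root_entries(data: bytes) -> list[str]:
    """Minimal ISO 9660 walk: follow the PVD's root directory record and list its names."""
    root = data[16 * SECTOR + 156:16 * SECTOR + 190]      # 34-byte root directory record
    extent, length = struct.unpack_from("<I4xI", root, 2)  # LBA and byte length (LE copies)
    dirdata, off, names = data[extent * SECTOR:extent * SECTOR + length], 0, []
    while off < len(dirdata):
        rec_len = dirdata[off]
        if rec_len == 0:                                   # zero padding up to sector end
            off = (off // SECTOR + 1) * SECTOR
            continue
        name = dirdata[off + 33:off + 33 + dirdata[off + 32]].decode("ascii", "replace")
        if name not in ("\x00", "\x01"):                   # skip "." and ".."
            names.append(name.split(";")[0])               # drop the ";1" version suffix
        off += rec_len
    return names

def assess_attachment(filename: str, data: bytes) -> list[str]:
    """Findings a mail gateway would alert on for this attachment (empty = nothing seen)."""
    kind, findings = sniff_type(data), []
    if kind == "iso" and not filename.lower().endswith((".iso", ".img")):
        findings.append(f"{filename!r} is an ISO 9660 image despite its extension")
    if kind == "iso":
        names = iso_root_entries(data)
        if {"CHM", "EXE"} <= {n.rsplit(".", 1)[-1].upper() for n in names if "." in n}:
            findings.append("ISO bundles a CHM help file with an executable: " + ", ".join(names))
    return findings

def build_sample_iso(names: list[str]) -> bytes:
    """Constructed test input, not a real sample: minimal ISO 9660 image with the given root names."""
    def rec(name: bytes, extent: int, size: int, flags: int) -> bytes:
        both = lambda v: struct.pack("<I", v) + struct.pack(">I", v)   # both-endian field
        body = (b"\x00" + both(extent) + both(size) + bytes(7) + bytes([flags, 0, 0])
                + b"\x01\x00\x00\x01" + bytes([len(name)]) + name)
        body += b"\x00" * ((len(body) + 1) % 2)            # record length must be even
        return bytes([len(body) + 1]) + body
    records = rec(b"\x00", 18, 0, 2) + rec(b"\x01", 18, 0, 2)          # "." and ".."
    records += b"".join(rec(n.encode() + b";1", 19 + i, 0, 0) for i, n in enumerate(names))
    pvd = (b"\x01CD001\x01" + bytes(149) + rec(b"\x00", 18, len(records), 2)).ljust(SECTOR, b"\x00")
    return bytes(16 * SECTOR) + pvd + bytes(SECTOR) + records.ljust(SECTOR, b"\x00")
```

Running `assess_attachment("request.doc", build_sample_iso(["PSS10R.CHM", "APP.EXE"]))` yields two findings, one for the extension mismatch and one for the CHM-plus-EXE pairing; a real gateway would feed the same checks with the decoded attachment bytes.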
