Vidar spyware is now hidden in Microsoft help files

A simple but effective phishing campaign

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

A new cybercrime campaign has been discovered that abusesMicrosoftHTML help files to distribute the Vidarmalware.

Cybersecurity researchers from Trustwave reported of a threat actor distributing Vidar through an email spam campaign. In it, the attackers would send a relatively generic-lookingemail, with the attachment file “request.doc”.

That file is not a .doc file, but instead, an .iso disk image, carrying two separate files: a Microsoft Compiled HTML Help file (CHM), often titled pss10r.chm, and an executable file, titled app.exe.

We’re looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn’t take more than 60 seconds of your time. Thank you for taking part.

Click here to start the survey in a new window«

The unpacked CHM file triggers a JavaScript snippet which quietly runs the app.exe file. That way, the Vidar malware is loaded onto the targetendpoint.

Vidar is described as a Windows spyware and an infostealer, capable of harvesting both user data, and the data on theoperating system. It is capable of pulling out cryptocurrency account credentials, as well as payment data, such as credit card details.

The .CHM file format is a Microsoft online extension file, used to access help files. The compressed HTML format allows for the distribution of images, tables and links. But the format can also be abused to load weaponized CHM objects.

In this particular case, the Vidar spyware connects to the command and control (C2) server via Mastodon.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Chinese tax software hides nasty spyware>What is phishing and how dangerous is it?>Everything you need to know about phishing

According to business software and services provider Entersoft, Vidar was introduced in December 2018, and is allegedly of Russian origin. The conclusion that the Russians built Vidar was drawn from the fact that the malware stops working if it realizes that it’s operating on an endpoint from an ex-USSR country, or that the keyboard has a Russian layout.

The malware is named after the God of Vengance from Norse mythology - known as Víðarr. It seems to be a variant of the Arkei malware.

As usual, the best way to protect against malware such as this one is to be extra careful when downloading attachments from emails, or clicking on links received in emails from unknown, or unexpected senders.

Via:ZDNet

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics

This new phishing strategy utilizes GitHub comments to distribute malware

iStorage Group acquires Kanguru Solutions as it looks to expand security offering