Diana Lopera, Trustwave Cybersecurity researcher, has discovered something that is both interesting and disturbing.
A group of hackers is apparently trying a new way to distribute their malicious software. They are using Microsoft's HTML help files.
You did indeed read that right. This is an innovative technique that is not only surprising effective but also notoriously difficult to detect. It's also not a very sophisticated attack.
Here is a quick overview of the spyware process:
It all starts with an email. It usually contains a subject line with a generic attachment called "Request.doc" (or something similar).
This file is not a document, but a.iso file. A disk image. The image includes two files. The executable is one of the files. The other is a Microsoft Compiled HTML Help (CHM).
The executable can use the capabilities of the helpfile to install its malicious payload. Vidar is the malware strain.
Vidar then creates a link via Mastodon to its command and control server. Mastodon is an open-source multi-platform social networking system. Vidar then begins to extract user data from infected systems and exfiltrating it back to the command-and control server.
Vidar was also seen downloading and running additional malware payloads in at least one case.
This new campaign, whether sophisticated or not has proven to be extremely effective. Vidar could be used to track other malware payloads that end up on infected machines, making it a serious threat. These "other payloads" can be anything, from ransomware that will lock your network and malicious code that is optimized to steal bank information.
Make sure that your family, friends, and employees are well-informed. This code is dangerous.
More Trojan Style Malware Are Being Seen in Google Play Store
Dr. Web is a security researcher who goes under the pseudonym "Dr. Web has been monitoring suspicious increases in Trojan infiltration via the Google Play Store.
It is unclear if the surge was caused by a single, determined hacker group or if multiple groups were just focusing on the Play Store at the same time.
While a number of malware strains were found embedded in the Play Store's poisoned apps, the main focus has been on popular apps that have 500,000 or more installs. A new Android Trojan disguised in a WhatsApp Mod is also available.
There doesn't appear to be any clear pattern, except for apps with lots of installed. Many poisoned apps included cryptocurrency management tools, Gasprom investment-clones, and photo editors.
The gimmick, at least in the case of investment-oriented apps, was to get an unwitting user to open a new account and deposit money. This would then be siphoned off. For other apps, there would always be an invitation to sign up for costly subscription services.
Good news is that most of the harmful apps from the Play Store have been removed by the time this article was written. There are still some skeptics. The app "Top Navigation", which is poisoned, is available in the Play Store. It boasts over half a million installed.
While Google has been busy removing poisoned apps from its servers, the group behind this campaign has set their sights lower. With around 100,000 installed apps, they appear to be poisoning Advice Photo Power.
Bottom line: While the Play Store is generally safe, it is not an entirely safe source for malware-free applications so be vigilant.
Are you wondering if it is possible to really secure your company's network? Call Integrated Technology Systems for a thorough of your cybersecurity practices and possible vulnerabilities.
Integrated Technology Systems
6 East 45th Street, Suite 400
New York, NY 10017
212-750-5420
https://www.itsnyc.com/
