![]() ![]() “This function open() decodes a block of data which then undergoes two layers of decoding with Base64 and XOR.”Īfter the data is decoded it forms a ClassID object which enables a malicious PowerShell script. ![]() “When the Microsoft Help viewer (hh.exe) loads this HTML object, it runs a JavaScript function named open(),” Mendrez said. The researcher said when the CHM file containers are uncompressed it consists of HTML objects, one of which is “Load_HTML_CHM0.html.” Persistence is then gained by creating a scheduled task to run the malware when the user logs in,” Mendrez said. “Once a user opens the CHM, it executes a small PowerShell command that downloads a second stage PowerShell script. CHM files have been used in several recent attacks including ones in November carried out by the Silence Gang. CHM files are interactive and can run JavaScript, for example, which the attackers use to redirect victims to external URLs. Currently only eight out of 60 AV scanners identified the CHM file attachments as malicious, he said.Īttackers are taking advantage of the proprietary Microsoft online help format called Microsoft Compiled HTML Help, or CHM. He added, the multiple stage infection technique used to deliver the Trojan is effective at obfuscating the malware from detection. Spam messages contain a malicious CHM attachment called “comprovante.chm”, wrote Rodel Mendrez, senior security researcher at Trustwave in a technical write-up outlining the research. Security researchers are warning of a new spam campaign targeting Brazilian institutions that contain Compiled HTML file attachments that are used to deliver a banking Trojan. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |