Malicious CHM Files Being Used to Install Brazilian Banking Trojans

Those poor Brazilians. I would think by now, most of their bank accounts have been cleaned out.

https://www.bleepingcomputer.com/ne...ng-used-to-install-brazilian-banking-trojans/

 

Very interesting! I thought I was reading an article from 2008. CHM exploits were quite common then.

Here is a screen shot showing an exploit blocked attempting to copy to disk an executable, and you will notice the hh.exe file was called:



A rather easy snag back then. Today, different protective methods would be needed -- of course, only needed should the user not take the wise precautions mentioned in the article.

To be filed in the "Is anything new?" box.

----
rich

 

@Rmus, there are things that "don't add up" in this attack.

In Outlook and also when using Gmail via a browser for example, .chm attachments are blocked:
Refs.: https://support.office.com/en-us/ar...e90-9124-8b81e49a8519?ui=en-US&rs=en-US&ad=US
https://support.google.com/mail/answer/6590?hl=en

Also .chm files are blocked when downloaded by other means since they contain "The Mark of the Web": https://community.spiceworks.com/topic/1961503-solved-windows-10-chm-help-files-showing-up-blank

Perhaps the attack succeeded since the .chm attachment was part of an archive although I would think that both of the above would still apply? Most likely, the .chm attachments used a different file suffix. Per the above Microsoft article:

 

Also most folks are now monitoring all script engine execution including Powershell from any process. This would have detected the powershell.exe startup from hh.exe. This attack is really no different than ones that employ mshta.exe to do the same.

 

My goodness man. Users were advised to block scripts from Windows 98!

Script Trap etc.

 

In this instance, you would have to be monitoring powershell.exe startup directly since it didn't execute a script: htxps://twitter.com/azsxdvfbg/status/914861884830035968

 

PowerShell is/was supposed to be a new advancement for windows right?

 

Actually the correct version of that statement is; "PowerShell is/was supposed to be a new malware advancement for windows."

 

I would tend to agree if not for some usefulness as a replacement for command shell-.cmd-.bat files. The issues creep in when they don't replace anything but add yet another entry vector that can be so easily and readily exploited just as well as the previous ones they were supposed to replace.

I think good ole micro bunch are stuck in their own boot loop

 

I don't know, since I don't test exploits anymore, and without testing myself, I don't make any assumptions.

----
rich

 

What is Powershell?

Just kidding... it is not installed on my system, and if it were, I would find a way to remove or disable it.

----
rich

 

Actually, .chm files are similar to HTML files run by mshta.exe. You can't directly run an executable from them. In this attack, javacript was employed to run the "button" feature which was in reality powershell.exe. So if you were monitoring wscript execution from any process, you would have received an alert.

 

https://threatpost.com/chm-help-files-deliver-brazilian-banking-trojan