Malicious CHM Files Being Used to Install Brazilian Banking Trojans

Discussion in 'malware problems & news' started by itman, Oct 5, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,731
    Location:
    U.S.A.
    Those poor Brazilians. I would think by now, most of their bank accounts have been cleaned out.
    https://www.bleepingcomputer.com/ne...ng-used-to-install-brazilian-banking-trojans/
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    Very interesting! I thought I was reading an article from 2008. CHM exploits were quite common then.

    Here is a screen shot showing an exploit blocked attempting to copy to disk an executable, and you will notice the hh.exe file was called:

    chm-alert.gif

    A rather easy snag back then. Today, different protective methods would be needed -- of course, only needed should the user not take the wise precautions mentioned in the article.

    To be filed in the "Is anything new?" box.

    ----
    rich
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,731
    Location:
    U.S.A.
    @Rmus, there are things that "don't add up" in this attack.

    In Outlook and also when using Gmail via a browser for example, .chm attachments are blocked:
    Refs.: https://support.office.com/en-us/ar...e90-9124-8b81e49a8519?ui=en-US&rs=en-US&ad=US
    https://support.google.com/mail/answer/6590?hl=en

    Also .chm files are blocked when downloaded by other means since they contain "The Mark of the Web": https://community.spiceworks.com/topic/1961503-solved-windows-10-chm-help-files-showing-up-blank

    Perhaps the attack succeeded since the .chm attachment was part of an archive although I would think that both of the above would still apply? Most likely, the .chm attachments used a different file suffix. Per the above Microsoft article:
     
    Last edited: Oct 6, 2017
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,731
    Location:
    U.S.A.
    Also most folks are now monitoring all script engine execution including Powershell from any process. This would have detected the powershell.exe startup from hh.exe. This attack is really no different than ones that employ mshta.exe to do the same.
     
    Last edited: Oct 6, 2017
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,365
    Location:
    U.S.A. (South)
    My goodness man. Users were advised to block scripts from Windows 98!

    Script Trap etc.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,731
    Location:
    U.S.A.
    In this instance, you would have to be monitoring powershell.exe startup directly since it didn't execute a script: htxps://twitter.com/azsxdvfbg/status/914861884830035968
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,365
    Location:
    U.S.A. (South)
    PowerShell is/was supposed to be a new advancement for windows right? :eek:
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,731
    Location:
    U.S.A.
    Actually the correct version of that statement is; "PowerShell is/was supposed to be a new malware advancement for windows.":thumbd:
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,365
    Location:
    U.S.A. (South)
    I would tend to agree if not for some usefulness as a replacement for command shell-.cmd-.bat files. The issues creep in when they don't replace anything but add yet another entry vector that can be so easily and readily exploited just as well as the previous ones they were supposed to replace.

    I think good ole micro bunch are stuck in their own boot loop :D
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    I don't know, since I don't test exploits anymore, and without testing myself, I don't make any assumptions.

    ----
    rich

     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    What is Powershell?

    Just kidding... it is not installed on my system, and if it were, I would find a way to remove or disable it.

    ----
    rich
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,731
    Location:
    U.S.A.
    Actually, .chm files are similar to HTML files run by mshta.exe. You can't directly run an executable from them. In this attack, javacript was employed to run the "button" feature which was in reality powershell.exe. So if you were monitoring wscript execution from any process, you would have received an alert.
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    12,427
    Location:
    Here
    https://threatpost.com/chm-help-files-deliver-brazilian-banking-trojan
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.