Search This Blog

Vidar Spyware Exploits Microsoft Help Files to Bypass Detection

Attackers are employing an age-old strategy of tricking people to download seemingly innocent files that are actually malicious.


Vidar spyware has been discovered in a new phishing campaign that exploits Microsoft HTML help files. The spyware is hidden in Microsoft Compiled HTML Help (CHM) files to bypass detection in email spam campaigns, Trustwave cybersecurity expert Diana Lopera stated. 

Vidar is Windows spyware and an information stealer capable of harvesting both user data and data on the operating system, cryptocurrency account credentials as well as payment details such as credit card details. 

While threat actors often distribute malware via spam and phishing campaigns, Trustwave researchers have also uncovered the C++ malware being deployed via the pay-per-install PrivateLoader dropper, and the Fallout exploit kit. 

According to researchers, threat actors employ an age-old strategy of tricking people to download seemingly innocent files that are actually malicious. The malicious files contain a generic subject line and an attachment, "request.doc," which is actually a .iso disk image. The .iso contains two separate files: a Microsoft-compiled HTML help file (CHM), often titled pss10r.chm, and an executable file titled app.exe. 

The CHM format is a Microsoft online extension file used for accessing documentation and help files. The compressed HTML format allows the distribution of images, tables and links. However, when malicious actors abuse CHM, they can use the format to force Microsoft Help Viewer (hh.exe) to deploy CHM objects. 

When a malicious CHM file is unpacked, a JavaScript snippet will silently execute app.exe, and while both files have to be in the same directory, this can trigger the execution of the Vidar payload. 

The Vidar samples gathered by the attacker’s link to their command-and-control (C2) server via Mastodon, a multi-platform open-source social networking system. Specific profiles are searched, and C2 addresses are collected from user profile bio sections. This allows the spyware to design its configuration and start exfiltrating user data. 

To protect yourself against this campaign, you should strictly follow the standard protections against email spam, such as ensuring the source of email before downloading any attachments. It's also a good idea to use the best antivirus software to protect your PC. 

"Since this Vidar campaign utilizes social engineering and phishing, ongoing security awareness training for your staff is essential. Organizations should also consider implementing a secure email gateway for 'defense in depth' layered security in order to filter these types phishing attacks before they even get to any inboxes,” stated Karl Sigler, Trustwave threat intelligence manager. 

"Vidar itself is an information stealer type of malware. It grabs as much data as it can from the victim's system, sends it back to the attackers, and then deletes itself. This includes any local password stores, web browser cookies, crypto wallets, contact databases, and other types of potentially valuable data."
Share it:

Malicious Files


Phishing Camapign