Cryptowall, again!

Published: 2015-03-06
Last Updated: 2015-03-06 11:23:32 UTC
by Basil Alawi S.Taher (Version: 1)
2 comment(s)

A new variant of Cryptowall (an advanced version of CryptoLocker) is now using a malicious .chm file attachment to infect systems.

According to Bitdefender Labs, they have found a spam wave that spreads malicious .chm attachments.

CHM is the compiled HTML Help format; it supports technologies such as JavaScript, which can redirect a user to an external link.

“Once the content of the .chm archive is accessed, the malicious code downloads from this location http:// *********/putty.exe, saves itself as %temp%\natmasla2.exe and executes the malware. A command prompt window opens during the process.”
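Because the delivery vehicle here is an attachment type that most users never expect in mail, a gateway-side check worth having is one that recognises CHM content by its signature rather than by filename. The following is an added example written for this diary, not code from the diary or from Bitdefender: it flags attachments whose bytes start with the `ITSF` signature that every Compiled HTML Help file carries, including CHM files renamed to another extension or wrapped in a ZIP. The attachments it scans are constructed stand-ins (the "CHM" samples are only the signature plus filler, not real help files).

```python
"""Gateway-side triage for CHM attachments (added example, not from the diary).

Flags attachments that are Compiled HTML Help files by content (the 'ITSF'
signature), whether or not the filename ends in .chm, and looks inside ZIP
attachments as well. All sample attachments below are constructed inline.
"""
import io
import zipfile

CHM_MAGIC = b"ITSF"        # first four bytes of every Compiled HTML Help file
ZIP_MAGIC = b"PK\x03\x04"  # local file header signature of a ZIP archive


def is_chm(data: bytes) -> bool:
    """Content-based check: CHM files start with the ITSF signature."""
    return data[:4] == CHM_MAGIC


def find_chm_attachments(attachments):
    """Return the names of attachments that are CHM files, including CHM
    members of ZIP attachments (reported as 'outer.zip/member')."""
    hits = []
    for name, data in attachments:
        if is_chm(data):
            hits.append(name)
            continue
        if data[:4] == ZIP_MAGIC:
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        if is_chm(zf.read(member)):
                            hits.append(f"{name}/{member}")
            except zipfile.BadZipFile:
                # Truncated or malformed archive: nothing to inspect here.
                pass
    return hits


def _fake_chm() -> bytes:
    # Constructed stand-in: the ITSF signature plus filler; not a real CHM file.
    return CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 60


def _zip_with(name: str, data: bytes) -> bytes:
    """Build an in-memory ZIP archive holding one member (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample mail attachments: (filename, raw bytes).
SAMPLE_ATTACHMENTS = [
    ("invoice.pdf", b"%PDF-1.4 ..."),
    ("help.chm", _fake_chm()),
    ("readme.txt", _fake_chm()),                     # CHM content behind a harmless extension
    ("docs.zip", _zip_with("manual.chm", _fake_chm())),
    ("photos.zip", _zip_with("a.jpg", b"\xff\xd8\xff")),
]

if __name__ == "__main__":
    for hit in find_chm_attachments(SAMPLE_ATTACHMENTS):
        print("CHM attachment:", hit)
```

Keying the policy on content rather than extension matters because an extension-based block on `.chm` is defeated by a rename or a ZIP wrapper; the check above catches both cases in the constructed samples.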

2 comment(s)

Interesting. Didn't realize CHM files could both download and execute things.
So definitely no user interaction required?

Interesting PoC (or maybe a sample, judging by the PoC domain).
CHM with an embedded 1x1 ActiveX button; CLSID referring to Hhctrl.ocx (CHM as well).
JS autorun auto-clicks the button, the ActiveX object calls cmd, which calls PowerShell, which downloads and executes code. Curious.
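The execution chain the diary and the comment above describe (the help viewer spawning cmd, cmd spawning PowerShell, and a fresh executable run out of `%temp%`) is visible in process-creation telemetry. The block below is an added example, not code from the diary or its commenters: it runs over a few constructed process-creation records shaped like Sysmon Event ID 1 fields (`ProcessId`, `ParentProcessId`, `Image`, `ParentImage`) and reports two indicators, `hh.exe` (the Windows HTML Help viewer that opens .chm files) spawning a command interpreter, and an executable launched from a Temp directory. It then walks the parent links to show the full ancestry of each hit. The field layout and the sample records are assumptions made for the example.

```python
"""Detection logic for the CHM-to-payload process chain (added example, not
code from the diary). Input records are constructed, Sysmon-like key=value
lines; values carry no spaces in these samples."""
import re
from pathlib import PureWindowsPath

SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def parse_record(line):
    """Turn 'Key=Value Key=Value ...' into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def basename(path):
    return PureWindowsPath(path).name.lower()


def classify(rec):
    """Return the names of the indicators that fire on one record."""
    hits = []
    parent, image = basename(rec["ParentImage"]), basename(rec["Image"])
    # Indicator 1: the HTML Help viewer has no business launching a shell.
    if parent == "hh.exe" and image in SHELLS:
        hits.append("hh.exe-spawns-shell")
    # Indicator 2: an .exe running out of a Temp directory (cf. %temp%\natmasla2.exe).
    if image.endswith(".exe") and any(m in rec["Image"].lower() for m in TEMP_MARKERS):
        hits.append("exe-run-from-temp")
    return hits


def ancestry(rec, by_pid):
    """Walk ParentProcessId links back to the oldest known ancestor."""
    chain = [basename(rec["Image"])]
    seen = {rec["ProcessId"]}
    cur = rec
    while cur["ParentProcessId"] in by_pid and cur["ParentProcessId"] not in seen:
        cur = by_pid[cur["ParentProcessId"]]
        seen.add(cur["ProcessId"])
        chain.append(basename(cur["Image"]))
    return list(reversed(chain))


def detect(lines):
    """Return (indicator, 'root -> ... -> process') pairs for every hit."""
    records = [parse_record(line) for line in lines]
    by_pid = {r["ProcessId"]: r for r in records}
    findings = []
    for r in records:
        for indicator in classify(r):
            findings.append((indicator, " -> ".join(ancestry(r, by_pid))))
    return findings


# Constructed sample records following the chain described on this page.
SAMPLE_LOG = [
    "ProcessId=4000 ParentProcessId=900 Image=C:\\Windows\\explorer.exe ParentImage=C:\\Windows\\System32\\userinit.exe",
    "ProcessId=4100 ParentProcessId=4000 Image=C:\\Windows\\hh.exe ParentImage=C:\\Windows\\explorer.exe",
    "ProcessId=4200 ParentProcessId=4100 Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Windows\\hh.exe",
    "ProcessId=4300 ParentProcessId=4200 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentImage=C:\\Windows\\System32\\cmd.exe",
    "ProcessId=4400 ParentProcessId=4300 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\natmasla2.exe ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "ProcessId=4500 ParentProcessId=4000 Image=C:\\Windows\\notepad.exe ParentImage=C:\\Windows\\explorer.exe",
]

if __name__ == "__main__":
    for indicator, chain in detect(SAMPLE_LOG):
        print(f"{indicator}: {chain}")
```

The parent/child rule is the more durable of the two: the Temp-directory name in the diary will change from campaign to campaign, while a help viewer launching `cmd.exe` or `powershell.exe` is unusual enough in most environments to be worth an alert on its own.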