A new variant of CryptoWall (an advanced version of CryptoLocker) is now using a malicious .chm file attachment to infect systems. According to net-security.org, Bitdefender Labs has found a spam wave that spreads malicious .chm attachments. CHM is the compiled HTML help format; it supports technologies such as JavaScript, which can redirect a user to an external link.

"Once the content of the .chm archive is accessed, the malicious code downloads from this location http:// *********/putty.exe, saves itself as %temp%\natmasla2.exe and executes the malware. A command prompt window opens during the process."

======================================

1- https://isc.sans.edu/diary/Traffic+Patterns+For+CryptoWall+3.0/19203
2- https://isc.sans.edu/forums/diary/Pay+attention+to+Cryptowall/18243/
3- http://www.net-security.org/malware_news.php?id=2981&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29
Basil (ISC Handler), Mar 6th 2015
Mar 6th 2015
Interesting. Didn't realize CHM files could both download and execute things.
So definitely no user interaction required?
Mallory Bobalice
Mar 7th 2015
https://twitter.com/ithurricanept
Interesting PoC (or maybe a sample, judging by the PoC domain). CHM with an embedded 1x1 ActiveX button, CLSID referring to Hhctrl.ocx (CHM as well). JS autorun auto-clicks the button, the ActiveX object calls cmd, which calls powershell, which downloads and executes code. Curious.
Mallory Bobalice
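The diary and the comment above together describe one process chain worth hunting for: the HTML Help viewer opens the .chm, a command prompt appears, powershell is called, and an executable is dropped into %temp% and run. The script below is an added detection example, not code from the diary, Bitdefender or the PoC author. It assumes the .chm is opened by the Windows HTML Help viewer (hh.exe), that process-creation telemetry is available with Sysmon-style fields (pid, parent pid, image path, command line), and it runs over a small set of constructed sample events, including two benign ones, so it works offline.

```python
"""Hunt for the CHM delivery chain from the diary: the HTML Help viewer
spawning a shell, and anything under that viewer launching an executable
from %temp%.  Detection only; operates on constructed sample events."""
import re

# Constructed sample of process-creation events, modelled on Sysmon Event ID 1
# fields (pid, ppid, image, cmdline).  Not real telemetry; the file name
# natmasla2.exe and the %temp% location come from the diary text.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # Malicious chain: help viewer -> cmd -> powershell -> exe in %temp%
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\hh.exe",
     "cmdline": r'hh.exe "C:\Users\alice\Downloads\invoice.chm"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -w hidden ..."},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden ..."},
    {"pid": 500, "ppid": 400,
     "image": r"C:\Users\alice\AppData\Local\Temp\natmasla2.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\natmasla2.exe"},
    # Benign: a user opening a product help file and nothing else happening.
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\hh.exe",
     "cmdline": r'hh.exe "C:\Program Files\SomeApp\help.chm"'},
    # Benign: a shell started by the user directly from Explorer.
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
]

HELP_VIEWER = "hh.exe"                      # assumed CHM viewer process name
SHELLS = {"cmd.exe", "powershell.exe"}      # the two interpreters named on the page
# Executable sitting directly in the per-user %temp% directory.
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events_by_pid, pid):
    """Image basenames from the process itself up to the root.  Stops when a
    parent is unknown or a pid repeats (defends against recycled pids)."""
    chain, seen = [], set()
    while pid in events_by_pid and pid not in seen:
        seen.add(pid)
        event = events_by_pid[pid]
        chain.append(basename(event["image"]))
        pid = event["ppid"]
    return chain


def find_chm_chains(events):
    """Return (pid, reason, chain) for every process that has hh.exe among its
    ancestors and is either a shell or an executable launched from %temp%."""
    by_pid = {event["pid"]: event for event in events}
    alerts = []
    for event in events:
        name = basename(event["image"])
        chain = ancestry(by_pid, event["pid"])
        if HELP_VIEWER not in chain[1:]:
            continue  # the help viewer itself, or no viewer in the ancestry
        if name in SHELLS:
            alerts.append((event["pid"], "shell spawned under hh.exe", chain))
        elif TEMP_EXE.search(event["image"]):
            alerts.append((event["pid"],
                           "executable launched from %temp% under hh.exe", chain))
    return alerts


if __name__ == "__main__":
    for pid, reason, chain in find_chm_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}: {' <- '.join(chain)}")
```

Walking the full ancestry rather than checking only the direct parent matters here: the dropped executable is three levels below hh.exe, so a parent-only rule would catch the cmd.exe launch but miss the %temp% payload. The two benign events (a help file opened normally, a shell started from Explorer) produce no alert, which is the false-positive check a practitioner would want before deploying such a rule.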