Cryptowall, again!

A new variant of Cryptowall (an advanced version of CryptoLocker) is now using malicious .chm file attachments to infect systems.

According to Bitdefender Labs, they have found a spam wave that spreads malicious .chm attachments.

CHM is the compiled version of HTML; it supports technologies such as JavaScript, which can redirect a user to an external link.

“Once the content of the .chm archive is accessed, the malicious code downloads from this location http:// *********/putty.exe, saves itself as %temp%\natmasla2.exe and executes the malware. A command prompt window opens during the process.”
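The chain the diary describes, hh.exe opening the .chm, a command prompt appearing, and a dropped binary executing from %temp%, is a usable detection signal. The script below is an added example, not code from the diary or from Bitdefender: it runs over constructed Sysmon-style process-creation records (field names and pids are assumptions) and flags shells launched under hh.exe as well as executables run from a temp directory with hh.exe anywhere in their ancestry.

```python
import re

# Shell interpreters that hh.exe has no legitimate reason to spawn.
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

# Constructed sample events (pids, paths and user name are made up); the
# malicious chain mirrors the diary: hh.exe -> cmd.exe -> powershell.exe ->
# %temp%\natmasla2.exe. The other rows are benign noise.
SAMPLE_EVENTS = [
    {"pid": 1,  "ppid": 0,  "image": r"C:\Windows\explorer.exe"},
    {"pid": 10, "ppid": 1,  "image": r"C:\Windows\hh.exe"},
    {"pid": 11, "ppid": 10, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 12, "ppid": 11, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 13, "ppid": 12, "image": r"C:\Users\victim\AppData\Local\Temp\natmasla2.exe"},
    {"pid": 20, "ppid": 1,  "image": r"C:\Windows\System32\cmd.exe"},   # user-opened shell
    {"pid": 30, "ppid": 1,  "image": r"C:\Windows\hh.exe"},             # ordinary help file
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestors(ev, by_pid):
    """Yield parent, grandparent, ... of ev; stop on a missing or cyclic pid."""
    seen = {ev["pid"]}
    cur = by_pid.get(ev["ppid"])
    while cur is not None and cur["pid"] not in seen:
        yield cur
        seen.add(cur["pid"])
        cur = by_pid.get(cur["ppid"])

def detect_chm_chain(events):
    """Return (pid, reason) for every process that is suspicious only because
    hh.exe sits somewhere above it in the process tree."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if not any(basename(a["image"]) == "hh.exe" for a in ancestors(ev, by_pid)):
            continue
        if basename(ev["image"]) in SHELLS:
            hits.append((ev["pid"], "shell spawned under hh.exe"))
        elif TEMP_RE.search(ev["image"]):
            hits.append((ev["pid"], "executable run from temp dir under hh.exe"))
    return hits

if __name__ == "__main__":
    for pid, reason in detect_chm_chain(SAMPLE_EVENTS):
        print(pid, reason)
```

On real telemetry the same walk applies to Sysmon Event ID 1 or EDR process records; the benign hh.exe and the user-opened cmd.exe in the sample produce no hits.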

60 Posts
ISC Handler
Mar 6th 2015
Interesting. Didn't realize CHM files could both download and execute things.
So definitely no user interaction required?
Mallory Bobalice

28 Posts

Interesting PoC (or maybe a sample, judging by the PoC domain).
CHM with an embedded 1x1 ActiveX button, CLSID referring to Hhctrl.ocx (CHM as well).
JS autorun auto-clicks the button, the ActiveX object calls cmd, which calls PowerShell, which downloads and executes code. Curious.
Mallory Bobalice

28 Posts
