SANS ISC: Cryptowall, again!

SANS Internet Storm Center, InfoSec Forums

A new variant of Cryptowall (an advanced version of CryptoLocker) is now using a malicious .chm file attachment to infect systems.

According to Bitdefender Labs, a spam wave is spreading malicious .chm attachments.

CHM (Compiled HTML Help) is a compiled HTML format that supports technologies such as JavaScript, which can redirect a user to an external link.

“Once the content of the .chm archive is accessed, the malicious code downloads from this location http:// *********/putty.exe, saves itself as %temp%\natmasla2.exe and executes the malware. A command prompt window opens during the process.”

Interesting. I didn't realize CHM files could both download and execute things.
So definitely no user interaction required?
Mallory Bobalice
Interesting PoC (or maybe a sample, judging by the PoC domain).
CHM with an embedded 1x1 ActiveX button, CLSID referring to Hhctrl.ocx (CHM as well).
JS autorun auto-clicks the button; the ActiveX object calls cmd, which calls PowerShell, which downloads and executes code. Curious.
Mallory Bobalice
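The chain described in the comment above, viewed from the defender's side, as an added detection example that is not part of the diary or the comments: process-creation events in which the Windows HTML Help viewer (hh.exe, which renders .chm files) spawns cmd.exe, which spawns powershell.exe. The events, field names and paths are constructed; hh.exe as the top of the chain is an assumption, since the page itself names only cmd and PowerShell.

```python
"""Flag the CHM -> cmd -> PowerShell process lineage on constructed
Sysmon-style process-creation events (assumed fields: pid, ppid, image, cmdline)."""
import ntpath

# Expected ancestry, root first. hh.exe is assumed as the CHM viewer parent.
CHAIN = ("hh.exe", "cmd.exe", "powershell.exe")

# Constructed sample telemetry; the PowerShell payload is deliberately elided.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Users\u\AppData\Local\Temp\invoice.chm'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -WindowStyle Hidden -Command <elided>"},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -WindowStyle Hidden -Command <elided download-and-run>"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]


def basename(image):
    """Case-insensitive file name of a process image path."""
    return ntpath.basename(image).lower()


def ancestry(events, pid):
    """Image names from the given process up to the root (child first)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # seen-set guards against PID reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def is_subsequence(needle, haystack):
    """True if needle occurs in haystack in order, intermediates allowed."""
    it = iter(haystack)
    return all(any(x == y for y in it) for x in needle)


def detect_chm_chain(events):
    """Return one alert per powershell.exe whose lineage contains CHAIN in order."""
    alerts = []
    for e in events:
        if basename(e["image"]) != "powershell.exe":
            continue
        lineage = ancestry(events, e["pid"])[::-1]  # root first
        if is_subsequence(CHAIN, lineage):
            alerts.append({"pid": e["pid"], "lineage": " -> ".join(lineage)})
    return alerts
```

The same ancestry check applies to any other child of hh.exe (for example a direct PowerShell or an unexpected executable written under %temp%), which is the more durable signal than the download URL or file name, both of which change per campaign.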
