CHM Badness Delivers a Banking Trojan

Like good old Microsoft Office macros, Compiled HTML (CHM) Help files have been used by malware authors for more than a decade to sneak malicious downloader code into files that are harder to detect. CHM is a proprietary Microsoft online help format: a collection of HTML pages compiled into a single compressed file. CHMs are most commonly used for offline software documentation and help guides.

Recently we have observed a spam campaign targeting Brazilian institutions with emails carrying CHM attachments.

Analysis

CHM files are containers which, when decompressed, hold a collection of HTML objects. In this sample, the object of interest is Load_HTML_CHM0.html (shown in the image below, which is the Secure Email Gateway unpack tree for the CHM file). This HTML is the primary object loaded when the CHM file is opened.

When the Microsoft Help viewer (hh.exe) loads this HTML object, it runs a JavaScript function named open().

The open() function decodes a block of embedded data in two layers: Base64 decoding followed by XOR.

The decoded data then forms an object with the ClassID "adb880a6-d8ff-11cf-9377-00aa003b7a11", which enables execution of the following malicious PowerShell (PS) script.
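The two-layer decoding described above, as an added Python example that is not the sample's own script and not Trustwave tooling: it reverses the Base64 layer and then a repeating-key XOR, brute-forces single-byte keys for the case where the key is not obvious from the script, and checks the result for the ClassID named above. The blob, key and decoded text are constructed stand-ins; the real values live in the CHM and are not reproduced here.

```python
import base64
import string

# The ClassID named in the analysis above; finding it in the decoded output
# is a quick confirmation that the decoder produced the right plaintext.
CHM_OBJECT_CLASSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

# Constructed stand-ins (assumptions, not data from the sample): the real blob,
# key and decoded script are inside the CHM and are not reproduced here.
SAMPLE_KEY = b"k3y"
SAMPLE_PLAINTEXT = (
    b'<OBJECT classid="clsid:' + CHM_OBJECT_CLASSID.encode("ascii") + b'">'
    b"PLACEHOLDER-COMMAND</OBJECT>"
)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. XOR is its own inverse, so the same
    function both applies and removes the layer."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_layers(plaintext: bytes, key: bytes) -> str:
    """Build a blob in the sample's layout: XOR first, Base64 on top."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def decode_layers(blob: str, key: bytes) -> bytes:
    """Peel the two layers in the order the viewer would: Base64, then XOR."""
    return xor_bytes(base64.b64decode(blob), key)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; decoded script text is ~1.0,
    still-encrypted bytes are much lower."""
    printable = set(string.printable.encode("ascii"))
    return sum(b in printable for b in data) / max(len(data), 1)


def guess_single_byte_keys(blob: str, threshold: float = 0.95) -> list:
    """When the XOR key is not visible in the script, try every single-byte key
    and keep those whose output is almost entirely printable text."""
    raw = base64.b64decode(blob)
    return [k for k in range(256)
            if printable_ratio(xor_bytes(raw, bytes([k]))) >= threshold]


def contains_classid(decoded: bytes) -> bool:
    """True if the decoded data carries the ClassID from the analysis above."""
    return CHM_OBJECT_CLASSID.encode("ascii") in decoded.lower()


# Constructed blob, built so the decoder can be exercised offline.
SAMPLE_BLOB = encode_layers(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    out = decode_layers(SAMPLE_BLOB, SAMPLE_KEY)
    print(out.decode("ascii"))
    print("classid present:", contains_classid(out))
    print("single-byte candidates:", guess_single_byte_keys(encode_layers(SAMPLE_PLAINTEXT, b"\x5a")))
```

The brute-force helper is the step an analyst reaches for when the key is computed at runtime rather than stored as a literal; with a multi-byte key the same idea extends to guessing each key byte position independently.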

So the attack can fly under the radar, the PowerShell command runs silently in the background: it terminates instances of "hh.exe" (the program that opened the CHM file) and sets the window style to hidden. It then invokes a Base64-encoded command that downloads a second-stage PowerShell script hosted on Google Sites.

The second payload downloads a number of Bancos Trojan binaries and components to the %Appdata%\Sysinit folder, from which they are then copied to %Appdata%\SysRun.

These files are renamed to random filenames when they are dropped on the infected system. In this example they are renamed as follows:

| Download URL | Download Path and Renamed To |
|---|---|
| hxxps://sites[.]google[.]com/site/79s564fg105s6f4gsg56sd4g0s54dg/server.bin | C:\Users\<USERNAME>\AppData\Roaming\SysInit\negoexts94.exe |
| hxxps://sites[.]google[.]com/site/79s564fg105s6f4gsg56sd4g0s54dg/CRYPTUI.bin | C:\Users\<USERNAME>\AppData\Roaming\SysInit\CRYPTUI.dll |
| hxxps://sites[.]google[.]com/site/79s564fg105s6f4gsg56sd4g0s54dg/XSysInit.bin | C:\Users\<USERNAME>\AppData\Roaming\SysInit\profprov.sys |
| hxxps://sites[.]google[.]com/site/79s564fg105s6f4gsg56sd4g0s54dg/mouse.bin | C:\Users\<USERNAME>\AppData\Roaming\SysInit\KBDHE220.cur |
| hxxps://sites[.]google[.]com/site/79s564fg105s6f4gsg56sd4g0s54dg/base.bin | C:\Users\<USERNAME>\AppData\Roaming\SysInit\dpnhpast.db |
| hxxps://sites[.]google[.]com/site/79s564fg105s6f4gsg56sd4g0s54dg/cmd.bin | C:\Users\<USERNAME>\AppData\Roaming\SysInit\cryptui8t.exe |
| hxxps://sites[.]google[.]com/site/79s564fg105s6f4gsg56sd4g0s54dg/rmv.bin | C:\Users\<USERNAME>\AppData\Roaming\SysInit\wmidxdv.kdl |

The key component executable files are:

Server.bin – imports an API from CRYPTUI.DLL, which invokes the malicious code in the DLL
cmd.bin – a legitimate command line tool application
XSysInit.bin – the binary responsible for capturing mouse and keyboard events
CRYPTUI.DLL – loaded by server.bin; responsible for initial reconnaissance and downloading additional payloads

Three scheduled tasks are then created to run the malware when the user logs in. The task names use the format AutoUpdater followed by six random alphanumeric characters (e.g. AutoUpdater8ga9ek).
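The host artifacts described in the PowerShell launcher paragraph above (hh.exe as parent, hidden window style, a Base64-encoded command that terminates hh.exe and references Google Sites) and in the persistence paragraph just above (AutoUpdater plus six alphanumerics) lend themselves to a triage check over endpoint telemetry. This added Python example is not Trustwave tooling: it runs those checks over constructed process-creation records and task names. The record layout (parent image, image, command line) and all sample values are assumptions; the switch abbreviations it accepts follow PowerShell's prefix matching for -EncodedCommand and -WindowStyle.

```python
import base64
import re

# PowerShell accepts unambiguous prefixes of its switches; cover the common
# spellings of -EncodedCommand and capture the Base64 argument after it.
ENCODED_ARG = re.compile(
    r"(?i)(?:^|\s)-e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/]{8,}={0,2})"
)
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-w[a-z]*\s+hidden\b")
# Termination of the help viewer, in either the cmdlet or the taskkill form.
HH_KILL = re.compile(r"(?i)(?:stop-process[^;]*\bhh\b|taskkill[^;]*\bhh\.exe)")
# Persistence naming described above: "AutoUpdater" + six alphanumerics.
TASK_NAME = re.compile(r"^AutoUpdater[A-Za-z0-9]{6}$")


def decode_encoded_command(cmdline: str):
    """Return the plaintext of an -EncodedCommand argument (Base64 over
    UTF-16LE), or None when there is none or it does not decode cleanly."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def flag_process(parent: str, image: str, cmdline: str) -> list:
    """Score one process-creation record against the launcher behaviour above.
    Returns the list of matched indicators (empty for benign records)."""
    findings = []
    if image.lower().rsplit("\\", 1)[-1] not in ("powershell.exe", "pwsh.exe"):
        return findings
    if parent.lower().rsplit("\\", 1)[-1] == "hh.exe":
        findings.append("parent-is-hh.exe")
    if HIDDEN_WINDOW.search(cmdline):
        findings.append("hidden-window")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded-command")
        if HH_KILL.search(decoded):
            findings.append("terminates-hh.exe")
        if "sites.google.com" in decoded.lower():
            findings.append("google-sites-reference")
    return findings


def suspicious_task_names(task_names) -> list:
    """Task names matching the AutoUpdater + six alphanumerics pattern."""
    return [name for name in task_names if TASK_NAME.match(name)]


def scan(processes, task_names) -> dict:
    """Run both checks; return process indices with findings plus task hits."""
    hits = []
    for index, record in enumerate(processes):
        findings = flag_process(*record)
        if findings:
            hits.append((index, findings))
    return {"processes": hits, "tasks": suspicious_task_names(task_names)}


# Constructed sample telemetry (assumptions, not records from the sample).
# The decoded command only stops hh.exe and carries a placeholder comment;
# the real second-stage download is not reproduced.
SAMPLE_DECODED = ("Stop-Process -Name hh -Force; "
                  "# second stage placeholder: sites.google.com/site/PLACEHOLDER")
SAMPLE_ENCODED = base64.b64encode(SAMPLE_DECODED.encode("utf-16-le")).decode("ascii")
SAMPLE_PROCESSES = [
    ("hh.exe", "powershell.exe",
     "powershell.exe -WindowStyle Hidden -EncodedCommand " + SAMPLE_ENCODED),
    ("explorer.exe", "powershell.exe",
     "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"),
]
SAMPLE_TASKS = ["AutoUpdater8ga9ek", "OneDrive Standalone Update Task", "AutoUpdater"]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_PROCESSES, SAMPLE_TASKS)["processes"]:
        print(index, findings)
    print("tasks:", suspicious_task_names(SAMPLE_TASKS))
```

Any one of these indicators on its own is noisy (hidden windows and encoded commands appear in legitimate automation); the value is in the combination, and in particular a PowerShell child of hh.exe, which has no benign reason to exist in most environments.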

The malicious PowerShell script then forces a reboot of the system to ensure the malware executes.

The task scheduler runs the third-party command line utility to execute Server.bin (renamed to negoexts94.exe). This executable loads the component CRYPTUI.DLL by importing the API CryptUIWizExport:

When the DLL is loaded, it spawns a new process named iexpress.exe and injects its malicious code into it. It then collects system information such as the username and computer name and reports back to its command-and-control server at 200.98.116.239:80.

It also attempts to download an additional payload hosted on Google Sites:

Summary

The attack summarized above comprises multiple stages of malware infection, originating from an email with a trojanized CHM attachment. Once a user opens the CHM, it executes a small PowerShell command that downloads a second-stage PowerShell script. Persistence is then gained by creating scheduled tasks that run the malware when the user logs in.

Using multiple infection stages is a typical way for attackers to stay under the radar of AV scanners. As of this writing, only 8 out of 60 AV scanners detect this sample, more than a month after we discovered it.

IOC

| Download URL | SHA-256 |
|---|---|
| hxxps://sites[.]google[.]com/site/79s564fg105s6f4gsg56sd4g0s54dg/server.bin | 6d2dbba7e93600d624f2da77317e87130a25456213ba5a8cadfa90ee82932911 |
| hxxps://sites[.]google[.]com/site/79s564fg105s6f4gsg56sd4g0s54dg/CRYPTUI.bin | b171e7aff8cbfc86a45cf7a943bdeb1e42de007bf7e90bc70edebadc476a05ea |
| hxxps://sites[.]google[.]com/site/79s564fg105s6f4gsg56sd4g0s54dg/XSysInit.bin | 75c3e39dc2a6252a4ed535bd00ec78254313a687f51cb8f5b9f0c5a65d871f40 |
| hxxps://sites[.]google[.]com/site/79s564fg105s6f4gsg56sd4g0s54dg/mouse.bin | 5c7ab9e90b05804d07e9d803f85462bc1a44d0726256bad28219984ee2b5772f |
| hxxps://sites[.]google[.]com/site/79s564fg105s6f4gsg56sd4g0s54dg/base.bin | 37b622aee65a0f9996e1d4a65c915629acb44927ecffc70b7c25318866620fcf |
| hxxps://sites[.]google[.]com/site/79s564fg105s6f4gsg56sd4g0s54dg/cmd.bin | 31b3b228382dc359f22ae97b2602eee81dc743fb21196061eacc6619533881f5 |
| hxxps://sites[.]google[.]com/site/79s564fg105s6f4gsg56sd4g0s54dg/rmv.bin | c07f3c06663d350bff3349e09452c989a76c85d5920e3eb9be738f2069c57974 |
