Fake Microsoft customer support and help file is actually Vidar malware that steals info

A person typing on a keyboard in a dark room
via Anete Lusina (Pexels)

SpiderLabs, the security team at the cybersecurity firm Trustwave, has warned Windows users about a new malware campaign called Vidar that disguises itself as Microsoft support or help file. As such, unsuspecting users may easily fall victim and Vidar, which is a stealer malware, can steal information of the exploited victims.

Microsoft compiled HTML help (CHM) files, although a bit uncommon now, are used to provide various help documents and such. This malicious Vidar CHM malware is distributed via email in the form of ISO which acts as the container. The ISO is disguised as a "request.doc" file.

Vidar malware

Inside this request.doc ISO file, there are a couple of malicious files, a Microsoft Compiled HTML Help (CHM) dubbed “pss10r.chm” and an executable dubbed “app.exe”. Once the user is tricked into extracting these files, the user system is compromised. The former, “pss10r.chm”, is actually a legitimate file in general but the accompanying exe file is the Vidar.

Here's a comparison image of a legitimate “pss10r.chm” against the malicious one used in this Vidar campaign:

Vidar malware

The purpose of the malicious CHM is to run the other file, the app.exe that contains the Vidar malware, to successfully deliver the payload. You can find more technical details in the official blog post.

As mentioned above, Vidar is stealer malware that steals information and data from browsers, among other places. The campaign is similar to the RedLine malware campaign that we learned about in February.

Report a problem with article
ebook offer
Next Article

IoT Prediction report 2022 - Free Download

The ProtonMail logo on a mountainous background
Previous Article

Proton confirms a ProtonMail app for Windows is in the works but it's far from ready

Join the conversation!

Login or Sign Up to read and post a comment.

9 Comments - Add comment