SpiderLabs, the security team at the cybersecurity firm Trustwave, has warned Windows users about a new malware campaign called Vidar that disguises itself as Microsoft support or help file. As such, unsuspecting users may easily fall victim and Vidar, which is a stealer malware, can steal information of the exploited victims.
Microsoft compiled HTML help (CHM) files, although a bit uncommon now, are used to provide various help documents and such. This malicious Vidar CHM malware is distributed via email in the form of ISO which acts as the container. The ISO is disguised as a "request.doc" file.
Inside this request.doc ISO file, there are a couple of malicious files, a Microsoft Compiled HTML Help (CHM) dubbed “pss10r.chm” and an executable dubbed “app.exe”. Once the user is tricked into extracting these files, the user system is compromised. The former, “pss10r.chm”, is actually a legitimate file in general but the accompanying exe file is the Vidar.
Here's a comparison image of a legitimate “pss10r.chm” against the malicious one used in this Vidar campaign:
The purpose of the malicious CHM is to run the other file, the app.exe that contains the Vidar malware, to successfully deliver the payload. You can find more technical details in the official blog post.
As mentioned above, Vidar is stealer malware that steals information and data from browsers, among other places. The campaign is similar to the RedLine malware campaign that we learned about in February.