Security researchers are warning of a new spam campaign targeting Brazilian institutions, in which messages carry Compiled HTML (CHM) file attachments used to deliver a banking Trojan.
Spam messages contain a malicious CHM attachment called “comprovante.chm,” wrote Rodel Mendrez, senior security researcher at Trustwave, in a technical write-up outlining the research.
He added that the multi-stage infection technique used to deliver the Trojan is effective at hiding the malware from detection. Currently only eight out of 60 AV scanners identify the CHM file attachments as malicious, he said.
“Once a user opens the CHM, it executes a small PowerShell command that downloads a second stage PowerShell script. Persistence is then gained by creating a scheduled task to run the malware when the user logs in,” Mendrez said.
The researcher said that when the CHM file container is uncompressed, it consists of HTML objects, one of which is “Load_HTML_CHM0.html.”
After the data is decoded, it forms a ClassID object, which enables a malicious PowerShell script.
“So the attack can fly under the radar, the PowerShell command runs silently in the background by terminating instances of ‘hh.exe’ (a program that runs the CHM file) and setting the window-style as hidden. It then invokes a command encoded in Base64 that downloads a second stage PowerShell script hosted in Google Sites,” the researcher wrote.
That triggers a second Bancos Trojan binary to be downloaded to the “%Appdata%\Sysinit” folder and then copied to “%Appdata%\SysRun,” he said. Key executable binaries downloaded are Server.bin, cmd.bin, XSysInit.bin (used to capture mouse and keyboard activity) and CRYPTUI.DLL (capable of downloading additional payloads).
The attack sequence includes three scheduled tasks. The first runs the malware when the user logs in. The second forces the targeted system to reboot via a malicious PowerShell script. The last executes Server.bin, which loads the file CRYPTUI.DLL, which in turn can download new payloads.
“When the DLL is loaded (CRYPTUI.DLL), it spawns and injects its malicious code to a new process named iexpress.exe. It then obtains system information such as username and computer name and reports back to its control server,” the researcher wrote.
“The attack above highlights multiple stages of malware infection originating from an email with a trojanized CHM attachment… The use of multiple stages of infection is a typical approach for attackers to stay under the radar of AV scanners. As a matter of fact, as of this writing only 8 out of 60 AV scanners can detect it more than a month after we discovered this sample,” Mendrez said.
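The process relationships reported above (hh.exe launching a hidden, Base64-encoded PowerShell command, and binaries running from “%Appdata%\Sysinit” and “%Appdata%\SysRun”) can be hunted in process-creation telemetry. The sketch below is an added example, not code from the Trustwave write-up; the event field names (`parent`, `image`, `cmdline`), the user name and the sample events are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# powershell.exe accepts parameter prefixes: -w/-win for -WindowStyle and
# -e/-ec/-enc for -EncodedCommand. The patterns are deliberately loose.
HIDDEN = re.compile(r"""(?i)\s[-/]w[a-z]*\s+["']?hidden""")
ENCODED = re.compile(r"(?i)\s[-/]e(?:c|n[a-z]*)?\s+[A-Za-z0-9+/=]{16,}")
# %Appdata%\Sysinit and %Appdata%\SysRun, the folders named in the write-up.
STAGING = re.compile(r"(?i)\\appdata\\roaming\\sys(?:init|run)\\")

def base(path):
    """Lower-cased file name of a Windows path, on any host OS."""
    return PureWindowsPath(path).name.lower()

def triage(events):
    """Return [(event_index, [reasons])] for events matching the reported chain."""
    findings = []
    for i, ev in enumerate(events):
        reasons = []
        is_ps = base(ev["image"]) == "powershell.exe"
        if is_ps and base(ev["parent"]) == "hh.exe":
            reasons.append("PowerShell spawned by hh.exe (CHM viewer)")
        if is_ps and HIDDEN.search(ev["cmdline"]) and ENCODED.search(ev["cmdline"]):
            reasons.append("hidden window with Base64-encoded command")
        if any(STAGING.search(ev[k]) for k in ("parent", "image", "cmdline")):
            reasons.append("process tied to %Appdata%\\Sysinit or \\SysRun")
        if reasons:
            findings.append((i, reasons))
    return findings

# Constructed sample events (not taken from the report); the Base64 is filler.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Users\ana\Downloads\comprovante.chm'},
    {"parent": r"C:\Windows\hh.exe", "image": PS,
     "cmdline": "powershell.exe -WindowStyle Hidden -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVg=="},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1"},
    {"parent": r"C:\Users\ana\AppData\Roaming\SysRun\Server.bin",
     "image": r"C:\Windows\System32\iexpress.exe", "cmdline": "iexpress.exe"},
]

if __name__ == "__main__":
    for idx, why in triage(SAMPLE):
        print(idx, base(SAMPLE[idx]["image"]), "->", "; ".join(why))
```

Only the second and fourth sample events are flagged; opening the CHM itself and the ordinary `-ExecutionPolicy` invocation are not.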