Like good old Microsoft Office Macros, Compiled HTML (CHM) Help files have been utilized by malware authors for more than a decade to sneak malicious downloader code into files making them harder to detect. CHMs are a Microsoft proprietary online help file that consist of a collection of HTML pages compiled into a single compressed file format. The most common use of CHMs are for offline software documentation and help guides.
Recently we’ve observed a spam campaign that targets Brazilian institutions with emails with CHM attachments.
CHM are container files which, when uncompressed, consist of a collection of HTML objects. In this sample, the object of interest is Load_HTML_CHM0.html (Shown in the image below, which is the Secure Email Gateway unpack tree for the CHM file). This HTML is the primary object that gets loaded when the CHM file is opened.
This function open() decodes a block of data which then undergoes two layers of decoding with Base64 and XOR.
Next, the decoded data forms an object with a ClassID “adb880a6-d8ff-11cf-9377-00aa003b7a11” which enables the execution of the following malicious PowerShell (PS) script.
So the attack can fly under the radar, the PowerShell command runs silently in the background by terminating instances of “hh.exe” (a program that runs the CHM file) and setting the window-style as hidden. It then invokes a command encoded in Base64 that downloads a second stage PowerShell script hosted in Google Sites.
The second Payload downloads a bunch of Bancos Trojan binaries and components to the %Appdata%\Sysinit folder and then copied to %Appdata%\SysRun.
These files however are renamed to random filenames when they are dropped to the infected system. In this example, files they are renamed to:
|Download URL||Download Path and Renamed To|
The key component executable files are:
Server.bin – imports API from CRYPTUI.DLL that invokes the malicious code from the DLL
cmd.bin – this file is a legitimate command line tool application
XSysInit.bin – this binary is responsible for capturing mouse and keyboard events
CRYPTUI.DLL – loaded by the file server.bin responsible for initial reconnaissance and downloading additional payloads
Three scheduled tasks are then created to run the malware when the user logs in. It uses the name format AutoUpdater followed by 6 random alphanumeric characters (e.g. AutoUpdater8ga9ek ) as a task name.
The system then undergoes a forced reboot executed by the malicious PowerShell script to ensure the malware executes.
The task scheduler runs the third party command line utility to execute Server.bin (was renamed to negoexts94.exe). This executable loads the component file CRYPTUI.DLL by importing the API CryptUIWizExport:
When the DLL is loaded, it spawns and injects its malicious code to a new process named iexpress.exe. It then obtains system information such username and computer name and reports back to its control server at 18.104.22.168:80.
It also attempts to download an additional payload hosted in Google Sites:
The summary of the attack above highlights multiple stages of malware infection originating from an email with a trojanized CHM attachment. Once a user opens the CHM, it executes a small PowerShell command that downloads a second stage PowerShell script. Persistence is then gained by creating a scheduled task to run the malware when the user logs in.
The use of multiple stages of infection is a typical approach for attackers to stay under radar of AV scanners. As a matter of fact, as of this writing only 8 out of 60 AV scanners can detect it more than a month after we discovered this sample.