Spyware campaign uses Microsoft Help files to avoid detection
A recently discovered spyware campaign uses Microsoft Help files to trick PC owners into downloading malicious files.
What you need to know
- Threat actors are hiding Vidar spyware inside Microsoft Compiled HTML Help files.
- Vidar can be used to steal information from a person's PC.
- An email campaign claims to have a document that people need to download, but it actually contains the Vidar spyware hidden as a help file.
Threat actors are hiding Vidar spyware inside Microsoft Compiled HTML Help (CHM) files as part of an email spam campaign. Vidar can be used to steal information from a computer, such as user data. The stolen information can be quite valuable, including credit card information and account details. Trustwave's Diana Lopera broke down the attack campaign in a recent post (via ZDNet).
The attack uses an age-old strategy of getting people to download seemingly innocent files that are actually malicious. Threat actors often make malicious files appear to be helpful or important documents, which leads people to bypass security measures and approve downloads, and opens many other avenues for attacking a PC.
In this specific campaign, an email is spammed out with a CHM file labeled "request.doc." That file contains an ISO image that has an executable file and a CHM file. If unpacked, the CHM file can run an EXE to spread the Vidar spyware.
Microsoft Compiled HTML Help files are meant to be used to share useful information and documentation. Unsuspecting victims that download the email attachment may assume that they're getting something important rather than spyware.
To protect yourself against this campaign, you should implement the standard protections against email spam, such as making sure you know where an email originates before you download any attachments. It's also a good idea to use the best antivirus software to protect your PC.
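As an added example (not from the original article or from Trustwave's write-up), the sketch below shows one way a mail filter or analyst script can catch an attachment whose name ends in .doc but whose contents are really a CHM file or an ISO image, by checking well-known magic bytes. The function names, the allowed-type table and the sample bytes are assumptions constructed for illustration.

```python
import os

# Well-known file signatures: (offset, magic bytes, type name).
SIGNATURES = [
    (0, b"ITSF", "chm"),                             # Compiled HTML Help
    (0, bytes.fromhex("D0CF11E0A1B11AE1"), "ole2"),  # legacy Word .doc
    (0, b"{\\rtf", "rtf"),                           # RTF, often saved as .doc
    (0, b"PK\x03\x04", "zip"),                       # .docx (OOXML) container
    (0x8001, b"CD001", "iso"),                       # ISO 9660 volume descriptor
]
HEADER_LEN = 0x8001 + 5  # enough bytes to reach the ISO marker

# Content types each document extension may legitimately carry (assumed policy).
EXPECTED = {".doc": {"ole2", "rtf"}, ".docx": {"zip"}}


def sniff(data: bytes) -> str:
    """Return the content type indicated by the magic bytes, or 'unknown'."""
    for offset, magic, kind in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return kind
    return "unknown"


def check_attachment(filename: str, data: bytes):
    """Compare the claimed extension with the sniffed content type."""
    ext = os.path.splitext(filename.lower())[1]
    actual = sniff(data[:HEADER_LEN])
    allowed = EXPECTED.get(ext)
    if allowed is not None and actual not in allowed:
        return ("mismatch", actual)  # name says document, bytes say otherwise
    return ("ok", actual)


# Constructed sample data (minimal headers only, not real files).
SAMPLES = {
    "request.doc": b"ITSF\x03\x00\x00\x00" + b"\x00" * 88,         # CHM header
    "request_iso.doc": b"\x00" * 0x8000 + b"\x01CD001\x01\x00",    # ISO header
    "report.doc": bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 504,
    "notes.docx": b"PK\x03\x04" + b"\x00" * 26,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, check_attachment(name, blob))
```

A "mismatch" verdict is a reason to quarantine the attachment for review rather than proof of malice; the signature list covers only the formats named here.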

Sean Endicott is a news writer and apps editor for Windows Central with 11+ years of experience. A Nottingham Trent journalism graduate, Sean has covered the industry’s arc from the Lumia era to the launch of Windows 11 and generative AI. Having started at Thrifter, he uses his expertise in price tracking to help readers find genuine hardware value.
