The Vidar spyware has been spotted in a new phishing campaign that abuses Microsoft Compiled HTML Help (CHM) files. The threat actors use the CHM format to disguise the spyware's delivery so that it slips past email spam filters and other security solutions.
Vidar is both an infostealer and a piece of Windows spyware that its developers sell to other cybercriminals. It can harvest operating system data, user information, credit card details, and cryptocurrency account credentials.
Although the threat actors deliver Vidar through phishing campaigns, researchers have also found the C++ malware being distributed through the pay-per-install PrivateLoader and the Fallout exploit kit.
Vidar is a threatening piece of spyware, but it is not as sophisticated as other infostealers.
Vidar's email campaign is not a sophisticated attack: the email carries a generic subject line, and the attachment is named request[.]doc but is actually an [.]iso disk image. The image contains two files, an executable (app[.]exe) and a Microsoft Compiled HTML Help (CHM) file.
Researchers explained that CHM is Microsoft's compiled, compressed HTML format for documentation and help files; a CHM container can store text, tables, links, and images.
An attacker can abuse the format to force the Microsoft Help Viewer (hh.exe) to load CHM objects.
When the Help Viewer opens the malicious CHM file, a JavaScript snippet inside it silently runs app[.]exe. The snippet only works if both files sit in the same directory, a condition the ISO satisfies because both files ship inside it, so the Vidar payload is triggered.
The Vidar samples the researchers obtained were still communicating with their command-and-control servers. Analysis showed that the malware looks up specific user profiles and reads its command-and-control addresses from the bio sections of those profiles.
This lets the malware build its configuration and start the data-harvesting process. Finally, the researchers observed Vidar downloading and running additional malware payloads.