CHM Badness Delivers a Banking Trojan


Like good old Microsoft Office macros, Compiled HTML Help (CHM) files have been used by malware authors for more than a decade to sneak malicious downloader code into files that are harder to detect. A CHM is a Microsoft proprietary online help file format consisting of a collection of HTML pages compiled into a single compressed file. The most common use of CHMs is offline software documentation and help guides.

Recently we’ve observed a spam campaign targeting Brazilian institutions with emails carrying CHM attachments.

Figure1

Analysis

CHM files are containers which, when uncompressed, consist of a collection of HTML objects. In this sample, the object of interest is Load_HTML_CHM0.html (shown in the image below, which is the Secure Email Gateway unpack tree for the CHM file). This HTML is the primary object that gets loaded when the CHM file is opened.

Figure2

Figure3

When the Microsoft Help viewer (hh.exe) loads this HTML object, it runs a JavaScript function named open().

Figure4

The open() function decodes a block of data, which then undergoes two layers of decoding: Base64 and XOR.

Figure5

Next, the decoded data forms an object with the ClassID “adb880a6-d8ff-11cf-9377-00aa003b7a11”, which enables execution of the following malicious PowerShell (PS) script.

Figure6

To fly under the radar, the PowerShell command runs silently in the background: it terminates running instances of “hh.exe” (the program that opens the CHM file) and sets its window style to hidden. It then invokes a Base64-encoded command that downloads a second-stage PowerShell script hosted on Google Sites.

Figure7

Figure8
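As an added defensive example (not code from the original post), the following Python flags process-creation events that match the chain described above: powershell.exe spawned by hh.exe with a hidden window and a Base64-encoded command. The sample events and the encoded command are constructed; the decoder shows that -EncodedCommand carries UTF-16LE text, which is why a plain Base64 decode of such a command looks like text interleaved with NUL bytes.

```python
import base64
import re
# Constructed stand-in for the stage-one command; NOT the campaign's real command.
STAGE1 = "Write-Output 'placeholder stage two from sites.google.com'"

def encode_ps(script):
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events (Sysmon Event ID 1 style, reduced to three fields).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -EncodedCommand " + encode_ps(STAGE1)},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def suspicious_reasons(event):
    """Reasons a PowerShell launch resembles the CHM chain; empty list means benign."""
    reasons = []
    if event["Image"].rsplit("\\", 1)[-1].lower() not in ("powershell.exe", "pwsh.exe"):
        return reasons
    cmd = event["CommandLine"]
    if event["ParentImage"].rsplit("\\", 1)[-1].lower() == "hh.exe":
        reasons.append("PowerShell spawned by the HTML Help viewer hh.exe")
    if re.search(r"-w[a-z]*\s+hidden", cmd, re.I):
        reasons.append("window style hidden")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command decodes to: " + decoded)
        if "sites.google.com" in decoded.lower():
            reasons.append("decoded command references Google Sites")
    return reasons

def scan(events):
    """(command line, reasons) for every event that raised at least one reason."""
    return [(e["CommandLine"], r) for e in events if (r := suspicious_reasons(e))]
```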

The second-stage payload downloads a set of Bancos Trojan binaries and components to the %Appdata%\Sysinit folder, which are then copied to %Appdata%\SysRun.

Figure9

These files, however, are renamed to random filenames when they are dropped on the infected system. In this example, the files are renamed as follows:

Download URL -> download path (renamed file)
hxxps://sites[.]google[.]com/site/79s564fg105s6f4gsg56sd4g0s54dg/server.bin -> C:\Users\<USERNAME>\AppData\Roaming\SysInit\negoexts94.exe
hxxps://sites[.]google[.]com/site/79s564fg105s6f4gsg56sd4g0s54dg/CRYPTUI.bin -> C:\Users\<USERNAME>\AppData\Roaming\SysInit\CRYPTUI.dll
hxxps://sites[.]google[.]com/site/79s564fg105s6f4gsg56sd4g0s54dg/XSysInit.bin -> C:\Users\<USERNAME>\AppData\Roaming\SysInit\profprov.sys
hxxps://sites[.]google[.]com/site/79s564fg105s6f4gsg56sd4g0s54dg/mouse.bin -> C:\Users\<USERNAME>\AppData\Roaming\SysInit\KBDHE220.cur
hxxps://sites[.]google[.]com/site/79s564fg105s6f4gsg56sd4g0s54dg/base.bin -> C:\Users\<USERNAME>\AppData\Roaming\SysInit\dpnhpast.db
hxxps://sites[.]google[.]com/site/79s564fg105s6f4gsg56sd4g0s54dg/cmd.bin -> C:\Users\<USERNAME>\AppData\Roaming\SysInit\cryptui8t.exe
hxxps://sites[.]google[.]com/site/79s564fg105s6f4gsg56sd4g0s54dg/rmv.bin -> C:\Users\<USERNAME>\AppData\Roaming\SysInit\wmidxdv.kdl

Figure10

The key component executable files are:

Server.bin – imports an API from CRYPTUI.DLL, which invokes the malicious code in the DLL
cmd.bin – a legitimate command line tool
XSysInit.bin – responsible for capturing mouse and keyboard events
CRYPTUI.DLL – loaded by server.bin; responsible for initial reconnaissance and downloading additional payloads

Three scheduled tasks are then created to run the malware when the user logs in. The task names use the format AutoUpdater followed by 6 random alphanumeric characters (e.g. AutoUpdater8ga9ek).

Figure11
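An added hunting check (not from the original post) for the persistence described above: it parses a constructed excerpt of schtasks /query /fo CSV /v output and flags tasks whose names fit the AutoUpdater pattern, run from the SysInit or SysRun staging folders, and trigger at logon. The column names, task names and paths in the sample are assumptions built from the post's description.

```python
import csv
import io
import re

# Constructed excerpt of `schtasks /query /fo CSV /v` output, cut down to four
# columns. Names and paths imitate the post's description; not real host data.
SAMPLE_SCHTASKS_CSV = """\
"TaskName","Task To Run","Schedule Type","Run As User"
"\\AutoUpdater8ga9ek","C:\\Users\\alice\\AppData\\Roaming\\SysRun\\negoexts94.exe","At logon time","alice"
"\\AutoUpdaterq1w2e3","C:\\Users\\alice\\AppData\\Roaming\\SysInit\\cryptui8t.exe","At logon time","alice"
"\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan","%systemroot%\\system32\\usoclient.exe StartScan","Daily","SYSTEM"
"\\AutoUpdater","C:\\Program Files\\Vendor\\updater.exe","Daily","alice"
"""

# AutoUpdater followed by exactly six alphanumerics, as described in the post.
TASK_NAME = re.compile(r"^\\?AutoUpdater[a-z0-9]{6}$", re.I)
# Staging folders the second-stage script uses under the roaming profile.
SUSPECT_DIR = re.compile(r"\\AppData\\Roaming\\Sys(?:Init|Run)\\", re.I)

def flag_tasks(csv_text):
    """Return (task name, reasons) for each task matching the persistence pattern."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if TASK_NAME.match(row["TaskName"]):
            reasons.append("name is AutoUpdater + 6 random characters")
        if SUSPECT_DIR.search(row["Task To Run"]):
            reasons.append("runs from %AppData%\\SysInit or %AppData%\\SysRun")
        # Logon trigger only strengthens a hit; on its own it is normal for many tasks.
        if reasons and row["Schedule Type"].lower().startswith("at logon"):
            reasons.append("triggers at user logon")
        if reasons:
            hits.append((row["TaskName"], reasons))
    return hits
```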

The malicious PowerShell script then forces a system reboot to ensure the malware executes.

The task scheduler runs the third-party command line utility to execute Server.bin (renamed to negoexts94.exe). This executable loads the component file CRYPTUI.DLL by importing the API CryptUIWizExport:

Figure12

When the DLL is loaded, it spawns a new process named iexpress.exe and injects its malicious code into it. It then collects system information such as the username and computer name and reports back to its control server at 200.98.116.239:80.

Figure13

It also attempts to download an additional payload hosted on Google Sites:

Figure14

Summary

Figure15

The summary of the attack above highlights the multiple stages of malware infection originating from an email with a trojanized CHM attachment. Once a user opens the CHM, it executes a small PowerShell command that downloads a second-stage PowerShell script. Persistence is then gained by creating a scheduled task to run the malware when the user logs in.

Using multiple infection stages is a typical approach attackers take to stay under the radar of AV scanners. In fact, as of this writing only 8 out of 60 AV scanners detect it, more than a month after we discovered this sample.

Source: https://www.trustwave.com/Resources/SpiderLabs-Blog/CHM-Badness-Delivers-a-Banking-Trojan/