
Help files not helpful: Malicious CHM being used in CryptoWall 3.0 attack

Cybercrooks are using CHM, the Help file format, disguised as fax report emails, to infect PCs with CryptoWall ransomware.


Need a Help file? Hopefully it’s not one that carries ransomware. Malware researchers from Bitdefender Labs report that Help files are the latest vehicle cybercriminals are using to lock up PCs with CryptoWall, a successor to the CryptoLocker family of file-encrypting ransomware.

On the first day of a new and active spam campaign last month, hundreds of mailboxes were hit with infected Help files. Bitdefender explained that the Help file format is a “highly effective trick to automatically execute malware on a victim’s machine and encrypt its contents.” In this campaign CryptoWall 3.0 arrives as a malicious .chm attachment.

CHM is the extension of the Compiled HTML Help format, which software vendors use to ship user manuals alongside their applications. The HTML pages are compressed and packaged into a single binary file with the .chm extension. A CHM bundles HTML documents, images and JavaScript files together with a hyperlinked table of contents, an index and full-text search.

CHM files are highly interactive: they are rendered by the Windows HTML Help viewer (hh.exe) using the Internet Explorer engine, and they can carry active content, including JavaScript, that redirects the user to an external URL as soon as the file is opened. Attackers began abusing this to run a malicious payload automatically the moment the file is accessed. It makes perfect sense from their side: the less user interaction required, the greater the chance of infection.

Users weren’t even trying to open Help files. Instead, the CHM attachments arrived in what looked like an incoming fax report email from a fax machine in the user’s own domain. Bitdefender added:

Once the content of the .chm archive is accessed, the malicious code downloads from this location http://*********/putty.exe, saves itself as %temp%\natmasla2.exe and executes the malware. A command prompt window opens during the process.


This is especially dangerous in a company that still depends on electronic faxes: it takes very little “tricking” to get a user to open a fake fax report. Once the infected CHM is opened, the downloader fetches the final payload. Boom, bye-bye data, unless you have a backup or pay the bitcoin ransom, which is something you should never do.
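The two things a mail gateway can check for in this lure are visible in the description above: the attachment is a CHM (identifiable by its ITSF header regardless of the file name it is given), and the message claims to be an internal fax report, with a From: address in the recipient’s own domain. The following triage script is an added example, not Bitdefender’s or Network World’s code. The domain names, the file name, the keyword list and the sample message are all constructed for the example; the CHM header fields it reads (magic, version, header length, Windows language ID) follow the documented ITSF layout.

```python
"""Mail-gateway triage for CHM-borne lures such as the fake fax report above.

Added example (not Bitdefender's or Network World's code). It flags:
  * attachments that are CHM files by content (the 'ITSF' magic), so a
    .chm renamed to .pdf is still caught;
  * the lure pattern: a "fax report" subject plus a From: domain equal to
    the recipient's domain (a spoofed internal sender).
The message, domains and keyword list below are constructed for the example.
"""
import email
import struct
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

ITSF_MAGIC = b"ITSF"
FAX_WORDS = ("fax", "fax report")  # hypothetical keyword list, tune per site


def parse_chm_header(data: bytes):
    """Return (version, header_length, language_id) for a CHM blob, or None.

    ITSF header layout: 'ITSF', u32 version, u32 total header length,
    u32 unknown (always 1), u32 timestamp, u32 Windows language ID.
    """
    if len(data) < 24 or data[:4] != ITSF_MAGIC:
        return None
    version, header_len, _unknown, _stamp, lang = struct.unpack_from("<5I", data, 4)
    return version, header_len, lang


def chm_attachments(msg: EmailMessage):
    """Yield (filename, header fields) for every attachment that is a CHM."""
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        hdr = parse_chm_header(payload)
        if hdr is not None:
            yield part.get_filename() or "<unnamed>", hdr


def spoofed_internal_sender(msg: EmailMessage) -> bool:
    """True when the From: address claims the recipient's own domain."""
    _, sender = parseaddr(msg.get("From", ""))
    _, rcpt = parseaddr(msg.get("To", ""))
    sdom = sender.rpartition("@")[2].lower()
    rdom = rcpt.rpartition("@")[2].lower()
    return bool(sdom) and sdom == rdom


def looks_like_fax_lure(msg: EmailMessage) -> bool:
    """True when the subject matches the fax-report theme."""
    subject = (msg.get("Subject") or "").lower()
    return any(w in subject for w in FAX_WORDS)


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return findings plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    chms = list(chm_attachments(msg))
    findings = {
        "chm_attachments": [name for name, _ in chms],
        "spoofed_internal_sender": spoofed_internal_sender(msg),
        "fax_lure_subject": looks_like_fax_lure(msg),
    }
    # Any CHM attachment is quarantined; the lure indicators raise severity.
    findings["verdict"] = "quarantine" if chms else "pass"
    return findings


# Constructed sample: a 0x60-byte ITSF header (version 3, language 0x0409)
# padded with zeros, attached as "fax_report.pdf" to hide the real format.
FAKE_CHM = ITSF_MAGIC + struct.pack("<5I", 3, 0x60, 1, 0, 0x0409) + b"\0" * (0x60 - 24)


def build_sample() -> bytes:
    """Build the constructed lure message (spoofed internal fax sender)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "fax@corp.example"
    msg["To"] = "alice@corp.example"
    msg["Subject"] = "Incoming fax report"
    msg.set_content("You have a new fax. See the attached report.")
    msg.add_attachment(FAKE_CHM, maintype="application", subtype="octet-stream",
                       filename="fax_report.pdf")
    return bytes(msg)


if __name__ == "__main__":
    print(triage(build_sample()))
```

The script deliberately stops at the container: inspecting the HTML and script inside a CHM would need LZX decompression of its compressed section, and in practice there is little reason for a CHM to arrive by email at all, so quarantining on the magic bytes is the simpler and safer rule.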

Just the same, it happened last month: Midlothian police, south of Chicago, paid a $500 bitcoin ransom to unlock a police PC infected with Cryptoware, a cousin of CryptoLocker. The Sheriff’s Office in Dickson County, Tennessee, also chose to pay after CryptoWall locked up all of its “autopsy reports, witness statements and crime scene photographs.” Detective and IT director Jeff McCliss said, "Every sort of document that you could develop in an investigation was in that folder. There was a total of 72,000 files.”

Infected CHM files were a problem a decade ago, pointed out InfoWorld’s Woody Leonhard. It was such a problem that Microsoft addressed the issue in 2004 and took additional steps in 2005 to block access to CHM files on network shares. In 2007, Microsoft “officially abandoned” CHM when it released Windows Vista. Nevertheless, he added, even using a Windows 8.1 computer, users can double-click on Lync Server 2013 CHM documentation and it downloads, unzips and “brings up the ancient Help infrastructure” running in Internet Explorer 11.

Bitdefender reported that the email blast happened on Feb. 18 and targeted a couple hundred users. “The spam servers appear to be in Vietnam, India, Australia, US, Romania and Spain. After analyzing the recipient domain names, it looks like attackers are after users from around the world, including the US, Europe, Australia, the Netherlands, Denmark, Sweden and Slovakia.”


Bitdefender has published a list of steps to help you avoid CryptoWall infections and reminds you to keep a copy of your data on external drives. If you haven’t already, you can also download Bitdefender’s free Cryptowall Immunizer, a tool intended to block file encryption attempts on the machine before they happen.
