Need a Help file? Hopefully it’s not one that includes ransomware. Malware researchers from Bitdefender Labs reported that Windows Help files are the latest way cybercriminals are locking up PCs with CryptoWall, the ransomware family that followed CryptoLocker.
On the first day of a new and active spam campaign last month, hundreds of mailboxes were hit with infected Help files. Bitdefender explained that using the Help file format is a “highly effective trick to automatically execute malware on a victim’s machine and encrypt its contents.” In this campaign CryptoWall 3.0 arrives as malicious .chm attachments, the Compiled HTML Help format Windows opens in its built-in Help viewer.
Users weren’t even trying to open Help files. The emails carrying the CHM attachments were dressed up as incoming fax reports from a machine in the user’s own domain. Bitdefender added:
Once the content of the .chm archive is accessed, the malicious code downloads from this location http://*********/putty.exe, saves itself as %temp%\natmasla2.exe and executes the malware. A command prompt window opens during the process.
It’s especially dangerous for a company that still depends on electronic faxes, because it wouldn’t take much “tricking” to convince a user to open a fake fax report. Once the infected CHM is opened, the downloader fetches the final payload, and then it’s bye-bye data unless you have a backup or pay the bitcoin ransom, which is something you should never do.
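The chain above gives a defender three things to look for: a CHM attachment arriving by mail, the Help viewer spawning a command prompt, and an executable being dropped into %temp% and run. The following Python is an added example written for this article, not code from Bitdefender or from the original report. It assumes, as a labelled simplification, that process and file events arrive as one key=value line each using Sysmon’s field names (EventID 1 for process creation, 11 for file creation); the sample attachments and event lines are constructed. The one hard fact it relies on is that every compiled HTML Help file starts with the four-byte signature ITSF and that Windows opens .chm files with hh.exe.

```python
import re
from typing import Dict, List, Tuple

CHM_MAGIC = b"ITSF"  # 4-byte signature at offset 0 of every compiled HTML Help (.chm) file


def is_chm(data: bytes) -> bool:
    """True if the bytes carry the CHM/ITSS header, whatever the file is called."""
    return data[:4] == CHM_MAGIC


def flag_attachments(attachments: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (name, reason) for attachments that are CHM by signature or by extension.
    The signature check catches a CHM hiding behind a benign name such as fax_report.pdf;
    the extension check catches a .chm whose header was damaged but still looks like Help."""
    flagged = []
    for name, data in attachments.items():
        if is_chm(data):
            flagged.append((name, "CHM signature (ITSF)"))
        elif name.lower().endswith(".chm"):
            flagged.append((name, ".chm extension"))
    return flagged


# Assumption (constructed for this example): each event is one line of
# Key=Value pairs, values quoted when they contain spaces. Real Sysmon emits
# XML/JSON; only the field names EventID, Image, ParentImage, CommandLine and
# TargetFilename are Sysmon's own.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
_TEMP_EXE = re.compile(r"\\temp\\[^\\]+\.exe$", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe"}


def parse_event(line: str) -> Dict[str, str]:
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV.finditer(line)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_chm_dropper(lines: List[str]) -> List[str]:
    """Alert on the three observable steps of the dropper chain the article describes:
    hh.exe (the Windows HTML Help viewer) spawning a shell, an .exe written under a
    Temp directory, and that Temp executable being launched."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "")
        if eid == "1" and basename(parent) == "hh.exe" and basename(image) in SHELLS:
            alerts.append(f"hh.exe spawned {basename(image)}: {ev.get('CommandLine', '')}")
        elif eid == "11" and _TEMP_EXE.search(ev.get("TargetFilename", "")):
            alerts.append(f"executable dropped in temp by {basename(image)}: {ev['TargetFilename']}")
        elif eid == "1" and _TEMP_EXE.search(image):
            alerts.append(f"executable launched from temp: {image} (parent {basename(parent)})")
    return alerts


SAMPLE_ATTACHMENTS = {  # constructed bytes, not real files
    "fax_report_0218.chm": b"ITSF\x03\x00\x00\x00" + b"\x00" * 24,
    "fax_report.pdf": b"ITSF\x03\x00\x00\x00" + b"\x00" * 24,  # a CHM mislabelled as PDF
    "scan.pdf": b"%PDF-1.4\n",
}

SAMPLE_EVENTS = [  # constructed lines modelled on the chain Bitdefender describes
    r'EventID=1 Image=C:\Windows\hh.exe ParentImage=C:\Windows\explorer.exe CommandLine="hh.exe C:\Users\ann\AppData\Local\Temp\fax_report_0218.chm"',
    r'EventID=1 Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\hh.exe CommandLine=cmd.exe',
    r'EventID=11 Image=C:\Windows\System32\cmd.exe TargetFilename=C:\Users\ann\AppData\Local\Temp\natmasla2.exe',
    r'EventID=1 Image=C:\Users\ann\AppData\Local\Temp\natmasla2.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine=natmasla2.exe',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine=notepad.exe',
]

if __name__ == "__main__":
    for name, reason in flag_attachments(SAMPLE_ATTACHMENTS):
        print(f"quarantine {name}: {reason}")
    for alert in detect_chm_dropper(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The attachment check belongs at the mail gateway, where blocking CHM outright costs almost nothing because legitimate mail never carries compiled Help files. The process-chain rules belong in the SIEM; on a normal workstation hh.exe never has a reason to spawn cmd.exe, so that single parent/child pair is a high-signal alert even before the dropped executable appears.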
Still, victims keep paying. Last month the police department in Midlothian, a village south of Chicago, paid a $500 bitcoin ransom to unlock a police PC infected with what was reported as Cryptoware, a cousin of CryptoLocker. The Sheriff’s Office in Dickson County, Tennessee, also chose to pay after CryptoWall locked up all of its “autopsy reports, witness statements and crime scene photographs.” Detective and IT director Jeff McCliss said, "Every sort of document that you could develop in an investigation was in that folder. There was a total of 72,000 files.”
Infected CHM files were a problem a decade ago, as InfoWorld’s Woody Leonhard pointed out. It was such a problem that Microsoft addressed it in 2004 and took additional steps in 2005 to block CHM content loaded from network shares. In 2007, Microsoft “officially abandoned” CHM when it released Windows Vista. Nevertheless, he added, even on a Windows 8.1 computer a user can double-click the Lync Server 2013 CHM documentation and it downloads, unzips and “brings up the ancient Help infrastructure” running in Internet Explorer 11. The viewer never went away, which is exactly why an attachment in a format nobody sends any more still executes.
Bitdefender reported that the email blast happened on Feb. 18 and targeted a couple hundred users. “The spam servers appear to be in Vietnam, India, Australia, US, Romania and Spain. After analyzing the recipient domain names, it looks like attackers are after users from around the world, including the US, Europe, Australia, the Netherlands, Denmark, Sweden and Slovakia.”
Bitdefender has a list of steps to help you avoid CryptoWall infections and reminds you to keep a copy of your data on external drives; keep that drive disconnected when it is not being written to, since a backup that stays mounted gets encrypted along with everything else. Additionally, if you haven’t already done so, go download Bitdefender’s free Cryptowall Immunizer, a tool that Bitdefender says blocks CryptoWall’s file-encryption attempts before they start.