October 10, 2017 By Douglas Bonderud 2 min read

Another day, another banking Trojan. As reported by Bleeping Computer, a security researcher discovered a Brazilian-based email attack that masquerades as an email from WhatsApp, then runs PowerShell commands to download and install financial malware.

Malicious CHM Files Mask Banking Trojan

While most current malware spam efforts rely on JavaScript (JS) or Visual Basic Script (VBScript) attachments, the newest iteration uses files that claim to be WhatsApp conversation logs. If a user with a Brazilian IP address clicks the embedded link, a zip file containing the malicious CHM — a compiled HTML attachment —is downloaded, which launches the Microsoft HTML Help program (hh.exe) to display the HTML file.

By modifying the legitimate Transmission Control Protocol (TCP) IPv4 help file, attackers embedded an OCX object that launches a PowerShell command. This command connects to a remote URL and downloads the malware package, which is then installed across multiple directories and launches malicious CHM files every half hour to ensure the Trojan is up to date and malware stays active.

This isn’t a new technique — PowerShell-based attacks were first described 12 years ago. However, the method remains successful, with just 16 percent of antivirus programs stopping these emails before they reach corporate networks. On the upside, the Trojan only checks for Brazilian IP addresses, so if connections are outside the area, the malware isn’t installed.

Trust Issues

According to SC Magazine, a more traditional Java archive (JAR)-based attack is also ramping up in Brazil. Victims are phished using a Portuguese message that asks them to open a Boleto invoice, a popular mode of payment in Brazil that is similar to PayPal. This sends them to a RAR library, where a JAR file is downloaded.

Double-clicking this file activates a Java process that downloads the banking Trojan. The attackers attempt to bypass security tools using a legitimate VMware binary, which primes security solutions to trust subsequent library requests.

Beating Bank Security Breaches

While both of these attack vectors are native to Brazil and unlikely to spread outside the country, continual efforts by malicious actors — both reaching back into the past for CHM attacks and looking forward to binary deception — speak to the insatiable appetite for users’ financial data. In this respect, Brazil makes sense, since cybersecurity education remains in the early stages for most average users.

But it’s also a wake-up call for users worldwide. From macro-based attacks to side-loading Dynamic Link Libraries (DLLs) and running PowerShell scripts, attackers are always looking for new ways to fool security tools and fly under the radar as supposedly legitimate processes.

So how do organizations and individuals beat bank security breaches? If users refuse to click through to malicious email attachments and open files they aren’t expecting, attackers lose their edge. While security tools are constantly evolving to detect errant behavior and correct for the natural instinct of users to trust supposedly urgent emails, better decision-making remains the best defense against evolving malware threats.

More from

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Cybersecurity Awareness Month: 5 new AI skills cyber pros need

4 min read - The rapid integration of artificial intelligence (AI) across industries, including cybersecurity, has sparked a sense of urgency among professionals. As organizations increasingly adopt AI tools to bolster security defenses, cyber professionals now face a pivotal question: What new skills do I need to stay relevant?October is Cybersecurity Awareness Month, which makes it the perfect time to address this pressing issue. With AI transforming threat detection, prevention and response, what better moment to explore the essential skills professionals might require?Whether you're…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today