October 10, 2017 By Douglas Bonderud 2 min read

Another day, another banking Trojan. As reported by Bleeping Computer, a security researcher discovered a Brazilian-based email attack that masquerades as an email from WhatsApp, then runs PowerShell commands to download and install financial malware.

Malicious CHM Files Mask Banking Trojan

While most current malware spam efforts rely on JavaScript (JS) or Visual Basic Script (VBScript) attachments, the newest iteration uses files that claim to be WhatsApp conversation logs. If a user with a Brazilian IP address clicks the embedded link, a zip file containing the malicious CHM — a compiled HTML attachment —is downloaded, which launches the Microsoft HTML Help program (hh.exe) to display the HTML file.

By modifying the legitimate Transmission Control Protocol (TCP) IPv4 help file, attackers embedded an OCX object that launches a PowerShell command. This command connects to a remote URL and downloads the malware package, which is then installed across multiple directories and launches malicious CHM files every half hour to ensure the Trojan is up to date and malware stays active.

This isn’t a new technique — PowerShell-based attacks were first described 12 years ago. However, the method remains successful, with just 16 percent of antivirus programs stopping these emails before they reach corporate networks. On the upside, the Trojan only checks for Brazilian IP addresses, so if connections are outside the area, the malware isn’t installed.

Trust Issues

According to SC Magazine, a more traditional Java archive (JAR)-based attack is also ramping up in Brazil. Victims are phished using a Portuguese message that asks them to open a Boleto invoice, a popular mode of payment in Brazil that is similar to PayPal. This sends them to a RAR library, where a JAR file is downloaded.

Double-clicking this file activates a Java process that downloads the banking Trojan. The attackers attempt to bypass security tools using a legitimate VMware binary, which primes security solutions to trust subsequent library requests.

Beating Bank Security Breaches

While both of these attack vectors are native to Brazil and unlikely to spread outside the country, continual efforts by malicious actors — both reaching back into the past for CHM attacks and looking forward to binary deception — speak to the insatiable appetite for users’ financial data. In this respect, Brazil makes sense, since cybersecurity education remains in the early stages for most average users.

But it’s also a wake-up call for users worldwide. From macro-based attacks to side-loading Dynamic Link Libraries (DLLs) and running PowerShell scripts, attackers are always looking for new ways to fool security tools and fly under the radar as supposedly legitimate processes.

So how do organizations and individuals beat bank security breaches? If users refuse to click through to malicious email attachments and open files they aren’t expecting, attackers lose their edge. While security tools are constantly evolving to detect errant behavior and correct for the natural instinct of users to trust supposedly urgent emails, better decision-making remains the best defense against evolving malware threats.

More from

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today