Another day, another banking Trojan. As reported by Bleeping Computer, a security researcher discovered a Brazilian-based email attack that masquerades as an email from WhatsApp, then runs PowerShell commands to download and install financial malware.
Malicious CHM Files Mask Banking Trojan
While most current malware spam efforts rely on JavaScript (JS) or Visual Basic Script (VBScript) attachments, the newest iteration uses files that claim to be WhatsApp conversation logs. If a user with a Brazilian IP address clicks the embedded link, a zip file containing the malicious CHM — a compiled HTML attachment —is downloaded, which launches the Microsoft HTML Help program (hh.exe) to display the HTML file.
By modifying the legitimate Transmission Control Protocol (TCP) IPv4 help file, attackers embedded an OCX object that launches a PowerShell command. This command connects to a remote URL and downloads the malware package, which is then installed across multiple directories and launches malicious CHM files every half hour to ensure the Trojan is up to date and malware stays active.
This isn’t a new technique — PowerShell-based attacks were first described 12 years ago. However, the method remains successful, with just 16 percent of antivirus programs stopping these emails before they reach corporate networks. On the upside, the Trojan only checks for Brazilian IP addresses, so if connections are outside the area, the malware isn’t installed.
Trust Issues
According to SC Magazine, a more traditional Java archive (JAR)-based attack is also ramping up in Brazil. Victims are phished using a Portuguese message that asks them to open a Boleto invoice, a popular mode of payment in Brazil that is similar to PayPal. This sends them to a RAR library, where a JAR file is downloaded.
Double-clicking this file activates a Java process that downloads the banking Trojan. The attackers attempt to bypass security tools using a legitimate VMware binary, which primes security solutions to trust subsequent library requests.
Beating Bank Security Breaches
While both of these attack vectors are native to Brazil and unlikely to spread outside the country, continual efforts by malicious actors — both reaching back into the past for CHM attacks and looking forward to binary deception — speak to the insatiable appetite for users’ financial data. In this respect, Brazil makes sense, since cybersecurity education remains in the early stages for most average users.
But it’s also a wake-up call for users worldwide. From macro-based attacks to side-loading Dynamic Link Libraries (DLLs) and running PowerShell scripts, attackers are always looking for new ways to fool security tools and fly under the radar as supposedly legitimate processes.
So how do organizations and individuals beat bank security breaches? If users refuse to click through to malicious email attachments and open files they aren’t expecting, attackers lose their edge. While security tools are constantly evolving to detect errant behavior and correct for the natural instinct of users to trust supposedly urgent emails, better decision-making remains the best defense against evolving malware threats.