October 10, 2017 By Douglas Bonderud 2 min read

Another day, another banking Trojan. As reported by Bleeping Computer, a security researcher discovered a Brazilian-based email attack that masquerades as an email from WhatsApp, then runs PowerShell commands to download and install financial malware.

Malicious CHM Files Mask Banking Trojan

While most current malware spam efforts rely on JavaScript (JS) or Visual Basic Script (VBScript) attachments, the newest iteration uses files that claim to be WhatsApp conversation logs. If a user with a Brazilian IP address clicks the embedded link, a zip file containing the malicious CHM — a compiled HTML attachment —is downloaded, which launches the Microsoft HTML Help program (hh.exe) to display the HTML file.

By modifying the legitimate Transmission Control Protocol (TCP) IPv4 help file, attackers embedded an OCX object that launches a PowerShell command. This command connects to a remote URL and downloads the malware package, which is then installed across multiple directories and launches malicious CHM files every half hour to ensure the Trojan is up to date and malware stays active.

This isn’t a new technique — PowerShell-based attacks were first described 12 years ago. However, the method remains successful, with just 16 percent of antivirus programs stopping these emails before they reach corporate networks. On the upside, the Trojan only checks for Brazilian IP addresses, so if connections are outside the area, the malware isn’t installed.

Trust Issues

According to SC Magazine, a more traditional Java archive (JAR)-based attack is also ramping up in Brazil. Victims are phished using a Portuguese message that asks them to open a Boleto invoice, a popular mode of payment in Brazil that is similar to PayPal. This sends them to a RAR library, where a JAR file is downloaded.

Double-clicking this file activates a Java process that downloads the banking Trojan. The attackers attempt to bypass security tools using a legitimate VMware binary, which primes security solutions to trust subsequent library requests.

Beating Bank Security Breaches

While both of these attack vectors are native to Brazil and unlikely to spread outside the country, continual efforts by malicious actors — both reaching back into the past for CHM attacks and looking forward to binary deception — speak to the insatiable appetite for users’ financial data. In this respect, Brazil makes sense, since cybersecurity education remains in the early stages for most average users.

But it’s also a wake-up call for users worldwide. From macro-based attacks to side-loading Dynamic Link Libraries (DLLs) and running PowerShell scripts, attackers are always looking for new ways to fool security tools and fly under the radar as supposedly legitimate processes.

So how do organizations and individuals beat bank security breaches? If users refuse to click through to malicious email attachments and open files they aren’t expecting, attackers lose their edge. While security tools are constantly evolving to detect errant behavior and correct for the natural instinct of users to trust supposedly urgent emails, better decision-making remains the best defense against evolving malware threats.

More from

How I got started: Incident responder

3 min read - As a cybersecurity incident responder, life can go from chill to chaos in seconds. What is it about being an incident responder that makes people want to step up for this crucial cybersecurity role?With our How I Got Started series, we learn from experts in their field and find out how they got started and what advice they have for anyone looking to get into the field.In this Q&A, we spoke with IBM’s own Dave Bales, co-lead X-Force Incident Command…

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally.The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets.Who is exploiting the NGFW zero-day?As of now, little is known about the actors behind the…

How TikTok is reframing cybersecurity efforts

4 min read - You might think of TikTok as the place to go to find out new recipes and laugh at silly videos. And as a cybersecurity professional, TikTok’s potential data security issues are also likely to come to mind. However, in recent years, TikTok has worked to promote cybersecurity through its channels and programs. To highlight its efforts, TikTok celebrated Cybersecurity Month by promoting its cybersecurity focus and sharing cybersecurity TikTok creators.Global Bug Bounty program with HackerOneDuring Cybersecurity Month, the social media…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today