October 10, 2017 By Douglas Bonderud 2 min read

Another day, another banking Trojan. As reported by Bleeping Computer, a security researcher discovered a Brazilian-based email attack that masquerades as an email from WhatsApp, then runs PowerShell commands to download and install financial malware.

Malicious CHM Files Mask Banking Trojan

While most current malware spam efforts rely on JavaScript (JS) or Visual Basic Script (VBScript) attachments, the newest iteration uses files that claim to be WhatsApp conversation logs. If a user with a Brazilian IP address clicks the embedded link, a zip file containing the malicious CHM — a compiled HTML attachment —is downloaded, which launches the Microsoft HTML Help program (hh.exe) to display the HTML file.

By modifying the legitimate Transmission Control Protocol (TCP) IPv4 help file, attackers embedded an OCX object that launches a PowerShell command. This command connects to a remote URL and downloads the malware package, which is then installed across multiple directories and launches malicious CHM files every half hour to ensure the Trojan is up to date and malware stays active.

This isn’t a new technique — PowerShell-based attacks were first described 12 years ago. However, the method remains successful, with just 16 percent of antivirus programs stopping these emails before they reach corporate networks. On the upside, the Trojan only checks for Brazilian IP addresses, so if connections are outside the area, the malware isn’t installed.

Trust Issues

According to SC Magazine, a more traditional Java archive (JAR)-based attack is also ramping up in Brazil. Victims are phished using a Portuguese message that asks them to open a Boleto invoice, a popular mode of payment in Brazil that is similar to PayPal. This sends them to a RAR library, where a JAR file is downloaded.

Double-clicking this file activates a Java process that downloads the banking Trojan. The attackers attempt to bypass security tools using a legitimate VMware binary, which primes security solutions to trust subsequent library requests.

Beating Bank Security Breaches

While both of these attack vectors are native to Brazil and unlikely to spread outside the country, continual efforts by malicious actors — both reaching back into the past for CHM attacks and looking forward to binary deception — speak to the insatiable appetite for users’ financial data. In this respect, Brazil makes sense, since cybersecurity education remains in the early stages for most average users.

But it’s also a wake-up call for users worldwide. From macro-based attacks to side-loading Dynamic Link Libraries (DLLs) and running PowerShell scripts, attackers are always looking for new ways to fool security tools and fly under the radar as supposedly legitimate processes.

So how do organizations and individuals beat bank security breaches? If users refuse to click through to malicious email attachments and open files they aren’t expecting, attackers lose their edge. While security tools are constantly evolving to detect errant behavior and correct for the natural instinct of users to trust supposedly urgent emails, better decision-making remains the best defense against evolving malware threats.

More from

Recent CrowdStrike outage: What you should know

3 min read - On Friday, July 19, 2024, nearly 8.5 million Microsoft devices were affected by a faulty system update, causing a major outage of businesses and services worldwide. This equates to nearly 1% of all Microsoft systems globally and has led to significant disruptions to airlines, police departments, banks, hospitals, emergency call centers and hundreds of thousands of other private and public businesses. What caused this outage in Microsoft systems? The global outage of specific Microsoft-enabled systems and servers was isolated to…

White House mandates stricter cybersecurity for R&D institutions

2 min read - Federal cyber regulation is edging further into research and development (R&D) and higher education. A recent memo from the Office of Science and Technology Policy (OSTP) states that certain covered institutions will be required to implement cybersecurity programs for R&D security. These mandates will also apply to institutions of higher education that support R&D. Beyond strengthening the overall U.S. security posture, this move is also in direct response to growing threats posed by the People's Republic of China (PRC), as…

New memo reveals Biden’s cybersecurity priorities through fiscal year 2026

2 min read - On July 10, 2024, the White House released a new memo regarding the Biden administration’s cybersecurity investment priorities, initially proposed in July 2022. This new memorandum now marks the third time the Office of the National Cyber Director (ONCD), headed by Harry Coker, has released updated priorities and outlined procedures regarding the five core pillars of the National Cybersecurity Strategy Implementation Plan (NCSIP), now relevant through fiscal year 2026. Key highlights from the FY26 memorandum In the latest annual version…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today