Everything old is new again. More than a decade ago, miscreants pioneered the use of infected CHM files to deliver payloads to unsuspecting Windows users. Recently the scam has taken a very lucrative twist: PCs are being infected with CryptoWall ransomware when users open infected CHM files attached to email messages.
As IDG News Service's Lucian Constantin explained in August, CryptoWall has been spreading since November 2013, but it was largely overshadowed by its more famous kin, CryptoLocker, until the CryptoLocker botnet was taken down in May 2014. As Constantin explains, CryptoWall encrypts the data on a victim's PC and demands a ransom to get the data back:
CryptoWall typically asks victims to pay the ransom in bitcoin cryptocurrency, but earlier variants offered more payment options, including prepaid cards like MoneyPak, Paysafecard, CashU, and Ukash. The ransom amount grows if a victim doesn't pay the ransom within the initial allotted time, which is usually between four and seven days. The CTU [Counter Threat Unit at Dell SecureWorks] researchers observed payments that ranged between $200 and $10,000 in value, the majority of them (64 percent) being $500.
The culprit: an ancient file format known as Compiled HTML Help. CHM files were introduced in 1997 as a way to simplify navigation in -- and construction of -- Windows help files. CHM was a key feature of Internet Explorer 4, 5, and 6, and Windows 98, 2000, Me, and XP.
In 2004, Microsoft removed the most obvious security problem with CHM files in MS04-023/KB 840315. A year later, MS05-026/KB 896358 blocked access to CHM files on network shares, to thwart another class of malware.
CHM was so bad that Microsoft more or less officially abandoned it with the release of Windows Vista in 2007, but it persists. As recently as a year ago, Microsoft was still publishing official documentation in CHM format. Check out the Lync Server 2013 Documentation that you can download from Microsoft's site.
I was shocked, frankly, to discover that my Windows 8.1 PCs had no problem viewing that Lync Server 2013 Documentation. Double-clicking on the downloaded and unzipped CHM file brings up the ancient Help infrastructure, as you can see in this screenshot, running in Internet Explorer 11.
Bitdefender Chief Security Strategist Cătălin Coșoi, quoted on the Croatian blog Net-security.org, says this latest wave of attacks arrived with a blast of spam delivered in February:
Interestingly, in this instance, hackers have resorted to a less fashionable yet highly effective trick to automatically execute malware on a victim's machine and encrypt its contents -- malicious CHM attachments.
The article goes on to say (without attributing Coșoi directly):
Once the content of the CHM archive is accessed, the malicious code downloads from this location http:// *********/putty.exe, saves itself as %temp%\natmasla2.exe and executes the malware. A command prompt window opens during the process... the spam servers appear to be in Vietnam, India, Australia, U.S., Romania, and Spain.
The article also mentions fake incoming fax report emails, originating "from a machine in the user's domain," but it isn't clear if all the infected pieces of spam were formulated that way.
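Two things a defender can act on from the chain described above: the lure arrives as a CHM attachment, and once opened it spawns a command prompt that runs a freshly dropped executable out of %temp%. The script below, an added example that is not code from this article, Bitdefender, or Dell SecureWorks, does both checks: it identifies a CHM attachment by its ITSF header rather than by its file name (so a renamed attachment is still caught), and it walks constructed process-creation records looking for cmd.exe or a %temp% executable descended from the HTML Help viewer. It assumes, which the page does not state, that the CHM is rendered by Windows' hh.exe and that process telemetry is available as pid/ppid/image records (the field names are my own, loosely modelled on Sysmon process-creation events). The sample CHM bytes and the process records are constructed for the example, not captured from an incident.

```python
"""Triage helpers for the CHM-borne CryptoWall campaign described above.

Added example; not code from the article, Bitdefender or Dell SecureWorks.
Assumptions the page does not state: the CHM is rendered by Windows' HTML
Help viewer hh.exe, and process-creation telemetry is available as dicts
with pid/ppid/image keys (field names are my own, loosely after Sysmon).
"""
import ntpath
import re
import struct

CHM_MAGIC = b"ITSF"  # every Compiled HTML Help file starts with this tag


def parse_itsf_header(data):
    """Return the fixed fields at the start of an ITSF (CHM) header, or None.

    Layout: 'ITSF', u32 version, u32 total header length, u32 unknown,
    u32 timestamp, u32 Windows language ID (all little-endian).
    """
    if len(data) < 24 or data[:4] != CHM_MAGIC:
        return None
    version, header_len, _unknown, timestamp, lang_id = struct.unpack_from("<5I", data, 4)
    if header_len > len(data):
        return None  # declared header runs past the file: truncated or bogus
    return {"version": version, "header_len": header_len,
            "timestamp": timestamp, "lang_id": lang_id}


def triage_attachment(filename, data):
    """Classify an e-mail attachment by content, not by its name.

    'chm'         -> CHM content with a matching .chm extension
    'chm-renamed' -> CHM content hiding behind another extension
    'not-chm'     -> anything else
    """
    if parse_itsf_header(data) is None:
        return "not-chm"
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    return "chm" if ext == "chm" else "chm-renamed"


# An executable launched from the user's temp directory, written either as
# %temp%\foo.exe (as the report quotes it) or as an expanded ...\Temp\foo.exe.
TEMP_EXE = re.compile(r"(?:\\|%)temp%?\\[^\\]+\.exe$", re.IGNORECASE)


def find_help_spawn_chain(events, max_depth=3):
    """Return pids of cmd.exe or temp-dir executables descended from hh.exe.

    This is the chain the report describes: the help viewer opens the CHM,
    a command prompt appears, and a freshly dropped %temp% executable runs.
    Ancestry is followed up to max_depth parents within the supplied events.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        if name != "cmd.exe" and not TEMP_EXE.search(e["image"]):
            continue
        parent, depth = by_pid.get(e["ppid"]), 0
        while parent is not None and depth < max_depth:
            if ntpath.basename(parent["image"]).lower() == "hh.exe":
                hits.append(e["pid"])
                break
            parent, depth = by_pid.get(parent["ppid"]), depth + 1
    return hits


# Constructed sample data (not captured from a real incident).
SAMPLE_CHM = CHM_MAGIC + struct.pack("<5I", 3, 0x60, 1, 0, 0x409) + b"\x00" * (0x60 - 24)

SAMPLE_EVENTS = [
    {"pid": 50,  "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 100, "ppid": 50,  "image": r"C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\hh.exe"},             # fax-report CHM opened
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},   # the prompt that pops up
    {"pid": 400, "ppid": 300, "image": r"C:\Users\bob\AppData\Local\Temp\natmasla2.exe"},
    {"pid": 500, "ppid": 50,  "image": r"C:\Windows\hh.exe"},             # benign: user reads docs
    {"pid": 600, "ppid": 50,  "image": r"C:\Windows\System32\cmd.exe"},   # benign: admin shell
]

if __name__ == "__main__":
    print(triage_attachment("Fax_report.chm", SAMPLE_CHM))
    print(find_help_spawn_chain(SAMPLE_EVENTS))
```

The attachment check deliberately ignores the extension when deciding what the file is: a mail gateway that only strips `.chm` misses the same bytes under another name, which is why the classification distinguishes a renamed CHM from a plainly labelled one. The process check keys on lineage rather than on the hard-coded `natmasla2.exe` name from the report, since the dropped file name is trivial for the attacker to change while hh.exe launching a command prompt is not normal help-viewer behaviour.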