CHM Files Used To Install Trojan Malware
A recent spam campaign is delivering trojans via malicious Compiled HTML (CHM) files. The phishing emails used to lure users into downloading the trojan use WhatsApp, a popular messaging service, as a cover for their malicious intent.
CHM files usually consist of HTML pages, an index and other navigation tools. Their main purpose is to provide help to a user; however, cyber-criminals are using them to execute malicious code via PowerShell commands.
When the command is run, it launches a script that downloads the malicious files onto the user's system. The files are placed in a newly created folder named Paladium under C:\ProgramData. A scheduled task is also created to launch the malicious files every one and a half hours and to download new versions of the trojan.
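A host-level check for the two artifacts the article names (the Paladium folder under C:\ProgramData and a task that re-runs every 90 minutes), written here as an added example that is not part of the original article. It assumes PowerShell 5.1 or later with the ScheduledTasks module (Windows 8 / Server 2012 and newer); the task name is not given in the article, so the script matches on the task's action and trigger instead.

```powershell
# Added example: hunt for the artifacts described above on a Windows host.
# Folder name and repetition interval come from the article; nothing else is assumed
# about the task (its name, author or binary are not given there).
$dropFolder = Join-Path $env:ProgramData 'Paladium'   # article: C:\ProgramData\Paladium
$interval   = [TimeSpan]::FromMinutes(90)             # article: every one and a half hours

function Find-PaladiumArtifacts {
    $findings = @()

    # 1. The staging folder the downloader creates.
    if (Test-Path -LiteralPath $dropFolder) {
        $files = Get-ChildItem -LiteralPath $dropFolder -File -Force -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Type   = 'Folder'
            Name   = $dropFolder
            Detail = "$(@($files).Count) file(s): " + ((@($files) | ForEach-Object Name) -join ', ')
        }
    }

    # 2. Scheduled tasks whose action references that folder, or whose trigger repeats
    #    every 90 minutes. The interval alone is a weak signal (legitimate tasks can use it),
    #    so the Detail column reports which of the two conditions matched.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $actionText = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
        $hitsFolder = $actionText -like "*$dropFolder*"
        $hitsInterval = $false
        foreach ($t in $task.Triggers) {
            $rep = $t.Repetition.Interval           # ISO 8601 duration string, e.g. PT1H30M
            if ($rep -and ([System.Xml.XmlConvert]::ToTimeSpan($rep) -eq $interval)) {
                $hitsInterval = $true
            }
        }
        if ($hitsFolder -or $hitsInterval) {
            $findings += [pscustomobject]@{
                Type   = 'ScheduledTask'
                Name   = "$($task.TaskPath)$($task.TaskName)"
                Detail = "folder match=$hitsFolder; 90-minute repetition=$hitsInterval; action=$actionText"
            }
        }
    }
    return $findings
}

$results = Find-PaladiumArtifacts
if ($results) { $results | Format-Table -AutoSize } else { Write-Output 'No Paladium artifacts found.' }
```

Run it in an elevated session so that tasks registered by other accounts are enumerated; a folder hit is the stronger indicator and should be followed by isolating the host rather than simply deleting the files.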
Affected Platforms:
Microsoft Windows – all versions
Resolution:
To prevent and detect a trojan infection, ensure that:
- A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
- All operating systems, antivirus and other security products are kept up to date.
- All day-to-day computer activities such as email and internet browsing are performed using non-administrative accounts.
- Strong password policies are in place and password reuse is discouraged.
- Network, proxy and firewall logs are monitored for suspicious activity.
- User accounts accessed from infected machines are reset from a clean computer.

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.