Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives

08:35 AM
Alexandra Gheorghe
Alexandra Gheorghe
Partner Perspectives
Connect Directly

CryptoWall Makes a Comeback via Malicious Help Files

Hackers use .chm attachments to execute malware on unsuspecting users.

A new spam wave has hit hundreds of mailboxes with malicious .chm attachments to spread the infamous CryptoWall ransomware, malware researchers from Bitdefender Labs found.

Interestingly, hackers have resorted to a less “fashionable,” yet highly effective trick to automatically execute malware on a victim’s machine and encrypt its contents – malicious .chm attachments.

.Chm is an extension of the Compiled HTML file format, a type of file used to deliver user manuals along with software applications. HTML files are compressed and delivered as a binary file with the .chm extension. This format is made of compressed HTML documents, images and JavaScript files, along with a hyperlinked table of contents, an index, and full text searching.


What Is So Dangerous About Help Files?

These .chm files are highly interactive and run a series of technologies, including JavaScript, which can redirect a user toward an external URL after simply opening a .chm file. Attackers began exploiting .chm files to automatically run malicious payloads once the file is accessed. And it makes perfect sense: The less user interaction, the greater the chances of infection.

The fake incoming fax report email claims to be from a machine in a user’s domain, which leads us to believe the email targets employees from different organizations to infiltrate company networks.

Once the content of the .chm archive is accessed, the malicious code downloads from this location http://*********/putty.exe, saves itself as %temp%\natmasla2.exe, and executes the malware. A command prompt window opens during the process.

CryptoWall is an advanced version of CryptoLocker, a file-encrypting ransomware known for disguising its viral payload as a non-threatening application or file. Its payload encrypts the files of infected computers in an effort to extract money for the decryption key.

Ransomware is one of the most challenging breeds of malware, especially for security companies, which are forced to create increasingly aggressive heuristics to make sure internal data remains private. Learn more about how companies can bolster defenses against ransomware here.

The email blast occurred on the 18th February and targeted a couple hundred users. The spam servers appear to be in Vietnam, India, Australia, the US, Romania, and Spain. After analyzing the recipient domain names, it looks like attackers are after users from around the world, including those in the US, Europe, and Australia.

Bitdefender detects the malware as Trojan.GenericKD.2170937.

How to Prevent Getting Infected with CryptoWall

Bitdefender researchers have made a list of recommendations to prevent CryptoWall infections, including keeping a copy of the data on external drives. Read more about it here. To add extra protection, Bitdefender has also developed the CryptoWall Immunizer, a tool that allows users to immunize their computers and block any file encryption attempt before it happens. Bitdefender recommends users keep their antivirus solution always on and use this tool as an additional layer of protection.

This article is based on spam samples provided courtesy of Bitdefender Spam Researcher Adrian Miron and the technical information provided by Bitdefender Virus Analysts Doina Cosovan and Octavian Minea.

Alexandra fulfills the Security Specialist role for Bitdefender, performing writing duties such as security news for Bitdefender's security blog, as well as marketing and PR materials. She started writing about online security at the dawn of the decade - after 3-years in ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
6/4/2015 | 12:57:35 PM
Re: Network Drives
I know it can traverse mapped drives, but can it hit the "favorites" from explorer as well? If not we could GPO favorites instead of mapped drives. Thoughts?
User Rank: Author
3/10/2015 | 9:18:51 AM
Re: Network Drives
Hi Ryan,

Network attached storage can also fall victim to ransomware. As long as the user has read/write access to these locations, the crypto-ransomware can iterate through the files on the mounted drives, look for relevant target files, encrypt and overwrite them. From a technical perspective, this approach is no different than writing and deleting files on or from network shares. It's worth mentioning that crypto-ransomware does not use worm-like exploit techiques to jump from one host to another, it just makes use of the functionalities and permissions that are available to the user.
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
3/9/2015 | 10:49:39 PM
Outdated and too insecure?
Like Flash, I'm beginning to wonder if it's time to put JavaScript out to pasture for being so ridiculously unsecure.
User Rank: Ninja
3/9/2015 | 3:26:56 PM
Network Drives
Backups are always smart when it comes to data safety. I normally recommend network drives and frequent backups, however the frequent backups may increase in difficulty the larger the data store is.

My question towards cryptowall and other ransomware is can it encrypt network drives? IE can it traverse the connection from the client to the hardware behind the network drive and encrypt those files? If so, how is this accomplished?
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel function where a lack of checks allows the exploitation of an integer overflow on the size parameter of the tz_map_shared_mem function.
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel�s tz_handle_trusted_app_smc function where a lack of integer overflow checks on the req_off and param_ofs variables leads to memory corruption of critical kernel structures.
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel where an integer overflow in the tz_map_shared_mem function can bypass boundary checks, which might lead to denial of service.
PUBLISHED: 2021-06-22
Trusty contains a vulnerability in TSEC TA which deserializes the incoming messages even though the TSEC TA does not expose any command. This vulnerability might allow an attacker to exploit the deserializer to impact code execution, causing information disclosure.
PUBLISHED: 2021-06-22
Trusty contains a vulnerability in all TAs whose deserializer does not reject messages with multiple occurrences of the same parameter. The deserialization of untrusted data might allow an attacker to exploit the deserializer to impact code execution.