Microsoft Help Files: Truly Helpful?
March 28, 2022
We are approaching April Fools’ Day. One company reliably provides a clever way to make me laugh. CHM? Do you know what the acronym means? No. It is a short hand way to say Compiled HTML Help file. CHH becomes CHM. Makes perfect sense to a Softie.
The tickled ribs result from bad actors using the CHM files to deliver malware. You can read the explanation and inspiration for bad actors in “Microsoft Help Files Disguise Vidar Malware.”
The write up states:
… the .ISO file contains a .CHM file named “pss10r.chm.” Towards the end of the file’s code is a snippet of HTML application (HTA) code containing JavaScript that covertly triggers a second file, “app.exe.” This is, in fact, Vidar malware. “One of the objects unpacked from the .CHM is the HTML file ‘PSSXMicrosoftSupportServices_HP05221271.htm’ — the primary object that gets loaded once the CHM pss10r.chm is opened,” according to the Trustwave writeup. “This HTML has a button object which automatically triggers the silent re-execution of the .CHM “pss10r.chm” with mshta.” Mshta is a Windows binary used for executing HTA files.
With the preliminaries out of the way the malware payload downloads, does some house cleaning, and phones home.
Microsoft, the go to solution for compromising security? Maybe. And what about Defender? What about the super smart cyber security systems from big name vendors. Yeah, how about those defenses?
Now we know there is one thing worse than the informational content of Microsoft help files.
Want to guess?
The Register reports that “Microsoft Azure developers targeted by 200 data stealing npm packages.” Not familiar with npm? NPM is a software registry and contains more than 750,000 code packages. Some open source developers use npm to share software. What if an npm code package has been modified so that malicious actions are included?
Yeah.
Stephen E Arnold, March 28, 2022