CryptoWall Is Back – Beware Infected “Help” Files

A new wave of ransomware attacks is using .chm attachments to execute malware that encrypts files on infected machines. The files remain locked until a ransom is paid in bitcoin. And all it takes is one careless employee’s click to infect a network.

.chm is the file extension used by the Compiled HTML file format, once widely utilized to deliver user manuals in digital format. These help files contain compressed HTML documents, images and JavaScript files, along with a hyperlinked table of contents and an index, and they are fully searchable. Due to their interactive nature, and the fact that CHM files can carry malicious payloads without being detected by antivirus software, .chm files were once among the favored tools of malicious hackers.

The legitimate .chm help manual delivery method has largely been replaced by PDF files, and many users have never seen a .chm file. But they’re back now.

CryptoWall, and its buddy CryptoLocker, have themselves been in circulation for a while. The most recent infected email blast occurred on the 18th of February and targeted several hundred users.

The new exploit method works like this: users get an email claiming to be an “Incoming Fax Report”. Attached to the email is a .chm file. When the file opens, a help window is displayed. But meanwhile, in the background, a bit of malicious code is downloading the CryptoWall ransomware from a remote server and executing it.

Currently the exploit is being delivered via a fake incoming fax report email which claims to be from a machine in a user’s domain. Those who open the attachment almost certainly aren’t thinking that the .chm is a help file; they just want to view the purported fax.

Given that the email and attached fax are set up so that they appear to originate from within the user’s own company network, it seems highly likely that the infected email is deliberately targeting employees in order to infiltrate company networks.

IT for retailers, financial institutions, and other high security risk profile organizations should alert their users ASAP. Obviously, IT should also remind users that attack tactics change: an attachment is not safe to open just because the email doesn’t claim to contain a fax.

If you struggle to engage users in understanding security best practices, look to BAI’s Security Awareness Training. We utilize a unique approach to adult learning, setting a new standard in efficacy and knowledge retention.

Along with training, ensure that your backup processes are robust enough to withstand an attack that results in unsanctioned encryption of critical data. Review your disaster recovery plan. Implement anti-spam filters.
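One way a mail filter could catch the attachment type described above, shown as an added example that is not part of the original post: it flags CHM attachments by extension or by the `ITSF` signature that begins every CHM file, so a renamed or zipped help file is still caught. The function names are hypothetical, the filter is assumed to receive the raw message bytes, and the sample messages are constructed with inert placeholder bytes.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

CHM_MAGIC = b"ITSF"  # first four bytes of every Compiled HTML Help file


def is_chm(name, data):
    """True if the attachment is CHM by extension or by file signature."""
    return (name or "").lower().endswith(".chm") or data[:4] == CHM_MAGIC


def find_chm_attachments(raw_message):
    """Return names of CHM attachments, including ones inside ZIP archives."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if is_chm(name, data):
            hits.append(name)
        elif data[:2] == b"PK":  # look one level inside ZIP archives
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        with zf.open(info) as member:
                            if is_chm(info.filename, member.read(4)):
                                hits.append(f"{name}!{info.filename}")
            except (zipfile.BadZipFile, RuntimeError):
                # Corrupt or password-protected archive: flag it for review.
                hits.append(f"{name} (unreadable archive)")
    return hits


def build_sample(filename, payload):
    """Constructed test message; the payload is a placeholder, not a real CHM."""
    msg = EmailMessage()
    msg["From"] = "fax@example.com"
    msg["Subject"] = "Incoming Fax Report"
    msg.set_content("Please see the attached fax.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, body in [("fax.chm", b"ITSF\0\0"), ("fax.pdf", b"ITSF\0\0"),
                        ("fax.txt", b"plain text")]:  # fax.pdf is a renamed CHM
        print(fname, "->", find_chm_attachments(build_sample(fname, body)))
```

Messages for which the function returns a non-empty list can be quarantined before they reach a user's inbox.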

BitDefender offers some additional excellent CryptoLocker/Wall tips here. Their suggestions include:

  • Use an antivirus solution that’s constantly updated and able to perform active scanning
  • Schedule file backups – either locally or in the cloud – so data can be recovered in case of corruption
  • Follow safe internet practices by not visiting questionable websites, not clicking links or opening attachments in emails from uncertain sources, and not providing personally identifiable information on public chat rooms or forums
  • Implement / enable ad-blocking capacities and anti-spam filters
  • Virtualize or completely disable Flash, as it has been repeatedly used as an infection vector

Of course, the best defense against any security threat is always a proactive one. BAI Security’s Risk Assessments evaluate an organization’s existing policies and procedures against applicable security best practices. The audit identifies reasonably foreseeable risks that could lead to service interruption or unauthorized disclosure, misuse, alteration, or destruction of confidential information.

Posted in BAI Security Blog.
