Sneaky new spyware is hiding in Microsoft help files – What to watch for

March 26, 2022

By Kim Komando

Phishing scams are some of the most prevalent schemes cybercriminals have up their sleeves these days. These attacks can come in many forms including phone calls, text messages and emails.

A current trend is spoofing high-profile companies to trick you into thinking you’re dealing with someone that you do business with. A recent example is when criminals sent emails pretending to be invites to Zoom meetings. Tap or click here for details on this sneaky trick.

Now, cybercriminals are using spoofed Microsoft emails to try and infect your device with spyware. Keep reading to find out how they’re doing it and ways to stay protected.

Here’s the backstory

Microsoft’s Windows comes with a variety of helpful hints and suggestions. But when things get more complex than usual, you can open help files for guidance. The most common is a Microsoft Compiled HTML Help (CHM) file. It can include images, text, tables and links.

When used for its intended purpose, it looks similar to an outdated web page. But security researchers at Trustwave discovered that cybercriminals exploit the CHM capabilities to launch spyware attacks.

Criminals embed the Vidar spyware into a CHM file to bypass antivirus software and email scanners. When the file is opened on a Windows computer, the operating system treats it as a legitimate help file and, in doing so, triggers the spyware.

Vidar is used for a variety of nefarious activities but is most notable for stealing your data, app and service login details and cryptocurrency accounts. It also gathers information about your computer and operating system.

What you can do about it

In a blog post, Trustwave explains that the infected help files are being spread through email phishing campaigns. The email’s subject line and body text are relatively benign and typically try to draw your attention to an attached file so that you download it.

The file name is the same in most cases (request.doc), but the attachment is actually executable, not a document. If you open it, your device will be infected with malware.
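As an added example (not from the article or from Trustwave’s report), a small Python check that flags an attachment whose contents do not match its document extension, which is exactly the trick behind a “request.doc” that is really a CHM or executable. The sample attachment bytes are constructed, not real samples.

```python
import os

# File signatures (magic bytes). CHM files start with "ITSF" and Windows
# executables with "MZ"; the two document signatures identify what a
# .doc/.docx attachment is actually expected to contain.
MAGIC = {
    b"ITSF": "chm",                               # Microsoft Compiled HTML Help
    b"MZ": "pe",                                  # Windows executable / DLL
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy .doc / .xls
    b"PK\x03\x04": "zip",                         # .docx / .xlsx are ZIP containers
}

# What each document extension should contain.
EXPECTED = {
    ".doc": {"ole2"},
    ".docx": {"zip"},
    ".xls": {"ole2"},
    ".xlsx": {"zip"},
}

# Content types that should never hide behind a document-looking name.
EXECUTABLE_TYPES = {"chm", "pe"}


def sniff(data: bytes) -> str:
    """Identify the real content type from the leading bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def check_attachment(filename: str, data: bytes) -> tuple:
    """Return (suspicious, reason) for one e-mail attachment."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff(data)
    if kind in EXECUTABLE_TYPES:
        return True, f"{filename}: {kind} content behind a '{ext}' extension"
    expected = EXPECTED.get(ext)
    if expected and kind not in expected:
        return True, f"{filename}: content is {kind}, expected {'/'.join(sorted(expected))}"
    return False, f"{filename}: content ({kind}) matches extension"


# Constructed samples: a CHM header under the name used in the campaign
# above, and a genuine legacy .doc header for comparison.
SAMPLES = {
    "request.doc": b"ITSF\x03\x00\x00\x00" + b"\x00" * 24,
    "invoice.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(check_attachment(name, blob))
```

A mail gateway or endpoint rule that applies the same magic-byte check will catch the renamed CHM regardless of what the email claims the attachment is.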

Here are some tips on how to stay safe from phishing emails:


https://www.komando.com/tips/cybersecurity/microsoft-help-files-spyware/