Malicious Help File Disguised as COVID-19 Infectee Notice Being Distributed in Korea

The ASEC analysis team introduced readers to malware that takes the form of a Windows help file (*.chm) about two weeks ago. The malicious CHM file that was recently discovered is disguised as a notice for people infected with COVID-19 and is being distributed to Korean users. The attacker is probably distributing the file in such a form because Korea has recently seen a surge in COVID-19 case numbers.

The name of the file that is being distributed is shown below. When a user runs the malicious CHM file, an additional file is executed. In this instance, a COVID-19 Infectee notice is created, making it difficult for the user to realize that a malicious file has just been run.

  • Distributed Filename
    Notice for Infectee and Cohabitants (50).chm
Fake COVID-19 infectee notice

Furthermore, as the simplified URL included in the notice redirects the user to a normal website, it becomes harder for the user to be aware of the malicious activities that take place.

Redirected normal website

Examining the code of the HTML file that exists within the malicious CHM file reveals the existence of the script shown below. The script inserts a script inside the section of a specific id attribute and runs the malicious command via the Click() function. When the malicious command is run, it decompiles the CHM file through the hh.exe process and creates files in the “c:\\programdata\\chmtemp” folder. The hh.exe process is an HTML help executable that runs the compiled help (*.chm) file or provides various functions such as exploring the help file. Afterward, the decompiled chmext.exe file is executed.

Malicious script

The chmext.exe file is the same type as the data injected into the Word process introduced in the blog post below. Seeing how the chmext.exe file drops IntelRST.exe into the “%ProgramData%\Intel” folder when it is executed, the attacker of this case appears to be the same person that distributed the file in the previous post.

The IntelRST.exe file that is dropped and executed is also of the same type:  the features of process scan, RUN key registration, UAC Bypass, and Windows Defender exclusion settings are all the same. Afterward, it tries to access hxxps://dl.dropboxusercontent[.]com/s/k288s9tu2o53v41/zs_url.txt?dl=0, but as of right now, access to this URL is blocked. It appears that the attacker receives an additional URL from this URL to perform malicious activities.

As malicious Windows help files (*.chm) targeting Korean users are recently being discovered in large numbers, users must take extreme caution. Furthermore, we recommend that users refrain from running files with unknown sources.

AhnLab’s anti-malware product, V3, detects the malware using the alias below.

[File Detection]
Dropper/CHM.Akdoor (2022.03.31.02)
Trojan/Win.Generic.C5025270 (2022.03.23.02)
Dropper/Win.Agent.C5028107 (2022.03.25.03)

[IOC]
210db61d1b11c1d233fd8a0645946074
619649ce3fc1682c702d9159e778f8fd
bb71af5c5a113a050ff5928535d3465e
hxxps://dl.dropboxusercontent[.]com/s/k288s9tu2o53v41/zs_url.txt?dl=0

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:,

0 0 votes
Article Rating
guest
2 Comments
Inline Feedbacks
View all comments
trackback

[…] Malicious Help File Disguised as COVID-19 Infectee Notice Being Distributed in Korea […]