About two weeks ago, the ASEC analysis team introduced malware distributed as a Windows help file (*.chm). The malicious CHM file discovered recently is disguised as a notice for people infected with COVID-19 and is being distributed to Korean users. The attacker is probably using this lure because Korea has recently seen a surge in COVID-19 case numbers.
The name of the distributed file is shown below. When a user opens the malicious CHM file, an additional file is executed while a COVID-19 infectee notice is displayed, so the user has little reason to suspect that a malicious file has just been run.
- Distributed Filename
Notice for Infectee and Cohabitants (50).chm
Furthermore, the shortened URL included in the notice redirects the user to a legitimate website, which makes the malicious activity taking place in the background even harder to notice.
Examining the HTML file stored inside the malicious CHM file reveals the script shown below. The script inserts a script into the element with a specific id attribute and runs the malicious command through that element's Click() function. The command decompiles the CHM file with the hh.exe process (hh.exe supports a -decompile switch that extracts a CHM's contents into a folder) and writes the extracted files to the “c:\programdata\chmtemp” folder. hh.exe is the HTML Help executable: it opens compiled help (*.chm) files and provides functions such as browsing the help contents. Afterward, the extracted chmext.exe file is executed.
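A static triage check for pages extracted from a CHM, written as an added example (not ASEC's code), is shown below. It looks for the traits described above: a script that writes into an element selected by id, a Click() call, an hh.exe -decompile command, and the c:\programdata\chmtemp path. The "ShortCut" command value and the HHCtrl CLSID it also matches are the documented HTML Help shortcut mechanism; they are assumptions relative to this article, as are the two sample pages, which are constructed (the decompile target in the suspicious one is left as a placeholder).

```python
r"""Static triage of HTML pages extracted from a CHM file.

Added example, not ASEC's code.  Indicators follow the behaviour described
above (a script that writes into an element selected by id, a Click() call,
hh.exe -decompile, the c:\programdata\chmtemp folder).  The "ShortCut" command
and the HHCtrl CLSID are the documented HTML Help shortcut mechanism and are
assumptions relative to this article, not quoted from it.
"""
import os
import re

INDICATORS = {
    "dynamic_insert": re.compile(r"getElementById\([^)]*\)\s*\.innerHTML\s*=", re.I),
    "hh_shortcut_object": re.compile(r'<PARAM\s+name="Command"\s+value="ShortCut"', re.I),
    "hhctrl_clsid": re.compile(r"52a2aaae-085d-4187-97ea-8c30db990436", re.I),
    "click_invocation": re.compile(r"\.Click\s*\(\s*\)", re.I),
    "hh_decompile": re.compile(r"hh(?:\.exe)?[\s,]+-decompile", re.I),
    "chmtemp_path": re.compile(r"programdata\\+chmtemp", re.I),
}

EXECUTION = {"hh_shortcut_object", "hhctrl_clsid", "click_invocation"}
STAGING = {"hh_decompile", "chmtemp_path"}


def scan_chm_html(html):
    """Return {indicator: [matched snippets]} for every indicator found in html."""
    hits = {}
    for name, pattern in INDICATORS.items():
        found = sorted({m.group(0) for m in pattern.finditer(html)})
        if found:
            hits[name] = found
    return hits


def classify(hits):
    """Shortcut execution plus decompile/staging is the chain described in the article."""
    names = set(hits)
    if names & EXECUTION and names & STAGING:
        return "malicious-chm-chain"
    if names & EXECUTION:
        return "suspicious-shortcut"
    return "clean"


def scan_directory(root):
    """Scan every .htm/.html/.js file under root (e.g. a folder written by hh.exe -decompile)."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith((".htm", ".html", ".js")):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_chm_html(fh.read())
                results[path] = (classify(hits), hits)
    return results


# Constructed samples for an offline run: an ordinary help topic, and a page built
# the way the article describes.  The decompile target is left as a placeholder.
BENIGN_SAMPLE = '<html><body><h1>Help topic</h1><a href="page2.htm">Next</a></body></html>'

SUSPICIOUS_SAMPLE = r'''<html><body>
<div id="target"></div>
<script>
document.getElementById("target").innerHTML =
  '<OBJECT id="x" classid="clsid:52a2aaae-085d-4187-97ea-8c30db990436">' +
  '<PARAM name="Command" value="ShortCut">' +
  '<PARAM name="Item1" value=",hh.exe,-decompile c:\programdata\chmtemp <chm-path>">' +
  '</OBJECT>';
x.Click();
</script>
</body></html>'''

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        hits = scan_chm_html(sample)
        print(label, classify(hits), sorted(hits))
```

In practice, extract the CHM on an isolated analysis VM with `hh.exe -decompile <folder> <file.chm>` and point `scan_directory()` at the folder; a page that combines the shortcut object or a Click() call with a decompile command or the chmtemp path is the pattern this campaign uses, while a shortcut object alone still deserves a manual look.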
The chmext.exe file is the same type of payload as the data injected into the Word process in the blog post below. Since chmext.exe drops IntelRST.exe into the “%ProgramData%\Intel” folder when executed, the attacker in this case appears to be the same actor that distributed the file described in the previous post.
The dropped and executed IntelRST.exe file is also of the same type: its process scan, RUN key registration, UAC bypass, and Windows Defender exclusion features are all identical. It then attempts to access hxxps://dl.dropboxusercontent[.]com/s/k288s9tu2o53v41/zs_url.txt?dl=0, but at the time of writing access to this URL is blocked. The attacker presumably retrieves an additional URL from it to carry out further malicious activity.
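The behaviour chain in the two paragraphs above (hh.exe decompiling its own CHM into chmtemp, chmext.exe launched from there, IntelRST.exe dropped into %ProgramData%\Intel, a Run key, a Defender exclusion and the Dropbox lookup) can be picked up from endpoint telemetry without any file signature. The correlation below is an added example, not ASEC's code: the event records are constructed to mirror the reported behaviour, the field names follow Sysmon's Image / ParentImage / CommandLine / TargetFilename / TargetObject / QueryName conventions, and the file paths and SID are assumed.

```python
r"""Correlate Sysmon-style events into the hh.exe -> chmext.exe -> IntelRST.exe chain.

Added example, not ASEC's code.  The event records below are constructed to
mirror the behaviour reported above (self-decompile into c:\programdata\chmtemp,
chmext.exe dropping IntelRST.exe into %ProgramData%\Intel, Run-key registration,
a Defender exclusion, and the Dropbox lookup); field names follow Sysmon's
Image / ParentImage / CommandLine / TargetFilename / TargetObject / QueryName.
"""

RUN_KEY = "\\currentversion\\run\\"
DEFENDER_EXCLUSIONS = "\\windows defender\\exclusions\\"
SECOND_STAGE_HOST = "dl.dropboxusercontent.com"


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _in_programdata(path):
    return "\\programdata\\" in path.lower()


def correlate(events):
    """Walk the events in order and return (rule, detail) alerts.

    Binaries that hh.exe launches from ProgramData, and their descendants, are
    tracked in `untrusted` so that registry, file and DNS events are only
    flagged when this chain produced them.
    """
    alerts = []
    untrusted = set()
    for ev in events:
        eid, image = ev["EventID"], ev["Image"]
        if eid == 1:  # process creation
            parent, cmd = ev["ParentImage"], ev.get("CommandLine", "")
            if _base(parent) == "hh.exe" and "-decompile" in cmd.lower():
                alerts.append(("chm_self_decompile", cmd))
            elif _base(parent) == "hh.exe" and _in_programdata(image):
                alerts.append(("hh_spawned_programdata_binary", image))
                untrusted.add(image.lower())
            elif parent.lower() in untrusted:
                alerts.append(("untrusted_child", image))
                untrusted.add(image.lower())
        elif eid == 11:  # file creation
            target = ev["TargetFilename"]
            if _base(image) == "hh.exe" and "\\programdata\\chmtemp\\" in target.lower():
                alerts.append(("chm_extracted_file", target))
            elif image.lower() in untrusted and _in_programdata(target):
                alerts.append(("payload_dropped", target))
        elif eid == 13 and image.lower() in untrusted:  # registry value set
            key = ev["TargetObject"]
            if RUN_KEY in key.lower():
                alerts.append(("run_key_persistence", key))
            elif DEFENDER_EXCLUSIONS in key.lower():
                alerts.append(("defender_exclusion", key))
        elif eid == 22 and image.lower() in untrusted:  # DNS query
            if ev["QueryName"].lower() == SECOND_STAGE_HOST:
                alerts.append(("second_stage_lookup", ev["QueryName"]))
    return alerts


def full_chain(alerts):
    """True when self-decompile, a ProgramData payload and persistence were all seen."""
    rules = {rule for rule, _ in alerts}
    return {"chm_self_decompile", "hh_spawned_programdata_binary", "run_key_persistence"} <= rules


# Assumed paths for the constructed telemetry below.
CHM = r"C:\Users\victim\Downloads\Notice for Infectee and Cohabitants (50).chm"
HH = r"C:\Windows\hh.exe"
CHMEXT = r"C:\ProgramData\chmtemp\chmext.exe"
INTELRST = r"C:\ProgramData\Intel\IntelRST.exe"

# Constructed event stream (not real telemetry), in the order the chain would produce it.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": HH, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{HH}" "{CHM}"'},
    {"EventID": 1, "Image": HH, "ParentImage": HH,
     "CommandLine": f'hh.exe -decompile c:\\programdata\\chmtemp "{CHM}"'},
    {"EventID": 11, "Image": HH, "TargetFilename": CHMEXT},
    {"EventID": 1, "Image": CHMEXT, "ParentImage": HH, "CommandLine": CHMEXT},
    {"EventID": 11, "Image": CHMEXT, "TargetFilename": INTELRST},
    {"EventID": 1, "Image": INTELRST, "ParentImage": CHMEXT, "CommandLine": INTELRST},
    {"EventID": 13, "Image": INTELRST,
     "TargetObject": r"HKU\S-1-5-21-1000-1000-1000-1001\Software\Microsoft\Windows\CurrentVersion\Run\IntelRST"},
    {"EventID": 13, "Image": INTELRST,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Intel"},
    {"EventID": 22, "Image": INTELRST, "QueryName": "dl.dropboxusercontent.com"},
]

if __name__ == "__main__":
    for rule, detail in correlate(SAMPLE_EVENTS):
        print(f"{rule:32} {detail}")
    print("full chain:", full_chain(correlate(SAMPLE_EVENTS)))
```

A user simply opening a legitimate help file only produces the first event and raises nothing; hh.exe launching a second hh.exe with -decompile, or anything at all from ProgramData, is the signal worth alerting on even before the Run key and Defender exclusion confirm the rest of the chain.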
As malicious Windows help files (*.chm) targeting Korean users are currently being discovered in large numbers, users should be especially cautious. We also recommend that users refrain from running files from unknown sources.
AhnLab’s anti-malware product, V3, detects the malware using the alias below.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.