The ASEC analysis team confirmed that a backdoor malware disguised as document editing software and messenger application used by many Korean users is being distributed in Korea through malicious CHM files. The team recently introduced malicious CHM files distributed in various forms twice in the ASEC blog in March. The malicious files discussed in this post execute additional malicious files via a process that is different from the previous cases.
The names of some CHM files that are currently distributed are shown below. It appears they are distributed to managers of national institutions and university professors.
- Filenames Used in Distribution
National Convergence Network spare server maintenance.chm
***** Electronic Attendance-Webpage Professor-Manual Ver1.0.chm
Attachment 1. Instruction on program for checking required time for full-time professors Ver 1.0(Korean).chm
Figures 1 to 3 show the HTML file code included in the malicious CHM file. The script includes a malicious command in a certain id property range, executing malicious commands through the Click() function. It then creates a normal image to make it difficult for users to notice its malicious activities. The method is similar to that of the CHM file introduced in the earlier blog post, but the file that is ultimately run is different.
When the malicious command is executed through the Click() function, it decompiles the CHM file and runs the ImagingDevices.exe file. ImagingDevices.exe is a normal file, but it loads the malicious DLL that was also decompiled using the DLL hijacking method. Looking at the malicious CHM files of the same type that were distributed last year shows that they first loaded quartz.dll from Vias.exe (later changed to load LBTServ.dll from LBTWiz32.exe). The loaded malicious DLL creates a malicious VBE file in the %TEMP% folder and runs it. Figures 4 to 6 show a part of the decoded VBE code. The decoded VBE is ReVBShell. It can access C2 to perform various malicious behaviors depending on the command. It also obtains information about the anti-malware installed on the PC through the WMI query. If the “ESET Security” string exists, it will not perform malicious behaviors.
AhnLab’s ASD infrastructure discovered a log that creates and runs additional malicious files by the attacker after ReVBShell is run and a certain time has passed. The names of the additional malicious files discovered are shown below. You can see that they are disguised as document editing and messenger programs used by many Korean users.
HimTraylcon.exe: Disguised as Hancom Office process (using lowercase L)
HNetComAgent.exe: Disguised as Hancom Office process
KaKaoTalk.exe: Disguised as KakaoTalk process
The 3 files all go through the same process of running the internal data after decoding it. The decoded data fulfill different purposes for each file. It appears HimTraylcon.exe is downloaded in the following URL through ReVBShell.
The decoded HimTraylcon.exe file is a backdoor that can access C2 to receive commands from the attacker, performing additional malicious behaviors such as creating, downloading, and running files. C2 exists in an encoded form. The decoded C2 is as follows:
The decoded KaKaoTalk.exe file was found to be BrowserPasswordDump, a password dump tool. HNetComAgent.exe is a keylogger that creates encoded keylog files in the “C:\Windows\Tasks\”current date.tmp” path. As shown above, the additionally created malicious files may steal user information and cause further damage by using the stolen information.
Besides the files mentioned above, other malicious files that perform various features by commands from the attacker can be created. Users should therefore refrain from opening files with unknown sources. Also, as attackers are distributing files with names targeting certain users, people should be more cautious.
AhnLab’s anti-malware product, V3, detects and blocks the malware using the alias below.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.