AgentTesla Being Distributed Through Windows Help File (*.chm)

The ASEC analysis team recently discovered AgentTesla being distributed with a new method. Previously, AgentTesla discussed in multiple ASEC blog posts was distributed by the malicious VBA macro inside PowerPoint files (*.ppt). However, the new method uses Windows Help files (*.chm) to run powershell commands.

The malicious CHM files are distributed as compressed files attached to phishing emails imitating emails sent from DHL, a transport company. As phishing emails disguised as other topics are also being distributed, users need to take caution.

Figure 1. DHL phishing email

Decompressing the attachment shows a malicious CHM file. When the file is run, it creates a normal Help window to make it difficult for users to realize malicious behaviors.

Figure 2. Normal Help window

However, the malicious script included in the internal HTML will perform malicious behaviors. Figures 3 and 4 show the obfuscated HTML including a malicious script, while Figures 5 and 6 show the unobfuscated code. You can see that the unobfuscated code uses a method that is similar to the one applied by malicious CHM files that have been introduced in the blog since March. The code includes a malicious command in a certain id property range and uses the Click() function to automatically run the command.

Figure 3. Obfuscated HTML type 1

Figure 4. Obfuscated HTML type 2

Figure 5. Unobfuscated HTML Type 1

Figure 6. Unobfuscated HTML Type 2

The command run from the script is a powershell type, which accesses certain URLs to download and run additional malicious data. Below is the list of malicious URLs discovered so far. Note that they all use the JPG extension.

  • Download URLs

The data downloaded from the URLs are additional powershell commands. The distribution method discussed previously downloads and runs malicious data through the mshta process when the malicious VBA macro inside the PowerPoint file is run. The data downloaded from the previous method was also powershell commands. The malware type and the execution method were similar as well. Yet the process of downloading data was changed from using the malicious VBA macro inside the PowerPoint file to using the malicious powershell command within the Windows help file.

The downloaded data performs a feature that is identical to the previous method: loading a malicious .NET executable. There are two binaries in total. The first one is AgentTesla which performs malicious behaviors, and the second is Loader which injects the malware into a normal process. They are run after being decompressed by gzip. The Loader decoded in the script runs the Black method of the toooyou class and includes the name of the normal process that will be targeted for injection and compressed AgentTesla binary as execution arguments.

Figure 7. Downloaded malicious powershell command

The following image shows the Black method that is executed. It decompresses AgentTesla and injects it into the RegAsm.exe process. The process allows the info-leaking malware AgentTesla to operate in a fileless form.

Figure 8. Code inside Loader

AgentTesla is a malware type that is ranked top 3 in AhnLab’s weekly malware statistics. It continues to show intricate changes among the malware types using PowerPoint for distribution. As malware types exploiting Windows Help files (*.chm) are on the rise recently, users need to take caution. They should refrain from running files with unknown sources.

AhnLab’s anti-malware product, V3, detects and blocks the malware using the alias below.

[File Detection]
Trojan/CHM.Agent (2022.05.16.01)
Trojan/CHM.Agent (2022.05.24.00)
Infostealer/Win.AgentTesla.R420346 (2021.05.12.04)


Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:,,

5 1 vote
Article Rating
Notify of

Inline Feedbacks
View all comments

[…] AgentTesla Being Distributed Through Windows Help File (*.chm) […]