CHM Malware Types with Anti-Sandbox Technique and Targeting Companies

Among CHM strains that are recently being distributed in Korea, the ASEC analysis team has discovered those applied with the anti-sandbox technique and targeting companies. Both types were introduced in the ASEC blog in March and May.

The type with the anti-sandbox technique checks the user PC environment before dropping malicious VBE file. The HTML code included in the CHM file is shown below. The code creates and runs normal program (EXE) and malicious DLL file. The malicious DLL created through the DLL hijacking method is loaded and performs actual malicious behaviors. The blog posts mentioned above discuss detailed features of the HTML script.

HTML included in CHM

The loaded malicious DLL checks the user PC environment before performing malicious behaviors. It first checks the number of files within the TEMP folder. If there are less than 18 files, the process is terminated. As a PC that is normally used would have many files in the TEMP folder, the attacker likely added this feature to check whether the PC is a virtual environment.

Checking files within the TEMP folder

It then checks the name of the processes that are currently run. The DLL checks if there is a process named “ImagingDevices.exe”. This is a program that is normally run and used for DLL hijacking. The process seems to check if the malicious DLL was run just as the attacker had intended.

Checking processes

The malware performs malicious behaviors after going through all the processes mentioned above. It combines the path of the obfuscated registry to register the program that is currently run on the following RUN key:

  • SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
Registering RUN key

It then creates and runs a malicious VBE file (ReVBShell) in the %TEMP% folder. The detailed features and the processes that happen after are discussed in the posts mentioned above.

The CHM type targeting companies check if AhnLab’s process is being run by the EXE file that is ultimately run. The HTML existing within the CHM file is shown below. It creates and runs a malicious EXE file (chmext.exe) in the “c:\\programdata\\chmtemp” folder.

HTML included in CHM (2)

When the chmext.exe file is run, the malware checks the processes that are currently being run for the existence of v3l4sp.exe. If the process v3l43p (V3 Lite) exists, the process is terminated without performing malicious behaviors. As the malware does not operate for individual users using V3 Lite products, it appears that the attacker is targeting users in the company.

Checking for AhnLab’s process

The malware performs actual malicious behaviors after checking for AhnLab’s process. As for its malicious behaviors, they are discussed in the blog posts mentioned above. The recently distributed malware strains use various methods including the ones explained in this post to check the virtual environment and company users, meaning they will only operate on actual PCs or their targets.

AhnLab’s anti-malware product, V3, detects and blocks the malware using the alias below.

[File Detection]
Dropper/Win.Akdoor.R490564
Dropper/CHM.Akdoor
Trojan/Win.Generic.C5025270
Dropper/Win.Agent.C5028107

[IOC]
e33114a7894a1a284084861eee5f9975
95d914d34e9cb5bd2e5db411ed5345b9
210db61d1b11c1d233fd8a0645946074
619649ce3fc1682c702d9159e778f8fd
bb71af5c5a113a050ff5928535d3465e

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:,

0 0 votes
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments