Among the CHM malware strains recently being distributed in Korea, the ASEC analysis team has discovered samples that apply an anti-sandbox technique and samples that target companies. Both types were introduced on the ASEC blog in March and May.
The type with the anti-sandbox technique checks the user's PC environment before dropping the malicious VBE file. The HTML code included in the CHM file is shown below. The code creates and runs a normal program (EXE) and a malicious DLL file. The malicious DLL, loaded through DLL hijacking, performs the actual malicious behaviors. The blog posts mentioned above discuss the HTML script in detail.
The loaded malicious DLL checks the user's PC environment before performing malicious behaviors. It first counts the files in the TEMP folder; if there are fewer than 18, the process terminates. Since a PC in normal use would have many files in its TEMP folder, the attacker likely added this check to determine whether the PC is a virtual environment.
It then checks the names of the currently running processes for one named "ImagingDevices.exe". This is a normal program that is abused for DLL hijacking. The check appears to confirm that the malicious DLL was loaded just as the attacker intended.
The malware performs its malicious behaviors only after passing all the checks above. It assembles the obfuscated registry path and registers the currently running program under the following RUN key:
It then creates and runs a malicious VBE file (ReVBShell) in the %TEMP% folder. The detailed features and the subsequent processes are discussed in the posts mentioned above.
The CHM type targeting companies checks whether AhnLab's process is running, via the EXE file that is ultimately executed. The HTML inside the CHM file is shown below. It creates and runs a malicious EXE file (chmext.exe) in the "c:\programdata\chmtemp" folder.
When chmext.exe runs, the malware checks the currently running processes for v3l4sp.exe. If the v3l4sp.exe (V3 Lite) process exists, the malware terminates without performing malicious behaviors. As the malware does not operate for individual users of the V3 Lite product, the attacker appears to be targeting corporate users.
The malware performs its actual malicious behaviors after checking for AhnLab's process; those behaviors are discussed in the blog posts mentioned above. Recently distributed malware strains use various methods, including the ones explained in this post, to check for virtual environments and company users, so that they only operate on real PCs belonging to their intended targets.
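The behaviors described above leave a small, consistent set of host artifacts: an EXE started from c:\programdata\chmtemp, ImagingDevices.exe loading a DLL from a user-writable directory, and a .vbe file written to a TEMP folder. The following is an added detection example, not ASEC's code or part of the original post; the event schema (simple dicts for process-create, image-load and file-create telemetry), the list of user-writable directories, and the sample events are all assumptions constructed for illustration.

```python
import ntpath  # Windows path handling regardless of the host OS

# Directories an unprivileged CHM dropper can write to (assumption, not from the post).
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

def _norm(path):
    return path.replace("/", "\\").lower()

def _writable(path):
    return _norm(path).startswith(USER_WRITABLE)

# Each rule: (name, predicate over one event dict) derived from the post's indicators.
RULES = [
    ("chm_dropper_exe", lambda e: e["type"] == "process_create"
        and _norm(e["image"]).startswith("c:\\programdata\\chmtemp\\")),
    ("imagingdevices_dll_hijack", lambda e: e["type"] == "image_load"
        and ntpath.basename(_norm(e["image"])) == "imagingdevices.exe"
        and _norm(e["target"]).endswith(".dll") and _writable(e["target"])),
    ("vbe_drop_in_temp", lambda e: e["type"] == "file_create"
        and _norm(e["target"]).endswith(".vbe") and "\\temp\\" in _norm(e["target"])),
]

def matches(event):
    """Return the names of all rules that fire on a single event."""
    return [name for name, pred in RULES if pred(event)]

def scan(events):
    """Map each rule name to the indices of events that triggered it."""
    hits = {}
    for i, e in enumerate(events):
        for name in matches(e):
            hits.setdefault(name, []).append(i)
    return hits

# Constructed telemetry for demonstration; these paths are not from the post.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\ProgramData\chmtemp\chmext.exe"},
    {"type": "image_load", "image": r"C:\Users\bob\AppData\Local\Temp\ImagingDevices.exe",
     "target": r"C:\Users\bob\AppData\Local\Temp\hijack.dll"},
    {"type": "file_create", "image": r"C:\Users\bob\AppData\Local\Temp\ImagingDevices.exe",
     "target": r"C:\Users\bob\AppData\Local\Temp\update.vbe"},
    # Benign control: the real binary loading a DLL from System32 must not fire.
    {"type": "image_load", "image": r"C:\Program Files\Windows Photo Viewer\ImagingDevices.exe",
     "target": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

The process-count threshold and the v3l4sp.exe check are evasion logic, so a sandbox used to detonate these samples should have a populated TEMP folder and should not rely on the malware misbehaving when an AhnLab process is present.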
AhnLab’s anti-malware product, V3, detects and blocks the malware using the alias below.
Subscribe to AhnLab's next-generation threat intelligence platform 'AhnLab TIP' to check the related IOCs and detailed analysis information.