Malicious CHM Being Distributed to Korean Universities

The ASEC analysis team discovered that a malicious CHM file targeting certain Korean universities is distributed on a massive scale. The file that is being distributed is the same type as the one discussed in a post uploaded in May.

Figure 1 shows the code of the HTM file inside the malicious CHM. It appears that the file is distributed with the name “2022_Improving fundamental science research capability_commencement announcement_hosting_plan Ver1.1.chm”. When users run the malicious CHM file, the HTM file’s code is executed. The script decompiles the CHM file through hh.exe and runs LBTWiz32.exe. It then creates a normal image file (KBSI_SNS_003.jpg) on the PC screen, making it difficult for users to recognize malicious behaviors.

Figure 1. Internal HTM code

LBTWiz32.exe that is run is a normal program. However, the malicious DLL (LBTServ.dll) created on the same path through DLL hijacking is loaded and starts operating. The malicious DLL creates and executes a malicious VBE file (ReVBShell) in the %TEMP% folder. Figures 2 to 4 show parts of the decoded VBE code.

Figure 2. Checking anti-malware products (1)

Figure 3. Checking anti-malware products (2)

Figure 4. Connecting to C2

Like the type mentioned in the previously mentioned post, ReVBShell does not perform malicious behaviors if “ESET Security” products are installed in the system. Otherwise, ReVBShell attempts to connect to C2. Upon being connected to C2, the file can perform the following features:

  • VBE Features
    Obtaining OS information (“SELECT * FROM Win32_OperatingSystem”)
    Obtaining network adapter information (SELECT * FROM Win32_NetworkAdapterConfiguration WHERE MACAddress > ”)
    Obtaining computer name and domain information
    Obtaining information on current processes (SELECT * FROM Win32_Process)
    Downloading and running files
    WGET features

Recently, there are multiple cases of malware being distributed using CHM in Korea. As it is targeting specific organizations, users in the relevant field should take extra caution and refrain from running files with unknown sources. AhnLab’s anti-malware product, V3, detects and blocks the malware using the aliases below.

[File Detection]
Trojan/Win.ReverseShell.R506553 (2022.07.26.00)
Trojan/HTML.Generic (2022.07.26.00)
Trojan/VBS.Generic (2022.07.26.00)


Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

4 2 votes
Article Rating
Notify of

1 Comment
Inline Feedbacks
View all comments

[…] APT Attack Being Distributed as Windows Help File (*.chm) Malicious Help File Disguised as COVID-19 Infectee Notice Being Distributed in Korea Backdoor (*.chm) Disguised as Document Editing Software and Messenger Application Malicious Help File Disguised as Missing Coins Report and Wage Statement (*.chm) AgentTesla Distributed Through Windows Help File (*.chm) CHM Malware Types with Anti-Sandbox Technique and Targeting Companies Malicious CHM Being Distributed to Korean Universities […]