The ASEC analysis team discovered that a malicious CHM file targeting certain Korean universities is being distributed on a massive scale. The file being distributed is the same type as the one discussed in a post uploaded in May.
Figure 1 shows the code of the HTM file inside the malicious CHM. The file appears to be distributed under the name “2022_Improving fundamental science research capability_commencement announcement_hosting_plan Ver1.1.chm”. When a user runs the malicious CHM file, the HTM file’s code is executed. The script decompiles the CHM file through hh.exe and runs LBTWiz32.exe. It then displays a normal image file (KBSI_SNS_003.jpg) on the PC screen, making it difficult for users to notice the malicious behavior.

The LBTWiz32.exe that is run is a normal program. However, the malicious DLL (LBTServ.dll) created in the same path is loaded through DLL hijacking and starts operating. The malicious DLL creates and executes a malicious VBE file (ReVBShell) in the %TEMP% folder. Figures 2 to 4 show parts of the decoded VBE code.
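The chain described above (hh.exe decompiling the CHM, LBTWiz32.exe starting from the extracted folder, then a VBE running from %TEMP%) can be hunted in process-creation logs. The following detection sketch is an added example, not code from the ASEC post; the event fields, paths and PIDs are constructed, and it assumes the VBE is launched through wscript.exe or cscript.exe as a child of the dropped executable.

```python
import ntpath
import re

# Constructed process-creation events (Sysmon Event ID 1 style); paths and PIDs are made up.
EVENTS = [
    {"pid": 100, "ppid": 50, "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Users\kim\Downloads\plan.chm'},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\hh.exe",
     "cmdline": r"hh.exe -decompile C:\Users\kim\AppData\Roaming\out C:\Users\kim\Downloads\plan.chm"},
    {"pid": 102, "ppid": 100, "image": r"C:\Users\kim\AppData\Roaming\out\LBTWiz32.exe",
     "cmdline": r"C:\Users\kim\AppData\Roaming\out\LBTWiz32.exe"},
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\kim\AppData\Local\Temp\sample.vbe"'},
    {"pid": 200, "ppid": 50, "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Windows\Help\mmc.chm'},  # ordinary help viewing
]

DECOMPILE = re.compile(r'-decompile\s+("[^"]+"|\S+)', re.I)   # captures the output folder
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}                 # assumed VBE launchers
TEMP_VBE = re.compile(r'\\temp\\[^"\\]+\.vbe', re.I)

def find_chm_chains(events):
    """Return (rule, pid) alerts for each stage of the chain; events must be in time order."""
    drop_dirs = set()   # folders hh.exe extracted CHM contents into
    suspects = set()    # PIDs of processes whose image lives in such a folder
    alerts = []
    for ev in events:
        name = ntpath.basename(ev["image"]).lower()
        image_dir = ntpath.normcase(ntpath.dirname(ev["image"]))
        match = DECOMPILE.search(ev["cmdline"])
        if name == "hh.exe" and match:
            # Stage 1: CHM contents are unpacked to disk instead of just being viewed.
            drop_dirs.add(ntpath.normcase(match.group(1).strip('"')).rstrip("\\"))
            alerts.append(("chm_decompile", ev["pid"]))
        elif image_dir in drop_dirs:
            # Stage 2: an executable runs from the folder the CHM was unpacked into.
            suspects.add(ev["pid"])
            alerts.append(("exe_from_chm_drop_dir", ev["pid"]))
        elif name in SCRIPT_HOSTS and ev["ppid"] in suspects and TEMP_VBE.search(ev["cmdline"]):
            # Stage 3: that executable starts an encoded script from a Temp folder.
            alerts.append(("vbe_from_temp_by_dropped_exe", ev["pid"]))
    return alerts

if __name__ == "__main__":
    for rule, pid in find_chm_chains(EVENTS):
        print(f"{rule}: pid={pid}")
```

Because the side-loaded DLL runs inside a legitimately signed executable, the rules key on where the executable runs from and what it spawns rather than on its file name or signature.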



As with the type covered in the previously mentioned post, ReVBShell does not perform malicious behaviors if “ESET Security” products are installed on the system. Otherwise, ReVBShell attempts to connect to the C2. Once connected to the C2, it can perform the following features:
- VBE Features
  - Obtaining OS information (SELECT * FROM Win32_OperatingSystem)
  - Obtaining network adapter information (SELECT * FROM Win32_NetworkAdapterConfiguration WHERE MACAddress > '')
  - Obtaining computer name and domain information
  - Obtaining information on current processes (SELECT * FROM Win32_Process)
  - Downloading and running files
  - WGET features
Recently, there have been multiple cases of malware being distributed using CHM files in Korea. As this malware targets specific organizations, users in the relevant fields should take extra caution and refrain from running files from unknown sources. AhnLab’s anti-malware product, V3, detects and blocks the malware using the aliases below.
[File Detection]
Trojan/Win.ReverseShell.R506553 (2022.07.26.00)
Trojan/HTML.Generic (2022.07.26.00)
Trojan/VBS.Generic (2022.07.26.00)
[IOC]
56b3067c366827e6814c964dd8940c88
058bed5a09c20618897888022fd0116e
e8aa5c0309cbc1966674b110a4afd83a
ckstar.zapto[.]org:443