Malicious CHM Being Distributed to Korean Universities

The ASEC analysis team discovered that a malicious CHM file targeting certain Korean universities is distributed on a massive scale. The file that is being distributed is the same type as the one discussed in a post uploaded in May.

Figure 1 shows the code of the HTM file inside the malicious CHM. It appears that the file is distributed with the name “2022_Improving fundamental science research capability_commencement announcement_hosting_plan Ver1.1.chm”. When users run the malicious CHM file, the HTM file’s code is executed. The script decompiles the CHM file through hh.exe and runs LBTWiz32.exe. It then creates a normal image file (KBSI_SNS_003.jpg) on the PC screen, making it difficult for users to recognize malicious behaviors.

Figure 1. Internal HTM code

LBTWiz32.exe that is run is a normal program. However, the malicious DLL (LBTServ.dll) created on the same path through DLL hijacking is loaded and starts operating. The malicious DLL creates and executes a malicious VBE file (ReVBShell) in the %TEMP% folder. Figures 2 to 4 show parts of the decoded VBE code.

Figure 2. Checking anti-malware products (1)

Figure 3. Checking anti-malware products (2)

Figure 4. Connecting to C2

Like the type mentioned in the previously mentioned post, ReVBShell does not perform malicious behaviors if “ESET Security” products are installed in the system. Otherwise, ReVBShell attempts to connect to C2. Upon being connected to C2, the file can perform the following features:

  • VBE Features
    Obtaining OS information (“SELECT * FROM Win32_OperatingSystem”)
    Obtaining network adapter information (SELECT * FROM Win32_NetworkAdapterConfiguration WHERE MACAddress > ”)
    Obtaining computer name and domain information
    Obtaining information on current processes (SELECT * FROM Win32_Process)
    Downloading and running files
    WGET features

Recently, there are multiple cases of malware being distributed using CHM in Korea. As it is targeting specific organizations, users in the relevant field should take extra caution and refrain from running files with unknown sources. AhnLab’s anti-malware product, V3, detects and blocks the malware using the aliases below.

[File Detection]
Trojan/Win.ReverseShell.R506553 (2022.07.26.00)
Trojan/HTML.Generic (2022.07.26.00)
Trojan/VBS.Generic (2022.07.26.00)

[IOC]
56b3067c366827e6814c964dd8940c88
058bed5a09c20618897888022fd0116e
e8aa5c0309cbc1966674b110a4afd83a
ckstar.zapto[.]org:443

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

4 2 votes
Article Rating
guest

0 Comments
Inline Feedbacks
View all comments