AsyncRAT Being Distributed as Windows Help File (*.chm)

The distribution method of malware has been diversifying as of late. Among these methods, a malware strain that uses the Windows Help file (*.chm) has been on the rise since last year, and has been covered multiple times in ASEC blog posts like the ones listed below.

Recently, the distribution of AsyncRAT through CHM has been confirmed. The overall operation process is shown in Figure 1, and each step will be explained below.

Figure 1. Overall operation process

First, unlike the types covered in the past, a blank Help screen is created when the CHM file is executed.

Figure 2. CHM execution screen

The contents of the malicious script that is run under the noses of users can be seen in Figure 3. It clearly has a simpler structure compared to previous types. This script uses mshta to execute a malicious command that exists in the address “hxxps://[.]br/plmckv.hta”.

Figure 3. Malicious script within the CHM
Figure 4. Process tree

A malicious VBScript exists within this address and a portion of its command is shown in Figure 5. The malicious VBScript has fragmented strings to evade detection, and is responsible for executing PowerShell commands.

Figure 5. Malicious VBScript

There are 2 PowerShell commands that are executed. The commands respectively download and execute the vbs and hta files from the following URL.

  • Download URL
    hxxp://[.]br/vvvvv.txt (C:\ProgramData\v.vbs)
    hxxps://[.]br/serverhta.hta (C:\ProgramData\v.hta)

1. v.vbs

First, as shown in Figure 6, the v.vbs file is obfuscated to the point of being incomprehensible.

Figure 6. Part of the v.vbs code

The PowerShell command can be seen once it is unobfuscated. This command loads a .NET DLL that is encoded within the script. This DLL receives malicious data from the URL that is transmitted to the loader file as an argument and loads it in the memory.

Figure 7. Part of the unobfuscated command
Figure 8. DLL load command

The loaded DLL receives the reversed malicious URL as an argument. It then downloads additional data from the URL before loading and executing it in the “C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe” process.

  • Download URL
Figure 9. Loader

The data that has been downloaded and executed by the loader is what performs the actual malicious behavior. This data is AsyncRat, an open-source RAT malware publicly available on GitHub. This malware is capable of performing various malicious behaviors by receiving commands from the threat actor through their C2. The default features include Anti-VM, keylogging, and remote shell. Additionally, it possesses the strings necessary for malicious C2 and porting behaviors but in an encrypted form. It is then decrypted like in Figure 10 and used.

  • C2
Figure 10. AsyncRAT

2. v.hta

v.hta is capable of executing additional commands and creating startup programs. Its first feature of executing additional commands is done by receiving them from the URL below through a PowerShell command.

  • Download URL
Figure 11. Part of the v.hta code when executing an additional command

The additional command downloads data from the two respective URLs with a PowerShell command and executes one of them like in Figure 12. At this stage, the path “C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe” and the remaining data are transmitted as arguments. Currently, the first URL is inaccessible, so the exact process cannot be checked. However, the downloaded data is assumed to be a loader. It is presumed that the remaining data is injected into a normal process that is transmitted as an argument through the loader. This is a common method that malware strains use to evade behavior detection.

  • Download URL
    hxxps://[.]br/printa.txt (Infostealer)
    hxxps://[.]br/runpe.jpg (Loader 추정)
Figure 12. Additional command

The data assumed to be injected and executed has been identified as an Infostealer. As shown in Figure 13, this malware is capable of taking screenshots of a user’s PC screen and sending them to the threat actor via SMTP.

Figure 13. Screenshots being sent

The second feature that v.hta is capable of is creating startup programs. An LNK file is created in the following directory and configured to run the v.vbs file. Additionally, it uses the icon of a normal file (C:\Program Files (x86)\Internet Explorer\iexplore.exe) for the shortcut icon to avoid suspicion.

  • LNK file creation path
    %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\Viual Frontal Hotel.lnk
Figure 14. Part of the v.hta code to create startup program
Figure 15. Properties of the created LNK file

Recently, malware is being distributed in various forms such as CHM. A majority of these malware strains use normal processes when loading their malicious data in order to avoid detection.  Moreover, the malware is being executed in fileless format, making it difficult the for users to identify what type of malware was executed. Users should refrain from opening files from unknown sources and must run periodic checkups on their PC.

[File Detection]
Trojan/Win.Generic.C5303722 (2022.11.12.01)
Malware/Win32.RL_Generic.C4363035 (2021.03.06.01)
Trojan/Win.Agent.C4526491 (2021.06.30.03)
Downloader/CHM.Generic (2023.02.02.00)
Downloader/HTML.Generic (2023.02.02.00)
Downloader/VBS.Generic (2023.02.02.00)


Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

0 0 votes
Article Rating

Inline Feedbacks
View all comments