The distribution method of malware has been diversifying as of late. Among these methods, a malware strain that uses the Windows Help file (*.chm) has been on the rise since last year, and has been covered multiple times in ASEC blog posts like the ones listed below.
- APT Attack Being Distributed as Windows Help File (*.chm)
- Malicious Help File Disguised as COVID-19 Infectee Notice Being Distributed in Korea
- Backdoor (*.chm) Disguised as Document Editing Software and Messenger Application
- Malicious Help File Disguised as Missing Coins Report and Wage Statement (*.chm)
- AgentTesla Distributed Through Windows Help File (*.chm)
- CHM Malware Types with Anti-Sandbox Technique and Targeting Companies
- Malicious CHM Being Distributed to Korean Universities
Recently, the distribution of AsyncRAT through CHM has been confirmed. The overall operation process is shown in Figure 1, and each step will be explained below.
First, unlike the types covered in the past, a blank Help screen is created when the CHM file is executed.
The malicious script that runs without the user's knowledge is shown in Figure 3; its structure is clearly simpler than that of the previous types. The script uses mshta to execute a malicious command hosted at the address “hxxps://2023foco.com[.]br/plmckv.hta”.
The file at this address contains a malicious VBScript, a portion of which is shown in Figure 5. The VBScript splits its strings into fragments to evade detection and is responsible for executing PowerShell commands.
Two PowerShell commands are executed. They download and execute the v.vbs and v.hta files, respectively, from the following URLs.
- Download URL
First, as shown in Figure 6, the v.vbs file is obfuscated to the point of being incomprehensible.
Once the script is deobfuscated, the PowerShell command becomes visible. This command loads a .NET DLL that is encoded within the script. The DLL acts as a loader: it receives a URL as an argument, fetches the malicious data from that URL, and loads it in memory.
The loaded DLL receives the malicious URL in reversed form as an argument. It then downloads additional data from the URL before loading and executing it inside the “C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe” process.
- Download URL
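The execution chain described above (the Help viewer launching mshta, the HTA's VBScript launching PowerShell, and PowerShell handing the payload to RegAsm.exe) is visible as a sequence of parent/child process creations. The following PowerShell is an added example, not code from the ASEC post: it runs a few rules over process-creation records whose field names mimic Sysmon Event ID 1 (Image, ParentImage, CommandLine). The sample records and the URL in them are constructed for illustration, and the list of .NET utilities treated as injection hosts is an assumption.

```powershell
# Added example, not code from the ASEC post: check process-creation records for
# the chain hh.exe -> mshta.exe -> powershell.exe -> RegAsm.exe described above.
# Field names mimic Sysmon Event ID 1; the records below are constructed samples.

function Get-ImageName {
    param([string]$Path)
    if (-not $Path) { return '' }
    return [System.IO.Path]::GetFileName($Path).ToLowerInvariant()
}

function Find-ChmChainIndicators {
    param([Parameter(Mandatory)][object[]]$Events)

    $scriptHosts    = @('mshta.exe', 'wscript.exe', 'cscript.exe', 'powershell.exe', 'cmd.exe')
    # Assumption: .NET utilities commonly used to host an in-memory payload.
    $injectionHosts = @('regasm.exe', 'regsvcs.exe', 'installutil.exe', 'msbuild.exe', 'powershell_ise.exe')

    foreach ($e in $Events) {
        $child   = Get-ImageName $e.Image
        $parent  = Get-ImageName $e.ParentImage
        $reasons = @()

        # Step 1: the Help viewer (hh.exe) has no business launching a script host.
        if ($parent -eq 'hh.exe' -and $scriptHosts -contains $child) {
            $reasons += 'CHM viewer spawned a script host'
        }
        # Step 2: mshta fetching an .hta from a remote URL.
        if ($child -eq 'mshta.exe' -and $e.CommandLine -match 'https?://') {
            $reasons += 'mshta executing a remote HTA'
        }
        # Step 3: a script host launching PowerShell (the VBScript running its commands).
        if ($parent -in @('mshta.exe', 'wscript.exe', 'cscript.exe') -and $child -eq 'powershell.exe') {
            $reasons += 'script host launched PowerShell'
        }
        # Step 4: PowerShell starting a .NET utility that can host the downloaded payload.
        if ($parent -eq 'powershell.exe' -and $injectionHosts -contains $child) {
            $reasons += 'PowerShell spawned a .NET utility (possible in-memory payload host)'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                ProcessId   = $e.ProcessId
                Parent      = $parent
                Image       = $child
                CommandLine = $e.CommandLine
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample records (not real telemetry); the URL is a placeholder.
$sampleEvents = @(
    [pscustomobject]@{ ProcessId = 4100; ParentImage = 'C:\Windows\explorer.exe'; Image = 'C:\Windows\hh.exe'; CommandLine = 'hh.exe C:\Users\user\Downloads\notice.chm' }
    [pscustomobject]@{ ProcessId = 4188; ParentImage = 'C:\Windows\hh.exe'; Image = 'C:\Windows\System32\mshta.exe'; CommandLine = 'mshta https://malicious.example.invalid/payload.hta' }
    [pscustomobject]@{ ProcessId = 4210; ParentImage = 'C:\Windows\System32\mshta.exe'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell -w hidden -ep bypass -c "..."' }
    [pscustomobject]@{ ProcessId = 4260; ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; Image = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'; CommandLine = 'RegAsm.exe' }
    [pscustomobject]@{ ProcessId = 4300; ParentImage = 'C:\Windows\explorer.exe'; Image = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe' }
)

Find-ChmChainIndicators -Events $sampleEvents | Format-Table -AutoSize
```

Run against the constructed records, the function flags the mshta, powershell and RegAsm.exe processes (three findings) and ignores the notepad.exe record. Against real Sysmon data, the same rules apply to the output of Get-WinEvent for the Microsoft-Windows-Sysmon/Operational log once the event XML is projected into the same three fields.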
The data downloaded and executed by the loader is what performs the actual malicious behavior. This data is AsyncRAT, an open-source RAT malware publicly available on GitHub. It can perform various malicious behaviors by receiving commands from the threat actor through their C2. Its default features include Anti-VM, keylogging, and a remote shell. Additionally, the C2 address and port strings it needs for its malicious behavior are stored in encrypted form and are decrypted before use, as shown in Figure 10.
v.hta has two features: executing additional commands and creating startup programs. For the first, it receives the additional commands from the URL below through a PowerShell command.
- Download URL
The additional command uses PowerShell to download data from the two URLs below and executes one of them, as shown in Figure 12. At this stage, the path “C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe” and the remaining downloaded data are passed as arguments. The first URL is currently inaccessible, so the exact process cannot be verified, but the data downloaded from it is assumed to be a loader. Presumably, the loader injects the remaining data into the normal process whose path was passed as an argument. This is a common method that malware strains use to evade behavior-based detection.
- Download URL
hxxps://2023foco.com[.]br/runpe.jpg (presumed loader)
The data assumed to be injected and executed has been identified as an Infostealer. As shown in Figure 13, this malware is capable of taking screenshots of a user’s PC screen and sending them to the threat actor via SMTP.
The second feature of v.hta is creating startup programs. An LNK file is created in the following path and configured to run the v.vbs file. To avoid suspicion, the shortcut uses the icon of a normal file (C:\Program Files (x86)\Internet Explorer\iexplore.exe).
- LNK file creation path
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\Viual Frontal Hotel.lnk
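The persistence described above leaves a recognizable artifact: a Startup-folder shortcut that launches a script file while displaying the icon of an unrelated executable. The following PowerShell is an added example, not code from the ASEC post, that audits the per-user and all-users Startup folders for that pattern. It reads each shortcut through the WScript.Shell COM object (TargetPath, Arguments, IconLocation); the lists of script hosts and script extensions it treats as suspicious are assumptions.

```powershell
# Added example, not code from the ASEC post: audit Startup-folder shortcuts for
# a .lnk that launches a script file or script host while borrowing the icon of
# a different executable, the pattern described for the v.vbs persistence above.

function Test-StartupShortcut {
    param([Parameter(Mandatory)][string]$Path)

    $shell     = New-Object -ComObject WScript.Shell
    $lnk       = $shell.CreateShortcut($Path)
    $target    = [string]$lnk.TargetPath
    $arguments = [string]$lnk.Arguments
    # IconLocation has the form "path,index" (",0" when unset); keep the path part.
    $icon      = ([string]$lnk.IconLocation -split ',')[0].Trim()

    $reasons = @()
    # Assumption: these script hosts and extensions are unusual as Startup targets.
    if ($target -match '\\(wscript|cscript|mshta|powershell|cmd)\.exe$') {
        $reasons += "target is a script host ($([IO.Path]::GetFileName($target)))"
    }
    if ("$target $arguments" -match '\.(vbs|vbe|js|jse|hta|wsf|ps1|bat|cmd)(\s|"|$)') {
        $reasons += 'launches a script file'
    }
    $suspicious = $reasons.Count -gt 0

    # Supporting indicator: the icon comes from an executable other than the one launched.
    if ($suspicious -and $icon -match '\.exe$' -and
        [IO.Path]::GetFileName($icon) -ne [IO.Path]::GetFileName($target)) {
        $reasons += "icon borrowed from $icon"
    }

    [pscustomobject]@{
        Shortcut   = $Path
        Target     = $target
        Arguments  = $arguments
        Icon       = $icon
        Suspicious = $suspicious
        Reasons    = ($reasons -join '; ')
    }
}

# Check both the per-user and the all-users Startup folders.
$folders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
Get-ChildItem -Path $folders -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-StartupShortcut -Path $_.FullName } |
    Where-Object { $_.Suspicious } |
    Format-List
```

A shortcut like the one described above, pointing at a .vbs file and carrying the iexplore.exe icon, is reported with both the "launches a script file" and "icon borrowed from ..." reasons. Shortcuts to ordinary executables, or whose icon is taken from the launched program itself, produce no output.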
Recently, malware has been distributed in various forms, including CHM files. Most of these malware strains load their malicious data into normal processes in order to avoid detection. Moreover, the malware executes in a fileless manner, making it difficult for users to identify what type of malware was executed. Users should refrain from opening files from unknown sources and should run periodic checkups on their PC.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.