AhnLab Security Emergency response Center (ASEC) has recently discovered a CHM malware sample assumed to have been created by the Kimsuky group. It is the same malware type as the one covered in the following ASEC blog posts and in the analysis report on malware distributed by the Kimsuky group, and its goal is the exfiltration of user information.
- Analysis Report on Malware Distributed by the Kimsuky Group – Oct 20, 2022
- APT Attack Being Distributed as Windows Help File (*.chm) – Mar 17, 2022
- Malicious Help File Disguised as Missing Coins Report and Wage Statement (*.chm) – May 11, 2022
The CHM file is compressed and distributed as an email attachment. The first email pretends to be an interview request about matters related to North Korea. If the recipient accepts the interview, a password-protected compressed file is sent as an attachment. Not only is this North Korea-related interview email identical to the one analyzed previously, it also follows the same pattern of sending the malicious file only after the recipient replies to the email.
- Malware Disguised as Normal Documents (Kimsuky) – Feb 03, 2023
- Word File Provided as External Link When Replying to Attacker’s Email (Kimsuky) – July 26, 2022
When the InterviewQuestionnaire(***).chm file is executed, a help document containing actual interview questions appears as shown below, making it difficult for users to realize that the file is malicious.
The CHM holds a malicious script and, like the CHM malware covered before, it uses a shortcut object (ShortCut). The shortcut object is invoked through the Click method, which executes the command stored in Item1. The command executed through ‘InterviewQuestionnaire(***).chm’ is as follows.
- Executed Command
cmd, /c echo [Encoded Command] > "%USERPROFILE%\Links\Document.dat" & start /MIN certutil -decode "%USERPROFILE%\Links\Document.dat" "%USERPROFILE%\Links\Document.vbs" & start /MIN REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Document /t REG_SZ /d "%USERPROFILE%\Links\Document.vbs" /f
Thus, when the CHM is executed, the encoded command is written to %USERPROFILE%\Links\Document.dat. Certutil then decodes it and saves the result as %USERPROFILE%\Links\Document.vbs. The threat actor also registers Document.vbs in the Run key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) so that the malicious script runs persistently. Ultimately, Document.vbs connects to hxxp://mpevalr.ria[.]monster/SmtInfo/demo.txt and executes the PowerShell script hosted there.
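As a defender-side illustration of the three-step chain above (CHM launching a shell, certutil decoding a file into a script, a Run key pointing at that script), here is an added Python hunting example. It is not code from the ASEC post; the process-creation events it scans are constructed samples, and the user path C:\Users\u is an assumption.

```python
import ntpath
import re

SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".ps1", ".bat", ".cmd", ".hta")
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# "-decode <in> <out>": capture <out>, whether quoted or bare.
DECODE_RE = re.compile(r'-decode\s+(?:"[^"]*"|\S+)\s+(?:"([^"]*)"|(\S+))', re.I)
# "REG ADD <hive>\...\CurrentVersion\Run": the persistence location seen above.
RUN_KEY_RE = re.compile(r'\breg(?:\.exe)?\s+add\s+"?hk\w*\\[^"\s]*currentversion\\run(?:once)?\b', re.I)
# "/d <value>": the data written into the Run key.
RUN_DATA_RE = re.compile(r'/d\s+(?:"([^"]*)"|(\S+))', re.I)


def _target(m):
    return (m.group(1) or m.group(2)).strip().lower()


def evaluate(parent_image, image, command_line):
    """Return the names of the hunting rules that fire on one process-creation event."""
    hits = []
    if ntpath.basename(parent_image).lower() == "hh.exe" and ntpath.basename(image).lower() in SHELLS:
        hits.append("chm_spawned_shell")  # help viewer hh.exe starting a shell
    m = DECODE_RE.search(command_line)
    if "certutil" in command_line.lower() and m and _target(m).endswith(SCRIPT_EXT):
        hits.append("certutil_decode_to_script")  # certutil used to materialise a script
    if RUN_KEY_RE.search(command_line):
        d = RUN_DATA_RE.search(command_line)
        if d and _target(d).endswith(SCRIPT_EXT):
            hits.append("run_key_points_to_script")  # Run-key value is a script file
    return hits


def scan(events):
    """Map event index -> rule hits, keeping only events that trigger at least one rule."""
    return {i: hits for i, (p, img, cl) in enumerate(events) if (hits := evaluate(p, img, cl))}


# Constructed sample events (parent image, image, command line); not from the original post.
U = "C:\\Users\\u\\Links"
SAMPLE_EVENTS = [
    ("C:\\Windows\\hh.exe", "C:\\Windows\\System32\\cmd.exe",
     f'cmd /c echo QmFzZTY0RGF0YQ== > "{U}\\Document.dat" & start /MIN certutil -decode "{U}\\Document.dat" '
     f'"{U}\\Document.vbs" & start /MIN REG ADD HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run '
     f'/v Document /t REG_SZ /d "{U}\\Document.vbs" /f'),
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\certutil.exe",
     f'certutil -decode "{U}\\Document.dat" "{U}\\Document.vbs"'),
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\reg.exe",
     f'REG ADD HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v Document /t REG_SZ /d "{U}\\Document.vbs" /f'),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\certutil.exe",
     "certutil -hashfile C:\\setup.msi SHA256"),  # benign certutil use, should not fire
]
```

Running `scan(SAMPLE_EVENTS)` flags the first three events and leaves the benign hash check alone; the first event alone fires all three rules because the whole chain sits in a single cmd.exe command line.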
The URL that Document.vbs connects to is currently unavailable, but a script assumed to have been downloaded from this address has been found. The confirmed script intercepts the user’s key inputs, saves them to a file, and sends that file to the threat actor. Besides logging keystrokes and reading the caption of the current foreground window (ForegroundWindow), it periodically checks the clipboard contents and saves them to %APPDATA%\Microsoft\Windows\Templates\Pages_Elements.xml. It then sends this file to hxxp://mpevalr.ria[.]monster/SmtInfo/show.php.
As can be seen from Figure 6 and Figure 7, Document.vbs (the VBS script) and demo.txt (the PowerShell script) have the same format as the malware analyzed in the ‘Analysis Report on Malware Distributed by the Kimsuky Group’ published on ATIP last year. Users should therefore take extreme caution, as the Kimsuky group appears to be distributing phishing emails carrying malware in various forms such as Word files and CHM files.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.