In March, AhnLab Security Emergency response Center (ASEC) covered CHM-type malware that impersonated security emails from financial institutions. This post covers a recently identified distribution of CHM-type malware that uses a similar method, impersonating Korean financial institutions and insurance companies.
The CHM file is distributed inside a compressed (RAR) archive. Upon execution, it displays the following help screens, all of which are disguised as notices sent from Korean financial institutions and insurance companies, with subjects such as “credit card limit,” “results of insurance fee withdrawal,” and “banking contract.”
The malicious script executed at this point is shown below. It differs in some respects from the script in previously identified CHM files: the Object tag and command are not executed immediately, but are instead assembled as a string and inserted into a particular element id via the innerHTML property. The use of shortcut objects (ShortCut) and the click method is the same as in past cases.
This script executes a total of two commands. First, the CHM file is decompiled into the “C:\Users\Public\Libraries” path, which extracts and creates the file “Docs.jse”; this file is then executed through wscript.
- Command 1: hh,-decompile C:\Users\Public\Libraries [CHM execution path]
- Command 2: wscript,C:\Users\Public\Libraries\Docs.jse P
The script ultimately adds “Docs.jse” to the Run key to maintain persistence. Afterward, a PowerShell command attempts to download additional malicious files. The additional file is saved to the “%tmp%\alg.exe” path, but the download URLs are currently unavailable.
- Download URL
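As an added illustration (not code from the ASEC post), the following Python detection logic flags the two commands described above in constructed, Sysmon-style process-creation records: the HTML Help viewer decompiling a CHM into C:\Users\Public\Libraries, and wscript launching a script from that same path. The event field names and the sample command lines are assumptions made for this example.

```python
import re

# Constructed process-creation records in a simplified Sysmon-like shape
# (hypothetical sample data, not telemetry from the original post).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\hh.exe", "image": r"C:\Windows\hh.exe",
     "cmdline": r'hh -decompile C:\Users\Public\Libraries "C:\Users\victim\Downloads\card_limit.chm"'},
    {"parent": r"C:\Windows\hh.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript C:\Users\Public\Libraries\Docs.jse P"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\hh.exe",
     "cmdline": r"hh C:\Program Files\Tool\manual.chm"},  # benign help file
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript C:\Scripts\backup.vbs"},  # benign admin script
]

# User-writable location the CHM decompiled into and ran its script from.
PUBLIC_DIR = re.compile(r"c:\\users\\public\\", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(jse|js|vbs|vbe|wsf)\b", re.IGNORECASE)


def classify_event(ev):
    """Return the detection labels that apply to one process-creation event."""
    image = ev["image"].lower()
    parent = ev["parent"].lower()
    cmd = ev["cmdline"]
    hits = []
    # hh.exe "-decompile" into a public directory: how the CHM dropped Docs.jse.
    if image.endswith("\\hh.exe") and "-decompile" in cmd.lower() and PUBLIC_DIR.search(cmd):
        hits.append("chm_decompile_to_public_dir")
    # Windows Script Host executing a script from that same public directory.
    if image.endswith(("\\wscript.exe", "\\cscript.exe")) and PUBLIC_DIR.search(cmd) \
            and SCRIPT_EXT.search(cmd):
        hits.append("script_host_from_public_dir")
    # The help viewer itself spawning the script host (ShortCut object + click).
    if parent.endswith("\\hh.exe") and image.endswith("\\wscript.exe"):
        hits.append("hh_spawns_wscript")
    return hits


def scan(events):
    """Map the index of each suspicious event to its labels; clean events are omitted."""
    findings = {}
    for i, ev in enumerate(events):
        hits = classify_event(ev)
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], "->", labels)
```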
Because the behaviour depends on the additionally downloaded malicious files, this type of malware can inflict severe damage on a system through actions such as information exfiltration. In particular, malware targeting specific users in Korea may use content relevant to the user to encourage them to execute it, so users should refrain from opening emails from unknown sources and should not execute their attachments. Users should also regularly scan their PCs and update their security products to the latest engine.