Changes Detected in CHM Malware Distribution

AhnLab Security Emergency response Center (ASEC) has previously covered a CHM malware type impersonating Korean financial institutions and insurance companies. Recently, the execution method of this malware type has been changing every week. This post covers how the changed execution processes of the CHM malware are recorded in AhnLab's EDR products.

Figure 1. EDR detection diagram

Figure 1 shows the EDR detection diagram for the execution method of the CHM malware impersonating financial institutions and insurance companies. The very top portion of Figure 1 is the diagram for the initial distribution, which was covered in previously uploaded posts. When the CHM file (Windows help file) is executed, it runs through the hh process. A script in the internal HTML file then decompiles the CHM to generate a file. The generated .jse file is in turn run by wscript.

This method is the same as the first variant shown in the middle diagram in Figure 1. The difference between the initially distributed form and the first variant is in the .jse file.

Figure 2. Distributed jse script
Figure 3. Variant of the distributed jse script

Figure 2 shows the content of the initially distributed .jse script and Figure 3 shows the script in the first variant. The initially distributed script ran a PowerShell command through CMD for download and execution, which was covered in previous blog posts. The script in the first variant (see Figure 3) adds the .jse file to the autorun registry to maintain persistence in the same way, but its execution method differs depending on whether the installation path of AhnLab products is present. In environments that have AhnLab products installed, the download is performed by a script and execution happens through the autorun registry. In environments without AhnLab products, execution occurs immediately after the download. The difference between the top and middle portions of the diagram in Figure 1 comes from the difference between the scripts in Figures 2 and 3.

The diagram at the very bottom of Figure 1 is the second variant. In this case, the CHM malware directly drops and executes the malware itself. The executed malware strain is developed in .NET and has a structure similar to the initially distributed file, but instead of focusing on exfiltrating information, it establishes reverse connections in the manner of a backdoor.
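The three chains in Figure 1 can be written as a small hunting rule over process-creation and registry events. This is an added example, not AhnLab EDR logic or code from the original post; the event fields, finding labels and sample paths are constructed, and it assumes the second variant's payload appears as a direct child of hh.exe.

```python
import ntpath

RUN_KEY = r"\software\microsoft\windows\currentversion\run"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
EXPECTED = SCRIPT_HOSTS | {"cmd.exe", "powershell.exe", "hh.exe"}

def base(path):
    return ntpath.basename(path).lower()

def has_hh_ancestor(pid, procs):  # walk the parent chain looking for hh.exe
    seen = set()  # guards against self-parented or looping PIDs
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid]["ppid"]
        if pid in procs and base(procs[pid]["image"]) == "hh.exe":
            return True
    return False

def find_chm_chains(events):  # returns (label, pid) findings, in event order
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    out = []
    for e in events:
        if e["type"] == "reg":  # persistence: .jse registered in an autorun key
            if RUN_KEY in e["key"].lower() and e["data"].lower().endswith(".jse"):
                out.append(("jse_autorun", e["pid"]))
        elif has_hh_ancestor(e["pid"], procs):
            name, parent = base(e["image"]), base(procs[e["ppid"]]["image"])
            if name in SCRIPT_HOSTS and ".jse" in e["cmdline"].lower():
                out.append(("jse_via_hh", e["pid"]))          # initial form, variant 1
            elif name == "powershell.exe":
                out.append(("powershell_via_hh", e["pid"]))   # initial form
            elif parent == "hh.exe" and name not in EXPECTED:
                out.append(("exe_direct_from_hh", e["pid"]))  # variant 2 (assumed direct child)
    return out

def P(pid, ppid, image, cmdline):
    return {"type": "proc", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}

SYS = "C:\\Windows\\System32\\"  # constructed sample events follow; all paths are made up
SAMPLE = [
    P(100, 1, r"C:\Windows\hh.exe", r"hh.exe C:\Users\u\notice.chm"),
    P(101, 100, SYS + "wscript.exe", r"wscript.exe C:\Users\Public\doc.jse"),
    {"type": "reg", "pid": 101, "data": r"C:\Users\Public\doc.jse",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\doc"},
    P(102, 101, SYS + "cmd.exe", "cmd /c powershell ..."),
    P(103, 102, SYS + "powershell.exe", "powershell ..."),
    P(200, 1, r"C:\Windows\hh.exe", r"hh.exe C:\Users\u\guide.chm"),
    P(201, 200, r"C:\Users\Public\app.exe", "app.exe"),
]
```

Calling `find_chm_chains(SAMPLE)` flags the wscript, autorun and PowerShell events of the first CHM and the dropped executable of the second; a wscript process running a .jse file with no hh.exe ancestor is not flagged by the process rules.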

Malware strains that target specific users in Korea may include content on topics of interest to the user to encourage them to run the file, so users should refrain from opening emails from unknown sources and should not open their attachments. Users should also regularly scan their PCs and update their security products to the latest engine.

[Behavior Detection]

[File Detection]
Infostealer/Win.Generic.R5505251906 (2023.07.18.02)
Dropper/CHM.Generic (2023.07.20.00)
Backdoor/Win.Generic.C5464647 (2023.08.02.03)
Downloader/JS.Obfus (2023.07.28.00)
Trojan/HTML.RUNNER.S2326 (2023.08.02.02)


AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.
