CHM Malware Stealing User Information Being Distributed in Korea


AhnLab SEcurity intelligence Center (ASEC) recently identified a CHM malware strain that steals user information being distributed to Korean users. This CHM is a type that has been continuously distributed in various formats such as LNK, DOC, and OneNote in the past. A slight change to the execution process was observed in the recent samples.

The overall execution flow is shown in Figure 1. The malware chains multiple scripts to ultimately send user information and keylog data to the threat actor. Each execution step is explained below.

1. CHM

A help file is displayed when the CHM file is executed (see Figure 2). It appears to show the same messages used in previous cases. At the same time, the malicious script inside the file runs, creating and executing a file at the path “%USERPROFILE%\Links\Link.ini”.

2. Link.ini

The Link.ini file is a script that connects to a certain URL and executes an additional script. The URL format was “list.php?query=1” in previous cases, but it has been changed to “bootservice.php?query=1” for this file.

3. bootservice.php?query=1 (Fileless)

The URL hosts a malicious script encoded in Base64. The decoded script is the same as the script identified in <Analysis Report on Malware Distributed by the Kimsuky Group>. Its malicious features include exfiltrating user information (see Table 1), creating a malicious script file, and registering it as a service.

| Category | Collected items |
| --- | --- |
| System information | System owner name; computer manufacturer name; product name; system type; OS version and build number; available memory size; current processor speed |
| List of files in the folder | C:\Users\[User]\Desktop; C:\Users\[User]\Documents; C:\Users\[User]\Favorites; C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Recent; C:\Program Files; C:\Program Files(x86); C:\Users\[User]\Downloads |
| Information on currently running processes | Executed file name; ProcessID; SessionID |
| Anti-malware information (code only, not executed) | Product name; supplier path; unique identifier; status information |

Table 1. Exfiltrated information

The malicious script is created and executed under the path “%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\OfficeUpdater_[minute]_[hour]_[day and month].ini”, registered as a service, and scheduled to run automatically at 60-minute intervals.

4. OfficeUpdater_[minute]_[hour]_[day and month].ini

This file is registered as a service and runs periodically. It connects to a certain URL and executes an additional script. As in step 2, the URL format was “list.php?query=6” in previous cases but has been changed to “bootservice.php?query=6”.

5. bootservice.php?query=6 (Fileless)

As in step 3, this URL hosts a malicious script encoded in Base64. The decoded script uses a PowerShell command to connect to a certain URL and execute an additional script. The “InfoKey” value and the encoded URL are passed as parameters in this step.

6. loggerservice.php?idx=5 (Fileless)

The URL hosts a PowerShell script that decodes and executes an encoded secure string. Previous cases used comparatively simple obfuscation methods at this stage, such as decompression or Base64, but the threat actor appears to have switched to a more complex obfuscation method to evade detection.

The decoded script performs keylogging. It saves keystrokes and clipboard data to the path “%APPDATA%\Microsoft\Windows\Templates\Office_Config.xml”, sends the data to the threat actor, and deletes the file after it has been sent.
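The six steps above leave a recognizable trail on an endpoint: the dropped Link.ini, the two bootservice.php requests, the OfficeUpdater_*.ini dropped under Temporary Internet Files together with its 60-minute task, the loggerservice.php request, and the Office_Config.xml staging file. The following hunt script is an added example for defenders, not AhnLab's code or the malware's. It maps each indicator back to the step it belongs to and flags a host only when at least two distinct stages are observed, which is more robust than alerting on any single file name. The event shape (a dict with a "kind" of file, url or task plus a few fields) and the sample events are constructed for the example; the regular expressions wrap the path and URL fragments quoted in the post, and the date-part widths in the OfficeUpdater name are assumed.

```python
import re
from collections import defaultdict

# Path and URL fragments from the post, keyed by the step of the chain they belong to.
# The surrounding regexes are assumptions made for this example.
FILE_INDICATORS = {
    1: re.compile(r"\\Links\\Link\.ini", re.IGNORECASE),
    3: re.compile(r"\\Temporary Internet Files\\OfficeUpdater_\d+_\d+_\d+\.ini", re.IGNORECASE),
    6: re.compile(r"\\Windows\\Templates\\Office_Config\.xml", re.IGNORECASE),
}
URL_INDICATORS = {
    2: re.compile(r"/(?:bootservice|list)\.php\?query=1\b"),   # list.php is the earlier format
    4: re.compile(r"/(?:bootservice|list)\.php\?query=6\b"),
    5: re.compile(r"/loggerservice\.php\?idx=5\b"),
}
TASK_INTERVAL_MINUTES = 60   # the dropped .ini is scheduled every 60 minutes (step 3)


def classify_event(event):
    """Return the chain step (1-6) an event matches, or None if it matches nothing."""
    kind = event.get("kind")
    if kind == "file":
        for step, pattern in FILE_INDICATORS.items():
            if pattern.search(event.get("path", "")):
                return step
    elif kind == "url":
        for step, pattern in URL_INDICATORS.items():
            if pattern.search(event.get("url", "")):
                return step
    elif kind == "task":
        # Step 3 also registers the dropped OfficeUpdater_*.ini to run at 60-minute intervals.
        if (event.get("interval_minutes") == TASK_INTERVAL_MINUTES
                and FILE_INDICATORS[3].search(event.get("command", ""))):
            return 3
    return None


def hunt(events):
    """Group matches per host; a host is flagged when two or more distinct stages were seen."""
    per_host = defaultdict(lambda: {"steps": set(), "matches": []})
    for event in events:
        entry = per_host[event.get("host", "?")]   # hosts with no matches still appear
        step = classify_event(event)
        if step is not None:
            entry["steps"].add(step)
            entry["matches"].append((step, event))
    report = {}
    for host, entry in per_host.items():
        steps = sorted(entry["steps"])
        report[host] = {"steps": steps, "matches": entry["matches"], "flagged": len(steps) >= 2}
    return report


# Constructed sample telemetry (not real logs): ws-01 shows the full chain, ws-02 only noise.
SAMPLE_EVENTS = [
    {"host": "ws-01", "kind": "file", "path": r"C:\Users\alice\Links\Link.ini"},
    {"host": "ws-01", "kind": "url", "url": "http://203.0.113.10/bootservice.php?query=1"},
    {"host": "ws-01", "kind": "file",
     "path": r"C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files\OfficeUpdater_17_09_2504.ini"},
    {"host": "ws-01", "kind": "task", "interval_minutes": 60,
     "command": r"wscript.exe C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files\OfficeUpdater_17_09_2504.ini"},
    {"host": "ws-01", "kind": "url", "url": "http://203.0.113.10/bootservice.php?query=6"},
    {"host": "ws-01", "kind": "url", "url": "http://203.0.113.10/loggerservice.php?idx=5"},
    {"host": "ws-01", "kind": "file",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Templates\Office_Config.xml"},
    {"host": "ws-02", "kind": "url", "url": "http://intranet.example/list.php?query=2"},   # wrong query value
    {"host": "ws-02", "kind": "file", "path": r"C:\Users\bob\Documents\Office_Config.xml"},  # wrong folder
]

if __name__ == "__main__":
    for host, result in hunt(SAMPLE_EVENTS).items():
        print(host, "flagged" if result["flagged"] else "clean", "steps seen:", result["steps"])
        for step, event in result["matches"]:
            print("   step", step, "<-", event.get("path") or event.get("url") or event.get("command"))
```

Feeding real Sysmon file-create, proxy and scheduled-task events into `hunt` only requires mapping them onto the three event kinds. The two-stage threshold is the design choice worth keeping: a lone Office_Config.xml or a single list.php request is weak evidence, while a URL hit plus the matching dropped .ini on the same host reproduces the chain the post describes.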

Examining the execution process of the recently discovered CHM malware shows that it is very similar to the type reported in the past. It is believed to have been created by the same threat actor responsible for those cases, who appears to be employing various obfuscation methods to evade detection. As it is being distributed to Korean users, users must be particularly cautious and refrain from opening files from unknown sources.

[File Detection]
Dropper/CHM.Generic (2024.04.25.03)

MD5

b2c74dbf20824477c3e139b48833041b
