chm

Tracking the CHM Malware Using EDR

AhnLab Security Emergency response Center (ASEC) has shared an APT attack case that has recently used CHM (Compiled HTML Help File). Malware Distributed Disguised as a Password File CHM is a Help screen that is in an HTML format. Threat actors are able to input malicious scrip codes in HTMLs with the inclusion of CHM. The inserted script is executed through hh.exe which is a default OS application. MITRE ATT&CK refers to this technique where a threat actor uses a…

Malware Distributed Disguised as a Password File

AhnLab Security Emergency response Center (ASEC) discovered a malware strain disguised as a password file and being distributed alongside a normal file within a compressed file last month. It is difficult for users to notice that this file is malicious because this type of malware is distributed together with a normal file. The recently discovered malware was in CHM and LNK file formats. In the case of the CHM file, it shares the same type as the malware covered in…

CHM Malware Disguised as North Korea-related Questionnaire (Kimsuky)

AhnLab Security Emergency response Center (ASEC) has recently discovered a CHM malware which is assumed to have been created by the Kimsuky group. This malware type is the same as the one covered in the following ASEC blog posts and the analysis report on the malware distributed by the Kimsuky group, its goal being the exfiltration of user information. Analysis Report on Malware Distributed by the Kimsuky Group – Oct 20, 2022 APT Attack Being Distributed as Windows Help File (*.chm) –…

CHM Malware Disguised as Security Email from a Korean Financial Company: Redeyes (Scarcruft)

ASEC (AhnLab Security Emergency response Center) analysis team has discovered that the CHM malware, which is assumed to have been created by the RedEyes threat group (also known as APT37, ScarCruft), is being distributed to Korean users. The team has confirmed that the command used in the “2.3. Persistence” stage of the RedEyes group’s M2RAT malware attack, which was reported back in February, has the same format as the command used in this attack. This information, as well as the…

AsyncRAT Being Distributed as Windows Help File (*.chm)

The distribution method of malware has been diversifying as of late. Among these methods, a malware strain that uses the Windows Help file (*.chm) has been on the rise since last year, and has been covered multiple times in ASEC blog posts like the ones listed below. Recently, the distribution of AsyncRAT through CHM has been confirmed. The overall operation process is shown in Figure 1, and each step will be explained below. First, unlike the types covered in the…