Changes Detected in CHM Malware Distribution

AhnLab Security Emergency response Center (ASEC) has previously covered a CHM malware type impersonating Korean financial institutes and insurance companies. Recently, the execution method of this malware type has been changing every week. This post will cover how the changed execution processes of the CHM malware are recorded in AhnLab’s EDR products.

Figure 1. EDR detection diagram

Figure 1 shows the detection diagram in EDR products for the execution method of the CHM malware impersonating financial institutes and insurance companies. The diagram for the initial distribution is the very top portion of Figure 1 and is included in previously uploaded posts. When the CHM file (a Windows help file) is executed, it is opened through the hh process. A script in the CHM's internal HTML file then decompiles the CHM to generate a file, and the generated .jse file is in turn run through wscript.

This method is the same as the first variant shown in the middle diagram in Figure 1. The difference between the initially distributed form and the first variant is in the .jse file.

Figure 2. Distributed jse script
Figure 3. Variant of the distributed jse script

Figure 2 shows the content of the initially distributed .jse script and Figure 3 shows the script in the first variant. The initially distributed script ran a PowerShell command through CMD for download and execution, which was covered in previous blog posts. The script in the first variant (see Figure 3) has the same process of adding the .jse file to the autorun registry for maintaining persistence, but the execution method differs based on whether the installation path of AhnLab products exists. In environments that have AhnLab products installed, the download occurs through the script and execution occurs later through the autorun registry. In environments without AhnLab products, execution occurs immediately after the download. The difference between the top and middle portions of the diagram in Figure 1 therefore stems from the difference between the scripts in Figures 2 and 3.
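The two execution chains described above (hh → wscript running a .jse, the .jse then reaching PowerShell through CMD, and a Run key pointing at the .jse for persistence) can be expressed as simple rules over endpoint telemetry. The following is an added illustration, not ASEC's own EDR logic: it runs three such rules over constructed, Sysmon-style process-creation and registry-set events. The event field names (`type`, `pid`, `ppid`, `image`, `cmd`, `key`, `data`), the file paths and the rule names are all assumptions made for the example.

```python
"""Toy detection rules for the CHM -> .jse -> wscript execution chain.

Added example over constructed telemetry; not ASEC's EDR implementation.
Event shape is loosely modelled on Sysmon: type 1 = process creation,
type 13 = registry value set. All paths and names below are made up.
"""
import json
import ntpath

# Constructed sample telemetry, one JSON object per line.
SAMPLE_EVENTS = r"""
{"type": 1, "pid": 100, "ppid": 10, "image": "C:\\Windows\\explorer.exe", "cmd": "explorer.exe"}
{"type": 1, "pid": 200, "ppid": 100, "image": "C:\\Windows\\hh.exe", "cmd": "hh.exe C:\\Users\\u\\Downloads\\insurance_notice.chm"}
{"type": 1, "pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\wscript.exe", "cmd": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\update.jse"}
{"type": 13, "pid": 300, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update", "data": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\update.jse"}
{"type": 1, "pid": 400, "ppid": 300, "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "cmd /c powershell -w hidden -c ..."}
{"type": 1, "pid": 500, "ppid": 400, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell -w hidden -c ..."}
{"type": 1, "pid": 600, "ppid": 100, "image": "C:\\Windows\\hh.exe", "cmd": "hh.exe C:\\Program Files\\App\\help.chm"}
{"type": 13, "pid": 700, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "data": "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"}
"""

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def parse_events(text):
    """Parse newline-delimited JSON events into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def lineage(procs, pid):
    """Image basenames from the given process up to the root, child first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    """Return (pid, rule) tuples for events matching the CHM chain rules."""
    procs = {e["pid"]: e for e in events if e["type"] == 1}
    alerts = []
    for e in events:
        if e["type"] == 1:
            name = basename(e["image"])
            ancestors = lineage(procs, e["pid"])[1:]
            # Rule 1: the CHM viewer (hh.exe) is an ancestor of a script host
            # that was handed a .jse file.
            if name in SCRIPT_HOSTS and ".jse" in e["cmd"].lower() and "hh.exe" in ancestors:
                alerts.append((e["pid"], "chm_spawns_jse_script"))
            # Rule 2: PowerShell reached through CMD from a script host that
            # itself descends from hh.exe (the initially distributed variant).
            if (name == "powershell.exe" and "cmd.exe" in ancestors
                    and any(h in ancestors for h in SCRIPT_HOSTS) and "hh.exe" in ancestors):
                alerts.append((e["pid"], "chm_jse_cmd_powershell_chain"))
        elif e["type"] == 13:
            # Rule 3: a Run key value pointing at a .jse file (autorun persistence).
            if "\\currentversion\\run\\" in e["key"].lower() and ".jse" in e["data"].lower():
                alerts.append((e["pid"], "run_key_persistence_jse"))
    return alerts


if __name__ == "__main__":
    for pid, rule in detect(parse_events(SAMPLE_EVENTS)):
        print(f"pid={pid} rule={rule}")
```

Rule 3 is what catches the first variant when AhnLab products are present, since in that case nothing beyond the download runs at infection time and execution only happens later through the Run key; a benign hh.exe launch of a legitimate help file (pid 600 in the sample) and an ordinary Run entry (pid 700) produce no alert.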

The diagram at the very bottom of Figure 1 is the second variant. In this case, the CHM malware directly drops and executes the malware payload. The executed malware strain is developed in .NET and has a structure similar to the initially distributed file, but instead of focusing on exfiltrating information, it establishes a reverse connection and functions as a backdoor.

Malware strains that target specific users in Korea may include content on topics of interest to the target to encourage execution, so users should refrain from opening emails from unknown sources and should not open their attachments. Users should also regularly scan their PCs and update their security products to the latest engine.

[Behavior Detection]
InitialAccess/MDP.Event.4363
InitialAccess/MDP.CHM.M10720
Execution/EDR.Malware.M10459
Execution/EDR.Scripting.M11204
Persistence/EDR.Event.M11205
Connection/EDR.Behavior.M2650
Persistence/MDP.Event.M4697
Execution/MDP.Cmd.M4698

[File Detection]
Infostealer/Win.Generic.R5505251906 (2023.07.18.02)
Dropper/CHM.Generic (2023.07.20.00)
Backdoor/Win.Generic.C5464647 (2023.08.02.03)
Downloader/JS.Obfus (2023.07.28.00)
Trojan/HTML.RUNNER.S2326 (2023.08.02.02)

[IOC]
056932151e3cc526ebf4ef5cf86ae0b4
258472c79fc3b9360ad560e26350b756
8d39335e67e797ad66c3953c3d6203ce
790c5f50942a502252a00b9878db9496
7c949f375c56e7de7a3c4f0a9a19c4e5
https[:]//atusay.lat/kxydo
https[:]//zienk.sbs/kjntf

AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.


Article Link: Changes Detected in CHM Malware Distribution - ASEC BLOG