CHM Impersonates Korean Financial Institutes and Insurance Companies

In March, AhnLab Security Emergency response Center (ASEC) covered a CHM-type malware impersonating security emails from financial institutes. This post will cover the recently identified distribution of CHM-type malware using a similar method of impersonating Korean financial institutes and insurance companies.

CHM Malware Disguised as Security Email from a Korean Financial Company: Redeyes (Scarcruft)

The CHM file is delivered inside a compressed (RAR) archive. When executed, it displays help screens disguised as notices from Korean financial institutes and insurance companies, on topics such as “credit card limit,” “results of insurance fee withdrawal,” and “banking contract.”

The malicious script executed at this point is shown below. It differs in some respects from the scripts in previously identified CHM files: the Object tag and its command are not written directly into the page, but are assembled as a string and inserted into an element with a specific id through the innerHTML property before being executed. The use of a shortcut object (ShortCut) and the click method is the same as in past cases.

A total of two commands are executed through this script. First, the CHM file is decompiled into the “C:\Users\Public\Libraries” path, which extracts and creates the file “Docs.jse”. That file is then executed through wscript.

  • Command 1: hh,-decompile C:\Users\Public\Libraries [CHM execution path]
  • Command 2: wscript,C:\Users\Public\Libraries\Docs.jse P

The file “Docs.jse” is an encoded JScript (.jse) file. Its decoded code is shown below. Within this code, the strings actually used for malicious activities are themselves encoded; the threat actor appears to have concealed these strings to evade file-based detection.

The script ultimately adds “Docs.jse” to the Run key to maintain persistence. Afterward, a PowerShell command is used to attempt to download additional malicious files. The additional file is saved to the path “%tmp%\alg.exe”, but the download URLs are currently unavailable.

  • Download URL
    hxxps://ppangz[.]mom/mjifi
    hxxps://atusay[.]lat/kxydo
    hxxps://labimy[.]ink/rskme
    hxxps://crilts[.]cfd/cdeeb
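As an added example (not code from the ASEC post), the following Python shows how an analyst could flag each stage of the chain described above in endpoint telemetry: hh.exe decompiling a CHM into a user-writable folder, the CHM viewer launching wscript on the dropped Docs.jse, the Run-key entry, and wscript spawning PowerShell. The event shape, file paths, SID and Run value name are assumptions, and the sample events are constructed.

```python
import re

# Constructed sample telemetry (not from the ASEC post): Sysmon-style process-creation (id 1)
# and registry-set (id 13) events for one chain modelled on the commands the post describes,
# plus a benign CHM open. Paths, the SID and the Run value name are made up.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\hh.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r"C:\Windows\hh.exe C:\Users\user\Downloads\insurance_notice.chm"},
    {"id": 1, "image": r"C:\Windows\hh.exe", "parent": r"C:\Windows\hh.exe",
     "cmd": r"hh -decompile C:\Users\Public\Libraries C:\Users\user\Downloads\insurance_notice.chm"},
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\hh.exe",
     "cmd": r"wscript C:\Users\Public\Libraries\Docs.jse P"},
    {"id": 13, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Docs",
     "details": r"wscript C:\Users\Public\Libraries\Docs.jse P"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe", "cmd": "powershell -w hidden -c <download command omitted>"},
    {"id": 1, "image": r"C:\Windows\hh.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r"C:\Windows\hh.exe C:\Program Files\Vendor\help.chm"},  # benign help file
]

# Folders an unprivileged user can write to, where the post's chain drops its files.
USER_WRITABLE = re.compile(r"\\Users\\Public\\|\\AppData\\Local\\Temp\\", re.I)
SCRIPT_EXT = re.compile(r"\.(jse|js|vbs|vbe|wsf)(\s|$)", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

def image_name(path):
    """Lower-cased file name of an image path, for comparisons."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, event_index) pairs for events matching a stage of the chain."""
    hits = []
    for i, ev in enumerate(events):
        img = image_name(ev["image"])
        if ev["id"] == 1:
            cmd, parent = ev["cmd"], image_name(ev["parent"])
            # Stage 1: hh.exe asked to -decompile a CHM into a user-writable folder.
            if img == "hh.exe" and "-decompile" in cmd.lower() and USER_WRITABLE.search(cmd):
                hits.append(("chm_decompile_to_writable_dir", i))
            # Stage 2: a script host launched by the CHM viewer, or on a script in a drop folder.
            if img in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd) and (parent == "hh.exe" or USER_WRITABLE.search(cmd)):
                hits.append(("script_host_from_chm", i))
            # Stage 4: the script host spawning PowerShell, the downloader stage.
            if img == "powershell.exe" and parent in SCRIPT_HOSTS:
                hits.append(("wscript_spawns_powershell", i))
        elif ev["id"] == 13 and re.search(r"\\CurrentVersion\\Run\\", ev["target"], re.I) and SCRIPT_EXT.search(ev["details"]):
            # Stage 3: a Run-key value pointing at a script file (persistence).
            hits.append(("run_key_script_persistence", i))
    return hits
```

Each rule fires on its own, so a single hit on a normal help file is weak evidence, while stages 1 to 4 appearing in sequence under one hh.exe ancestor is the pattern worth alerting on.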

A system can suffer great damage from this type of malware, since the additionally downloaded files can perform various malicious acts such as exfiltrating information. In particular, malware that targets specific users in Korea may use content on topics of interest to those users to encourage them to run it, so users should refrain from opening emails from unknown sources and should not execute their attachments. Users should also regularly scan their PCs and update their security products to the latest engine.

[File Detection]
Dropper/CHM.Generic (2023.07.20.00)

[Behavior Detection]
Execution/EDR.Malware.M10459
Execution/EDR.Scripting.M11204
Persistence/EDR.Event.M11205
Connection/EDR.Behavior.M2650
Persistence/MDP.Event.M4697
Execution/MDP.Cmd.M4698

[IOC]

The post CHM Impersonates Korean Financial Institutes and Insurance Companies appeared first on ASEC BLOG.