AhnLab Security Emergency response Center (ASEC) previously covered CHM-type malware strains impersonating security companies and financial institutes. This post will cover recently identified CHM strains impersonating Korean financial institutes and insurance companies as they were found being distributed to steal information. The distribution occurred on the 17th (Monday), when statements are regularly sent to users whose payment schedule to financial institutes falls on the 25th of each month. It is certainly possible for those who have the same schedule to make a misjudgment and execute the file. AhnLab’s EDR products record in detail the histories of the new malware strains being run due to users’ misconceptions. The damage details and exfiltrated files can also be identified.
https://asec.ahnlab.com/en/?p=55569&preview=true
This post will provide information on the distribution method and details of the CHM malware. It explains how AhnLab’s EDR product records the process from the malware strain being executed from CHM files to the exfiltration behavior of Infostealer.
Figure 1. EDR detection diagramFigure 1 shows the EDR detection diagram when the CHM-type malware was executed. The file hh.exe is a normal Windows program and is a process that executes Windows help files (*.CHM). The subsequent process execution relationship shows the relationship between CMD, a script and command interface process, and alg.exe, an Infostealer.
Figure 2. Detection of CHM decompilationFigure 2 shows the behavior detection of a CHM file being decompiled into the “C:\Users\Public\Libraries” path mentioned in the blog post above. You can see the command line used for decompilation.
Figure 3. Running the created scriptFigure 3 shows a command line that runs “Docs.jse”, the file created through decompilation, with wscript. The content is the same as the script covered in the past blog post.
Figure 4. Registering autorun, and downloading and executing additional malware strainsFigure 4 shows the detection of the malicious behaviors of the executed wscript. It adds a registry key for persistent infection. The name added to the registry and the data can be verified, and these details can be used to take measures against recurrent infection. The history of executing the command line interface cmd with a script after registering to autorun can be seen. Examining the executed command line shows that PowerShell is used to download the malware strain from the distribution site into the TEMP path and run with start.
Figure 5. Infostealer detection details
Figure 6. Malware decompilation detailsFigure 5 shows the EDR behavior detection screen for the downloaded Infostealer and Figure 6 shows the decompilation of this malware strain. It is comparatively small in size and exfiltrates data such as user PC, directory, and browser information. It also has a feature for sending the stolen data in a compressed file format. As shown in the AhnLab EDR product’s detection details (see Figure 5), the compressed file is created in the Public\Pictures path and includes the stolen data. The exfiltrated information is then transmitted to the threat actor’s server.
Beyond the information already discussed, AhnLab EDR provides additional details that aid in tracking stolen information and its destination. It also shows how the malware strain was executed. The method of distributing malware disguised as statements that are sent according to the payment schedule for financial institutes can lead users to make mistakes. AhnLab’s EDR products can be used to check for such threats that may cause harm through a single mistake, and the detection details can be used to form a response.
[Behavior Detection]
Execution/EDR.Malware.M10459
Execution/EDR.Scripting.M11204
Persistence/EDR.Event.M11205
Connection/EDR.Behavior.M2650
Persistence/MDP.Event.M4697
Execution/MDP.Cmd.M4698
[File Detection]
Infostealer/Win.Generic.R5505251906 (2023.07.18.02)
Dropper/CHM.Generic (2023.07.20.00)
[IOC]
aaeb059d62c448cbea4cf96f1bbf9efa
150e53a8c852ac5f23f47aceef452542
59a924bb5cb286420edebf8d30ee424b
0f27c6e760c2a530ee59d955c566f6da
bfe2a0504f7fb1326128763644c88d37
hxxps://tosals[.]ink/kxydo
hxxps://tosals[.]ink/uEH5J.html
hxxps://frotsy[.]lol/cvxxv
hxxps://drilts[.]sbs/zcwq
hxxps://sklims[.]lat/sbjcw
hxxps://skrids[.]cfd/elzal
hxxps://snexby[.]sbs/svbgt
hxxps://snivox[.]lat/craig
hxxps://sutezy[.]mom/nmjnq
hxxps://crilts[.]cfd/cdeeb
hxxps://akriqa[.]xyz/qcknq
hxxps://ppangz[.]mom/mjifi
hxxps://atusay[.]lat/kxydo
hxxps://labimy[.]ink/rskme
AhnLab EDR protects the endpoint environment by delivering behavioral detection, advanced analysis, holistic visibility, and proactive threat hunting. For more information about the product, please visit our official website.
The post Infostealer Distributed via CHM Files appeared first on ASEC BLOG.
Article Link: https://asec.ahnlab.com/en/55585/