Malicious CHM Being Distributed to Korean Universities

The ASEC analysis team discovered that a malicious CHM file targeting certain Korean universities is being distributed on a massive scale. The file is the same type as the one discussed in a post uploaded in May.

Backdoor (*.chm) Disguised as Document Editing Software and Messenger Application

Figure 1 shows the code of the HTM file inside the malicious CHM. The file appears to be distributed under the name “2022_Improving fundamental science research capability_commencement announcement_hosting_plan Ver1.1.chm”. When a user runs the malicious CHM file, the HTM file’s code is executed. The script decompiles the CHM file through hh.exe and runs LBTWiz32.exe. It then displays a normal image file (KBSI_SNS_003.jpg) on the screen, making it difficult for users to notice the malicious behavior.

Figure 1. Internal HTM code

The LBTWiz32.exe that is run is a normal program. However, the malicious DLL (LBTServ.dll) created in the same path is loaded through DLL hijacking and starts operating. The malicious DLL creates and executes a malicious VBE file (ReVBShell) in the %TEMP% folder. Figures 2 to 4 show parts of the decoded VBE code.

Figure 2. Checking anti-malware products (1)

Figure 3. Checking anti-malware products (2)

Figure 4. Connecting to C2

As with the type covered in the earlier post, ReVBShell does not perform malicious behaviors if “ESET Security” products are installed on the system. Otherwise, ReVBShell attempts to connect to the C2. Once connected to the C2, it can perform the following functions:

  • VBE Features
    Obtaining OS information ("SELECT * FROM Win32_OperatingSystem")
    Obtaining network adapter information ("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE MACAddress > ''")
    Obtaining computer name and domain information
    Obtaining information on current processes ("SELECT * FROM Win32_Process")
    Downloading and running files
    WGET features
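The chain described above (hh.exe decompiling the CHM, LBTWiz32.exe starting, a VBE file run from %TEMP%) leaves process-creation traces that a defender can match. The following is an added example, not part of the original ASEC post: the event layout, PIDs, directories and the use of wscript.exe/cscript.exe as the VBE interpreter are assumptions, and `-decompile` is the standard hh.exe switch rather than a detail quoted from the sample.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style). PIDs, user
# name and directories are made up; only the file names come from the write-up.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 10, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\hh.exe",
     "cmd": r'hh.exe "C:\Users\demo\Downloads\plan.chm"'},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\hh.exe",
     "cmd": r"hh.exe -decompile C:\Users\demo\work C:\Users\demo\Downloads\plan.chm"},
    {"pid": 220, "ppid": 200, "image": r"C:\Users\demo\work\LBTWiz32.exe",
     "cmd": r"C:\Users\demo\work\LBTWiz32.exe"},
    {"pid": 230, "ppid": 220, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\demo\AppData\Local\Temp\sample.vbe"'},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\hh.exe",
     "cmd": r'hh.exe "C:\Program Files\App\manual.chm"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # assumed interpreters for the VBE
DECOMPILE = re.compile(r"(?i)(^|\s)-decompile(\s|$)")
VBE_IN_TEMP = re.compile(r'(?i)\\temp\\[^"\\]*\.vbe\b')

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def has_hh_ancestor(event, by_pid):
    """Walk the parent chain; True if any ancestor is the HTML Help viewer."""
    seen, parent = set(), by_pid.get(event["ppid"])
    while parent and parent["pid"] not in seen:
        if basename(parent["image"]) == "hh.exe":
            return True
        seen.add(parent["pid"])
        parent = by_pid.get(parent["ppid"])
    return False

def detect(events):
    """Return (pid, rule) pairs for each stage of the CHM chain that is visible."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        if name == "hh.exe" and DECOMPILE.search(e["cmd"]):
            alerts.append((e["pid"], "hh_decompile"))
        if name != "hh.exe" and has_hh_ancestor(e, by_pid):
            alerts.append((e["pid"], "spawned_under_hh"))
        if name in SCRIPT_HOSTS and VBE_IN_TEMP.search(e["cmd"]):
            alerts.append((e["pid"], "vbe_from_temp"))
    return alerts
```

Opening an ordinary help file (PID 300 in the sample) raises nothing; the rules fire only on the decompile call, on non-help processes descending from hh.exe, and on a script host running a .vbe from a Temp directory.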

Recently, there have been multiple cases of malware being distributed using CHM files in Korea. As these attacks target specific organizations, users in the relevant fields should take extra caution and refrain from running files from unknown sources. AhnLab’s anti-malware product, V3, detects and blocks the malware using the aliases below.

[File Detection]
Trojan/Win.ReverseShell.R506553 (2022.07.26.00)
Trojan/HTML.Generic (2022.07.26.00)
Trojan/VBS.Generic (2022.07.26.00)



The post Malicious CHM Being Distributed to Korean Universities appeared first on ASEC BLOG.
