CHM Malware Disguised as North Korea-related Questionnaire (Kimsuky) – ASEC BLOG

AhnLab Security Emergency response Center (ASEC) has recently discovered a CHM malware which is assumed to have been created by the Kimsuky group. This malware type is the same as the one covered in the following ASEC blog posts and the analysis report on the malware distributed by the Kimsuky group, its goal being the exfiltration of user information.

The CHM file has been compressed and is being distributed as an email attachment. The first email that is sent pretends to be an interview request about matters related to North Korea. If the email recipient accepts the interview, then a password-protected compressed file is sent as an attachment. Not only is this email pretending to be a North Korea-related interview identical to the one previously analyzed, but it also follows the same format of sending the malicious file only when a recipient replies to the email.

Figure 1. Distributed email

Figure 2. Original email

Figure 3. Inside the compressed file

When the InterviewQuestionnaire(***).chm file is executed, a help document with actual questions appears as shown below, making it difficult for users to realize that the file is malicious.

Figure 4. CHM disguised as a questionnaire

The CHM holds a malicious script, and, like the CHM malware covered before, it uses a shortcut object (ShortCut). The shortcut object is called through the Click method and the command in Item1 is executed. The command executed through ‘InterviewQuestionnaire(***).chm’ is as follows.

  • Executed Command
    cmd, /c echo [Encoded Command] > “%USERPROFILE%LinksDocument.dat & start /MIN certutil -decode “%USERPROFILE%LinksDocument.dat” “%USERPROFILE%LinksDocument.vbs” & start /MIN REG ADD HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun /v Document /t REG_SZ /d “%USERPROFILE%LinksDocument.vbs” /f’

Figure 5. Malicious Script within CHM

Thus, the encoded command is saved to %USERPROFILE%LinksDocument.dat when the CHM is executed. The command that has been decoded by Certutil is saved to %USERPROFILE%LinksDocument.vbs. The threat actor also registered Document.vbs to the Run key (HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun) to ensure the malicious script would run persistently. Ultimately, Document.vbs executes the PowerShell script in hxxp://mpevalr.ria[.]monster/SmtInfo/demo.txt.

Figure 6. (Top) A portion of Document.vbs’s code / (Bottom) A portion of the vbs code uncovered in a past report

The URL that Document.vbs connects to is currently unavailable, but a script assumed to have been downloaded from this address has been found. The confirmed script file is responsible for intercepting a user’s key inputs before saving them in a certain file and sending that file to the threat actor. In addition to reading the caption of the currently running ForegroundWindow and keylogging, it periodically checks the clipboard contents and saves them to the %APPDATA%MicrosoftWindowsTemplatesPages_Elements.xml file. Afterward, it sends this file to hxxp://mpevalr.ria[.]monster/SmtInfo/show.php.

Figure 7. (Top) A portion of demo.txt / (Bottom) A portion of the PowerShell script code from a past report

As can be seen from Figure 6 and Figure 7, Document.vbs (VBS script file) and demo.txt (PowerShell script file) have the same format as the malware that was analyzed in the ‘Analysis Report on Malware Distributed by the Kimsuky Group’ published on ATIP last year. With this in mind, users should take extreme caution as the Kimsuky group appears to be distributing phishing emails with malware strains in various forms like Word files and CHM.

[File Detection]
Dropper/CHM.Generic (2023.03.07.00)
Data/BIN.Encoded (2023.03.07.00)
Downloader/VBS.Agent.SC186747 (2023.03.07.00)
Trojan/PowerShell.Agent.SC186246 (2023.02.09.00)

[Behavior Detection]
Execution/MDP.Cmd.M4230

[IOC]
MD5
726af41024d06df195784ae88f2849e4 (chm)
0f41d386e30e9f5ae5be4a707823fd78 (dat)
89c0e93813d3549efe7274a0b9597f6f (vbs)
9f560c90b7ba6f02233094ed03d9272e

C2
hxxp://mpevalr.ria[.]monster/SmtInfo/demo.txt
hxxp://mpevalr.ria[.]monster/SmtInfo/show.php

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Source: https://asec.ahnlab.com/en/49295/