CHM Malware in Korea: User Information Theft and Distribution

AhnLab SEcurity intelligence Center (ASEC) has recently discovered a CHM malware strain that steals user information being distributed to Korean users. This CHM belongs to a family that has been distributed continuously in the past in various formats such as LNK, DOC, and OneNote. A slight change to the operation process was observed in the recent samples.

The overall execution flow is shown in Figure 1. The malware is a type that uses multiple scripts to ultimately send user information and keylog data to the threat actor. Each execution step is explained below.

Figure 1. Overall diagram

1. CHM

Figure 2. The help screen created upon running the CHM file

A help file is displayed when the CHM file is executed (see Figure 2). The file appears to show the same messages used in previous cases. The malicious script within the file is executed simultaneously at this stage, creating and executing a file at the path “%USERPROFILE%\Links\Link.ini”.

2. Link.ini

Figure 3. Link.ini code

The Link.ini file is a script file that connects to a certain URL and executes an additional script. The URL format was “list.php?query=1” in previous cases, but it was changed to “bootservice.php?query=1” for this file.

3. bootservice.php?query=1 (Fileless)

Figure 4. bootservice.php?query=1 code
Figure 5. A part of the decoded code

The URL contains a malicious script encoded in Base64. The decoded script is the same as the script identified in <Analysis Report on Malware Distributed by the Kimsuky Group>. Its malicious features include exfiltrating user information, creating a malicious script file, and registering as a service.

System Information
    System owner name
    Computer manufacturer name
    Product name
    System type
    OS version and build number
    Available memory size
    Current processor speed
List of Files in the Folder
    C:\Users\[User]\Desktop
    C:\Users\[User]\Documents
    C:\Users\[User]\Favorites
    C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Recent
    C:\Program Files
    C:\Program Files (x86)
    C:\Users\[User]\Downloads
Information on Currently Running Processes
    Executed file name
    Process ID
    Session ID
Anti-malware Information (Code Only, Not Executed)
    Product name
    Supplier path
    Unique identifier
    Status information
Table 1. Exfiltrated information

The malicious script is saved and executed at the path “%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\OfficeUpdater_[minute]_[hour]_[day and month].ini”, registered as a service, and scheduled to run automatically at 60-minute intervals.

4. OfficeUpdater_[minute]_[hour]_[day and month].ini

Figure 6. OfficeUpdater_[minute]_[hour]_[day and month].ini code

This file is registered as a service and runs periodically. It connects to a certain URL and executes an additional script. Similar to step 2, the URL format was “list.php?query=6” but changed to “bootservice.php?query=6”.

5. bootservice.php?query=6 (Fileless)

Figure 7. bootservice.php?query=6 code
Figure 8. Decoded code

Similar to step 3, this URL has a malicious script encoded in Base64. The decoded script uses a PowerShell command to connect to a certain URL and execute an additional script. The “InfoKey” and encoded URL information are transmitted as parameters during this step.

6. loggerservice.php?idx=5 (Fileless)

Figure 9. loggerservice.php?idx=5 code (1)
Figure 10. loggerservice.php?idx=5 code (2)

The URL hosts a PowerShell script that decodes and executes an encoded secure string. In previous cases, this step used comparatively simple obfuscation methods such as decompression or Base64, but the threat actor appears to have switched to a more complex obfuscation method to evade detection.

Figure 11. A part of the decoded code

The decoded script performs keylogging. It saves the keylogs and clipboard data to the path “%APPDATA%\Microsoft\Windows\Templates\Office_Config.xml” and sends the data to the threat actor. The file is deleted after it is sent.
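The six stages above leave a recognizable trail of file paths and URL patterns on the host and at the proxy. As an added example that is not part of the original report, the following Python script matches those artifacts against constructed host file-creation and proxy log lines; the log format, the user name and the “[placeholder-host]” C2 host are assumptions, while the path and URL patterns come from the stages described above.

```python
import re

# Constructed sample log lines (not from the report): one file-creation or
# HTTP event per line as a host sensor or a web proxy might record them.
SAMPLE_LOG = """\
2024-04-25T09:00:01 FILE_CREATE C:\\Users\\alice\\Links\\Link.ini
2024-04-25T09:00:02 HTTP_GET http://[placeholder-host]/bootservice.php?query=1
2024-04-25T09:00:05 FILE_CREATE C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\OfficeUpdater_00_09_2504.ini
2024-04-25T10:00:05 HTTP_GET http://[placeholder-host]/bootservice.php?query=6
2024-04-25T10:00:06 HTTP_GET http://[placeholder-host]/loggerservice.php?idx=5
2024-04-25T10:00:09 FILE_CREATE C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Office_Config.xml
2024-04-25T10:01:00 HTTP_GET http://example.org/index.html
2024-04-25T10:02:00 FILE_CREATE C:\\Users\\alice\\Documents\\notes.txt
"""

# (stage label, pattern). Path rules are case-insensitive because Windows
# paths are; the URL rules also cover the older list.php?query=N form.
RULES = [
    ("stage2_link_ini", re.compile(r"\\Links\\Link\.ini$", re.I)),
    ("stage3_or_5_bootservice", re.compile(r"/(?:list|bootservice)\.php\?query=\d+")),
    ("stage4_officeupdater_ini",
     re.compile(r"\\Temporary Internet Files\\OfficeUpdater_\d+_\d+_\d+\.ini$", re.I)),
    ("stage6_loggerservice", re.compile(r"/loggerservice\.php\?idx=\d+")),
    ("stage6_keylog_file", re.compile(r"\\Templates\\Office_Config\.xml$", re.I)),
]

def classify(artifact):
    """Return the stage label whose pattern matches a path or URL, or None."""
    for label, pattern in RULES:
        if pattern.search(artifact):
            return label
    return None

def scan(text):
    """Return (timestamp, label, artifact) for every log line that matches a rule."""
    hits = []
    for line in text.splitlines():
        ts, _event, artifact = line.split(" ", 2)  # artifact may contain spaces
        label = classify(artifact)
        if label:
            hits.append((ts, label, artifact))
    return hits

def stages_seen(hits):
    """Distinct stage labels observed, useful for judging how far the chain got."""
    return sorted({label for _ts, label, _artifact in hits})

if __name__ == "__main__":
    for ts, label, artifact in scan(SAMPLE_LOG):
        print(ts, label, artifact)
```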

Examining the execution process of the recently discovered CHM malware shows that it is very similar to the type described in past cases. The malware is believed to have been created by the same threat actor responsible for those cases, who likely employs various obfuscation methods to evade detection. As it is being distributed to Korean users, users must exercise particular caution and refrain from opening files from unknown sources.

[File Detection]
Dropper/CHM.Generic (2024.04.25.03)

[IOC]
b2c74dbf20824477c3e139b48833041b

The post CHM Malware Stealing User Information Being Distributed in Korea appeared first on ASEC BLOG.