RedEyes (ScarCruft)’s CHM Malware Using the Topic of Fukushima Wastewater Release – ASEC BLOG

MITRE Techniques

• [T1059.001] PowerShell – The decoded PowerShell command is a backdoor responsible for registering the RUN key to establish persistence, receiving commands from the threat actor’s server, and transmitting the command execution results. It receives commands from the threat actor’s server, and according to the commands, can perform various malicious behaviors such as uploading/downloading files, transmitting information on specific files, and editing the registry.
• [T1218.005] Signed Binary Proxy Execution: Mshta – The mshta command used to be executed directly by the CHM file (hh.exe), but the recently distributed file registers the command to the RUN key enabling it to be run when the system reboots.
• [T1547.001] Registry Run Keys/Startup Folder – RUN key registration enables persistence; Registry path and command show the mechanism that keeps the malware active after reboot.
• [T1071.001] Web Protocols – The C2 channel uses HTTP endpoints to receive commands and transmit results (e.g., hxxp://navercorp[.]ru/dashboard/image/202302/com.php?U=[Computer name]-[User name] // Receive the threat actor’s command).
• [T1074.001] Data Staged – Saves the list of files and their properties (name, size, last modified time) to CSV, transmits this file to the C2 server, then deletes it locally.
• [T1560.001] Archive Collected Data – Compresses folders in a certain path, transmits them to the C2 server, then deletes them from the local system.
• [T1112] Modify Registry – Edits the registry via the regedit command.
• [T1053.005] Scheduled Task – Adds a Task Scheduler entry to run at 10-minute intervals.
• [T1041] Exfiltration Over C2 Channel – The malware can upload/download files and transmit information to the C2 server.
• [T1140] Deobfuscate/Decode Files or Information – The payload contains an encoded PowerShell command invoked through a JavaScript in the fetched URL.