A CHM malware strain suspected of stealing user information is being distributed to Korean users, employing a multi-stage chain from CHM to additional scripts and PowerShell to exfiltrate data and log keystrokes. The operation persists via service and scheduled-task techniques, uses Base64 encoding to obfuscate payloads, and shows ties to the Kimsuky threat actor and past CHM distribution patterns in Korea. #CHM #Kimsuky #AhnLab #PowerShell #Keylogging #SystemInformationDiscovery
Keypoints
- The CHM malware is designed to steal user information and send it to the threat actor, distributed to Korean users.
- The campaign uses a multi-stage chain: CHM triggering a Link.ini, which loads bootservice.php and decoded scripts.
- Scripts are delivered in encoded form (Base64) and decoded client-side, then executed to enable exfiltration and persistence.
- The malware registers as a Windows service and is scheduled to run at 60-minute intervals for ongoing operation.
- Keylogging and clipboard data capture occur, with data saved to a local file and then sent to the threat actor before deletion.
- The campaign shows strong reuse of past Kimsuky activity and obfuscation techniques to evade detection.
- Users should exercise caution with CHM, LNK, DOC, and OneNote attachments, especially from unknown sources.
MITRE Techniques
- [T1027] Obfuscated Files or Information – The URL contains a malicious script encoded in Base64. ‘The URL contains a malicious script encoded in Base64.’
- [T1059.001] PowerShell – The decoded script uses a PowerShell command to connect to a certain URL and execute an additional script. ‘The decoded script uses a PowerShell command to connect to a certain URL and execute an additional script.’
- [T1105] Ingress Tool Transfer – The Link.ini file is a script file that connects to a certain URL and executes an additional script. ‘The Link.ini file is a script file that connects to a certain URL and executes an additional script.’
- [T1543.003] Create or Modify System Process: Windows Service – The malicious components are registered as a service and run on a schedule. ‘registered as a service and scheduled to automatically run at 60-minute intervals.’
- [T1053.005] Scheduled Task – The malware is configured to execute periodically via scheduling. ‘scheduled to automatically run at 60-minute intervals.’
- [T1056.001] Input Capture: Keylogging – The decoded script performs keylogging. ‘The decoded script performs keylogging. It saves the keylogs and clipboard data in the path …Office_Config.xml and sends the data to the threat actor.’
- [T1115] Clipboard Data – The decoded script saves clipboard data in a local file and transmits it. ‘It saves the keylogs and clipboard data … and sends the data to the threat actor.’
- [T1082] System Information Discovery – The malware collects extensive system information (owner name, manufacturer, OS, memory, CPU, etc.). ‘Table 1. Exfiltrated information’ and the related system info fields listed in the article.
- [T1083] File and Directory Discovery – The operation enumerates files and directories (e.g., C:\Users\[User]\Desktop, Documents, etc.). ‘List of Files in the Folder’ with sample directories.
Indicators of Compromise
- [Hash] MD5 – b2c74dbf20824477c3e139b48833041b
- [URL] Access points for payload/script delivery – bootservice.php?query=1, list.php?query=1, bootservice.php?query=6, list.php?query=6
- [File Path] CHM-related dropper/injected script – %USERPROFILE%\Links\Link.ini, %USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\OfficeUpdater_[minute]_[hour]_[day and month].ini, %APPDATA%\Microsoft\Windows\Templates\Office_Config.xml
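Host triage for the indicators above, as an added example (this is not code from AhnLab/ASEC or from the report). It checks the three reported file paths and the MD5, looks inside any hit for the reported stage URL fragments both in plain text and after decoding long Base64 runs, and then enumerates scheduled tasks and services for the persistence described in the report. Two points are assumptions rather than facts from the report: that the 60-minute schedule appears as a task repetition interval of PT60M or PT1H, and that no task or service names are known, so matching is done on paths, hash, and URL fragments only.

```powershell
# Added triage script for the CHM -> Link.ini -> PowerShell chain described above.
# Not AhnLab/ASEC code. Run in an elevated PowerShell 5.1+ console.
# Assumptions (not from the report): hourly persistence shows as PT60M/PT1H in a
# task trigger; task/service names are unknown, so we match on paths, hash, URLs.

$ErrorActionPreference = 'SilentlyContinue'

$iocMd5    = 'b2c74dbf20824477c3e139b48833041b'                       # MD5 from the report
$urlRegex  = 'bootservice\.php\?query=[16]|list\.php\?query=[16]'     # URL fragments from the report
$pathRegex = 'Links\\Link\.ini|OfficeUpdater_\d+_\d+_\d+\.ini|Office_Config\.xml'

# Reported file paths. OfficeUpdater_* carries a timestamp in its name, so it is wildcarded.
# Note: the report says Office_Config.xml is deleted after exfiltration, so its absence proves nothing.
$iocPaths = @(
    (Join-Path $env:USERPROFILE 'Links\Link.ini'),
    (Join-Path $env:USERPROFILE 'AppData\Local\Microsoft\Windows\Temporary Internet Files\OfficeUpdater_*.ini'),
    (Join-Path $env:APPDATA 'Microsoft\Windows\Templates\Office_Config.xml')
)

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# Decode long Base64 runs as UTF-8 and as UTF-16LE (what -EncodedCommand expects),
# so a stage URL hidden inside an encoded script still matches $urlRegex.
function Get-DecodedBase64Strings([string]$Text) {
    foreach ($m in [regex]::Matches($Text, '[A-Za-z0-9+/]{40,}={0,2}')) {
        try { $bytes = [Convert]::FromBase64String($m.Value) } catch { continue }
        [Text.Encoding]::UTF8.GetString($bytes)
        [Text.Encoding]::Unicode.GetString($bytes)
    }
}

# 1. Dropped scripts and the keylog/clipboard staging file
foreach ($pattern in $iocPaths) {
    foreach ($f in Get-ChildItem -Path $pattern -Force -File) {
        $md5 = (Get-FileHash -Path $f.FullName -Algorithm MD5).Hash.ToLower()
        $tag = if ($md5 -eq $iocMd5) { 'KNOWN-BAD-HASH' } else { 'path-match' }
        Add-Finding 'File' $f.FullName "$tag md5=$md5 size=$($f.Length) mtime=$($f.LastWriteTime)"
        $content = Get-Content -Path $f.FullName -Raw
        $blob = @($content) + @(Get-DecodedBase64Strings $content)
        if (($blob -join "`n") -match $urlRegex) {
            Add-Finding 'File' $f.FullName 'references a reported stage URL (plain or Base64-decoded)'
        }
    }
}

# 2. Scheduled tasks: hourly repetition (a lead only; many benign tasks repeat hourly),
#    or an action that references a reported path or stage URL.
foreach ($task in Get-ScheduledTask) {
    $actions   = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    $intervals = @($task.Triggers | ForEach-Object { $_.Repetition.Interval } | Where-Object { $_ })
    $hourly    = ($intervals -contains 'PT60M') -or ($intervals -contains 'PT1H')
    if ($hourly -or $actions -match $pathRegex -or $actions -match $urlRegex) {
        Add-Finding 'ScheduledTask' ($task.TaskPath + $task.TaskName) "interval=$($intervals -join ',') action=$actions"
    }
}

# 3. Services: image path referencing a reported path or URL, or PowerShell run with an encoded command
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $cmd = [string]$svc.PathName
    if ($cmd -match $pathRegex -or $cmd -match $urlRegex -or $cmd -match '(?i)powershell.*\s-e(nc|ncodedcommand|c)?\s') {
        Add-Finding 'Service' "$($svc.Name) ($($svc.State))" "start=$($svc.StartMode) cmd=$cmd"
    }
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap } else { 'No indicators from the report found on this host.' }
```

Treat a file hit or a known-bad hash as a confirmed finding; treat an hourly task or an encoded PowerShell service on its own as a lead to review, since both patterns also occur in legitimate software. Because the report states the staging file is deleted after each upload, pair this check with a review of outbound connections to the listed PHP endpoints rather than relying on the file being present.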
Read more: https://asec.ahnlab.com/en/65245/