ASEC tracked the Kimsuky group's distribution of malware through CHM (Compiled HTML Help) files in May, using a variety of lure topics to deceive targets. The CHM opens a normal-looking help window while its embedded script runs through a shortcut object, downloads additional components, registers for persistence, and exfiltrates user data to a C2 server; lure topics range from cryptocurrency to tax and contracts. #Kimsuky #CHM
Keypoints
- CHM-based distribution was prominent in May, with topics ranging from cryptocurrency to tax and contracts.
- File names used in distribution included examples like “(Coinone)Client Transaction Confirmation.chm” and “202305050017 Order Sheet (1).chm.”
- The CHM payload shows a disguised help window and executes malicious scripts hidden inside.
- Malicious actions are performed through a shortcut object whose Click method is invoked from the help page; the commands are stored encoded and are decoded with certutil during execution.
- Persistence is achieved by registering the VBS runner in a Run key; the runner then downloads additional payloads (a BAT file and a CAB file).
- The operation collects user information (desktop file listing, IP address, system information), sends it together with the PC name to a C2 URL, and then downloads further scripts named per target (the download URL embeds %COMPUTERNAME%).
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – CHM attachments used for distribution. “The CHM malware in distribution generates a normal help window upon execution and performs malicious behaviors through the malicious script inside.”
- [T1027] Obfuscated Files or Information (the decode step also maps to [T1140] Deobfuscate/Decode Files or Information) – Commands are stored encoded and decoded via certutil. "start /MIN certutil -decode "%USERPROFILE%\Links\oeirituttvv.dat" "%USERPROFILE%\Links\oeirituttvv.vbs""
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The attacker runs commands via the command line. "cmd, /c start /MIN REG ADD HKCU\SO…"
- [T1059.005] VBScript – VBScript/CScript-based execution flows. “oeirituttbb.vbs is a runner that runs the oeirituttvv.bat file created with it.”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence via a Run key. "Registers oeirituttbb.vbs to the RUN key to enable it to run continuously."
- [T1105] Ingress Tool Transfer – Download of additional malicious files. “Two files are downloaded: a BAT file and a CAB file.”
- [T1082] System Information Discovery – Collecting system information for exfiltration. "Collects user information" (Table 3 lists data such as desktop files, IP address, system information).
- [T1005] Data from Local System – Collection of local data into staging files (cudk.txt, ipif.txt, stif.txt). "Exfiltrated information" (Table 3).
- [T1041] Exfiltration Over C2 Channel – Data sent to C2 URL. “sends the collected information along with the PC name to ‘hxxp://vndjgheruewy1[.]com/uun06/uwpp.php’.”
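The execution chain described in the keypoints and in the MITRE mapping above (hh.exe, the CHM viewer, spawning a script host; certutil -decode turning a dropped .dat into a .vbs; REG ADD pointing a Run key at that script) can be turned into detection logic. The following is an added example, not code from ASEC or from the malware: it runs three process-creation rules over constructed Sysmon-style records (the field names, timestamps, the full Run key path and the value name are assumptions) and flags a host where all three stages fire within a short window. A small helper reproduces what certutil -decode does to a dropped .dat so that the decoded VBS can be triaged offline; the sample blob is constructed.

```python
"""Added example: detection for the CHM -> certutil -decode -> Run key chain.
Not ASEC's code; all events and field names below are constructed/assumed."""
import base64
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    ts: int          # seconds since epoch; constructed values
    parent: str      # ParentImage (assumed Sysmon field name)
    image: str       # Image
    cmdline: str     # CommandLine


SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
RE_CERTUTIL_DECODE = re.compile(r"\bcertutil(?:\.exe)?\b.*\s-(?:decode|urlcache)\b", re.IGNORECASE)
RE_REG_ADD_RUN = re.compile(r"\breg(?:\.exe)?\s+add\s+.*currentversion\\run\b", re.IGNORECASE)
RE_SCRIPT_IN_VALUE = re.compile(r'/d\s+"?[^"]*\.(?:vbs|bat|js|cmd)\b', re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(ev: ProcEvent):
    """Return the names of every rule the single event satisfies."""
    hits = []
    if basename(ev.parent) == "hh.exe" and basename(ev.image) in SCRIPT_HOSTS:
        hits.append("chm_spawns_script_host")        # help viewer launching a shell is the CHM tell
    if RE_CERTUTIL_DECODE.search(ev.cmdline):
        hits.append("certutil_decode_or_download")   # LOLBin decode (T1140) or download (T1105)
    if RE_REG_ADD_RUN.search(ev.cmdline):
        hits.append("run_key_persistence")           # T1547.001
        if RE_SCRIPT_IN_VALUE.search(ev.cmdline):
            hits.append("run_key_points_to_script")  # value data is a .vbs/.bat, as in this campaign
    return hits


def scan(events):
    """Flat list of (host, ts, rule) for every rule hit across all events."""
    return [(ev.host, ev.ts, r) for ev in events for r in match_rules(ev)]


CHAIN = ("chm_spawns_script_host", "certutil_decode_or_download", "run_key_persistence")


def find_chains(events, window=300):
    """Per host, report the first window in which all three chain stages fire."""
    by_host = defaultdict(list)
    for host, ts, rule in scan(events):
        by_host[host].append((ts, rule))
    chains = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            seen = sorted({r for t, r in hits[i:] if t - t0 <= window})
            if all(r in seen for r in CHAIN):
                chains[host] = {"start": t0, "rules": seen}
                break
    return chains


def decode_certutil_blob(text: str) -> bytes:
    """What `certutil -decode` does to the dropped .dat: drop optional PEM-style
    header/footer lines, join the remaining lines and base64-decode them."""
    body = "".join(line.strip() for line in text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


# Constructed sample telemetry: one infected host (WS01) plus benign noise (WS02).
SAMPLE_EVENTS = [
    ProcEvent("WS01", 1000, r"C:\Windows\explorer.exe", r"C:\Windows\hh.exe",
              r'"C:\Windows\hh.exe" "C:\Users\user\Downloads\202305050017 Order Sheet (1).chm"'),
    ProcEvent("WS01", 1002, r"C:\Windows\hh.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd /c start /MIN certutil -decode "%USERPROFILE%\Links\oeirituttvv.dat" "%USERPROFILE%\Links\oeirituttvv.vbs"'),
    ProcEvent("WS01", 1003, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
              r'certutil -decode "C:\Users\user\Links\oeirituttvv.dat" "C:\Users\user\Links\oeirituttvv.vbs"'),
    ProcEvent("WS01", 1005, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
              r'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v oeirituttbb /t REG_SZ /d "wscript.exe C:\Users\user\Links\oeirituttbb.vbs" /f'),
    ProcEvent("WS02", 2000, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
              r"certutil -verify C:\temp\cert.cer"),
    ProcEvent("WS02", 2001, r"C:\Windows\explorer.exe", r"C:\Windows\hh.exe",
              r'"C:\Windows\hh.exe" "C:\Program Files\Tool\help.chm"'),
]

# Constructed stand-in for a dropped .dat (base64 of a one-line VBScript).
SAMPLE_DAT = "-----BEGIN CERTIFICATE-----\nTXNnQm94IDE=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
    print(find_chains(SAMPLE_EVENTS))
    print(decode_certutil_blob(SAMPLE_DAT))
```

The per-event rules are deliberately loose (any hh.exe child that is a script host, any certutil -decode/-urlcache, any REG ADD to a Run key) because each is noisy on its own; the chain check is what makes the alert actionable. Running the rules over real Sysmon data means mapping its EventID 1 fields onto ProcEvent, which the example leaves to the reader.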
Indicators of Compromise
- [File Hash] – b5a873ee6b839cbd03789115fc3ae944, 9861999409cdbc1f7c4c1079d348697c, and 8 more hashes
- [URL] – hxxp://vndjgheruewy1[.]com/uun06/uwpp.php (exfiltration), hxxp://vndjgheruewy1[.]com/jun06/dw_%COMPUTERNAME%.dat (per-target download)
- [Domain] – vndjgheruewy1[.]com (C2/Download URLs)
- [File Name] – oeirituttbb.vbs, oeirituttvv.bat (and 8 more names)
- [URL] – hxxp://vndjgheruewy1[.]com/tnd/pung03.txt, hxxp://vndjgheruewy1[.]com/tnd/qung03.txt
Read more: https://asec.ahnlab.com/en/54678/