A CHM-based malware campaign attributed to the Kimsuky group has been identified. It is delivered as a compressed, password-protected email attachment disguised as a North Korea-related interview questionnaire, and its goal is to collect and exfiltrate user data. The CHM uses an HTML Help shortcut object to launch its command line, drops a VBScript (Document.vbs) that persists via an HKCU Run registry key, and that script retrieves a PowerShell payload from a remote server which performs keylogging and clipboard theft before exfiltrating the collected data over HTTP.
Keypoints
- The CHM malware is distributed as a compressed email attachment and mimics a North Korea-related interview request.
- The attack chain relies on a shortcut object to trigger the malicious command sequence.
- Persistence is achieved by adding a Run key entry to execute the VBScript on startup.
- A VBScript launches a PowerShell script downloaded from a remote server for further stages.
- Keylogging and clipboard data collection are performed and exfiltrated to a C2 server via HTTP.
- Multiple IOCs include MD5 hashes of dropped/decoded components and the C2/download URLs.
- The campaign aligns with Kimsuky’s phishing-driven malware distribution observed in prior analyses.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – The CHM file is compressed and distributed as an email attachment; the initial email poses as an interview request about North Korea-related matters. ‘The CHM file has been compressed and is being distributed as an email attachment. The first email that is sent pretends to be an interview request about matters related to North Korea.’
- [T1023] Shortcut Modification (retired ID, now tracked as T1547.009) – The “shortcut” here is the HTML Help ShortCut ActiveX command embedded in the CHM, not an .lnk file: the object’s Click method is invoked from script and the command line stored in its Item1 parameter is executed. ‘The shortcut object is called through the Click method and the command in Item1 is executed.’
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys – The threat actor registered Document.vbs under the current user’s Run key so the script runs at every logon. ‘registered Document.vbs to the Run key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) to ensure the malicious script would run persistently.’
- [T1059.001] Command and Scripting Interpreter: PowerShell – Document.vbs executes a PowerShell script fetched from the remote URL. ‘Document.vbs executes the PowerShell script in hxxp://mpevalr.ria[.]monster/SmtInfo/demo.txt.’
- [T1105] Ingress Tool Transfer – The next-stage PowerShell script is downloaded from the attacker’s server at run time rather than shipped inside the CHM. ‘PowerShell script in hxxp://mpevalr.ria[.]monster/SmtInfo/demo.txt.’
- [T1071.001] Application Layer Protocol: Web Protocols – Collected data is sent to the C2 server over plain HTTP (the reported URL is http, not https). ‘sends this file to hxxp://mpevalr.ria[.]monster/SmtInfo/show.php.’
- [T1056.001] Input Capture: Keylogging – The PowerShell script intercepts the user’s keystrokes and writes them to a file before exfiltration. ‘intercepting a user’s key inputs before saving them in a certain file.’
- [T1115] Clipboard Data – The script periodically reads the clipboard and appends the contents to a file under %APPDATA% for later exfiltration. ‘periodically checks the clipboard contents and saves them to the %APPDATA%\Microsoft\Windows\Templates\Pages_Elements.xml file.’
Indicators of Compromise
- [MD5] CHM file and dropped/decoded components – 726af41024d06df195784ae88f2849e4, 0f41d386e30e9f5ae5be4a707823fd78, 89c0e93813d3549efe7274a0b9597f6f, 9f560c90b7ba6f02233094ed03d9272e
- [URL] second-stage download and C2 – http://mpevalr.ria[.]monster/SmtInfo/demo.txt (PowerShell script), http://mpevalr.ria[.]monster/SmtInfo/show.php (exfiltration endpoint)
- [Filename] lure, persistence script, downloaded stage and clipboard drop file – InterviewQuestionnaire(***).chm, Document.vbs, demo.txt, Pages_Elements.xml
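The chain summarised above (ShortCut object inside the CHM, Document.vbs in the HKCU Run key, a downloaded PowerShell stage, a clipboard drop file under %APPDATA%, and HTTP traffic to one host) leaves several artefacts that can be checked on an endpoint. The PowerShell script below is an added hunting example, not code from the ASEC post or from the malware. It decompiles a suspect CHM with hh.exe and flags pages that use the HTML Help ShortCut command (Command=ShortCut, Item1, .Click()), lists Run-key values that launch a script host or PowerShell, checks for the Pages_Elements.xml file, hashes small files in user-writable directories against the MD5 IOCs on this page, and looks for the download/C2 host in the DNS client cache. The parameter names, the scanned directories and the 5 MB size cut-off are my assumptions.

```powershell
# Added hunting example (not from the ASEC post or the malware). Assumes hh.exe
# is on PATH (it ships with Windows); parameter names and scanned roots are mine.
param(
    [string]$ChmPath = '',                                    # CHM to inspect (optional)
    [string]$OutDir  = (Join-Path $env:TEMP 'chm_decompiled')  # hh.exe output directory
)

# IOCs as listed on this page
$IocMd5   = @('726af41024d06df195784ae88f2849e4', '0f41d386e30e9f5ae5be4a707823fd78',
              '89c0e93813d3549efe7274a0b9597f6f', '9f560c90b7ba6f02233094ed03d9272e')
$IocHost  = 'mpevalr.ria.monster'
$RunKey   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ClipFile = Join-Path $env:APPDATA 'Microsoft\Windows\Templates\Pages_Elements.xml'

# 1. Decompile the CHM and flag pages that use the HTML Help "ShortCut" ActiveX
#    command: the command line sits in the Item1 PARAM and script calls .Click().
function Find-ChmShortcutObject {
    param([string]$Path, [string]$Dir)
    if (-not $Path -or -not (Test-Path $Path)) { return @() }
    New-Item -ItemType Directory -Force -Path $Dir | Out-Null
    Start-Process -FilePath 'hh.exe' -ArgumentList "-decompile `"$Dir`" `"$Path`"" -Wait -WindowStyle Hidden
    $hits = @()
    foreach ($f in Get-ChildItem -Path $Dir -Recurse -Include *.htm, *.html) {
        $html = Get-Content -Raw -Path $f.FullName
        if ($html -match '(?is)<PARAM[^>]*name\s*=\s*"?Command"?[^>]*value\s*=\s*"?ShortCut' -and
            $html -match '(?i)\.Click\s*\(') {
            $item1 = [regex]::Match($html, '(?is)<PARAM[^>]*name\s*=\s*"?Item1"?[^>]*value\s*=\s*"([^"]*)"').Groups[1].Value
            $hits += [pscustomobject]@{ Page = $f.FullName; Item1 = $item1 }
        }
    }
    return $hits
}

# 2. Run-key values that launch a script host or PowerShell (Document.vbs lives here).
function Find-SuspiciousRunEntry {
    $props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if (-not $props) { return @() }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and
                       "$($_.Value)" -match '(?i)Document\.vbs|wscript|cscript|powershell|mshta' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Command = $_.Value } }
}

# 3. MD5 of small files under user-writable locations against the IOC list.
function Find-IocHash {
    param([string[]]$Roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, "$env:USERPROFILE\Downloads"))
    Get-ChildItem -Path $Roots -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -lt 5MB } |
        ForEach-Object {
            $h = Get-FileHash -Algorithm MD5 -Path $_.FullName -ErrorAction SilentlyContinue
            if ($h -and ($IocMd5 -contains $h.Hash.ToLower())) { $_.FullName }
        }
}

# 4. Clipboard drop file and any cached resolution of the download/C2 host.
function Test-ClipboardDropFile { Test-Path $ClipFile }
function Find-C2DnsCache {
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$IocHost*" -or $_.Name -like "*$IocHost*" }
}

$report = [ordered]@{
    ChmShortcutPages  = @(Find-ChmShortcutObject -Path $ChmPath -Dir $OutDir)
    RunKeyEntries     = @(Find-SuspiciousRunEntry)
    IocHashMatches    = @(Find-IocHash)
    ClipboardDropFile = Test-ClipboardDropFile
    C2DnsCache        = @(Find-C2DnsCache)
}
$report | ConvertTo-Json -Depth 4
```

Run it in the context of the user whose profile is suspected, since the Run key and the drop file are per-user (HKCU and %APPDATA%). Decompiling with hh.exe extracts the HTML without rendering it, but a suspect CHM should still only be handled on an isolated analysis host, and never opened by double-clicking. A hit in step 1 is the strongest signal: legitimate help files rarely use the ShortCut command, and an Item1 value that starts a script host or PowerShell is the pattern this campaign uses.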
Read more: https://asec.ahnlab.com/en/49295/