The Updated APT Playbook: Tales from the Kimsuky threat actor group | Rapid7 Blog

Rapid7 Labs documents a Kimsuky campaign that uses CHM (Compiled HTML Help) files packaged in archives to deliver obfuscated scripts which are decoded and run on Windows hosts to gather and exfiltrate system data. The actor uses Base64-encoded payloads, living-off-the-land tools (certutil), registry Run keys and scheduled tasks for persistence while communicating with multiple C2 domains. #Kimsuky #CHM

Keypoints

  • Threat actor Kimsuky is delivering malicious CHM files inside ISO/VHD/ZIP/RAR containers to bypass initial defenses and entice execution.
  • CHM files contain HTML/ActiveX that writes a Base64 blob to a .dat file, decodes it with certutil into a .vbs script, and executes it.
  • Persistence is achieved by adding a Run key under HKCU pointing to the decoded VBS and by creating scheduled tasks or services from dropped scripts.
  • Decoded VBS collects system details (WMI), running processes, recent documents, and folder listings (e.g., Downloads), encodes results to Base64, and exfiltrates to C2 endpoints.
  • Variants drop multiple .bat and VBS files into C:\Users\Public\Libraries, use PowerShell to Base64-encode and upload zipped data, then remove local copies.
  • Rapid7 telemetry links these behaviors to Kimsuky with moderate confidence and provides detections for CHM-driven certutil usage, Run-key additions, and suspicious HH.exe activity.

MITRE Techniques

  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Used to echo a Base64 string into a .dat file and run certutil to decode it (‘echo T24gRXJyb3IgUmVzdW1lIE5leHQ…’ and ‘start /MIN certutil -decode “%USERPROFILE%\Links\MXFhejJ3c3gzZWRjA.dat” “%USERPROFILE%\Links\MXFhejJ3c3gzZWRjA.vbs”’)
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys – Achieves persistence by adding the decoded VBS to the current user’s Run registry key (‘REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Document /t REG_SZ /d “%USERPROFILE%\Links\MXFhejJ3c3gzZWRjA.vbs” /f’)

Indicators of Compromise

  • [File Hashes] CHM/VBS samples – MD5 364d4fdf430477222fe854b3cd5b6d40, SHA256 c62677543eeb50e0def44fc75009a7748cdbedd0a3ccf62f50d7f219f6a5aa05 (and 4 more hashes)
  • [Domains/C2] Exfiltration and C2 endpoints – 00701111.000webhostapp.com/wp-extra, hxxp://gosiweb.gosiclass[.]com/m/gnu/convert/html/com/list.php?query=6 (and niscarea[.]com/in.php)
  • [File Names] Dropped/created script files – MXFhejJ3c3gzZWRjA.dat, MXFhejJ3c3gzZWRjA.vbs, info.txt
  • [File Types/Artifacts] Malicious lure and payload containers – .chm file (Compiled HTML Help), .bat and .vbs files dropped to C:\Users\Public\Libraries

Rapid7 analysts found Kimsuky delivering CHM files inside archive containers (ISO/VHD/ZIP/RAR). Each CHM includes HTML/ActiveX content that writes a Base64-encoded payload into a .dat file under the user profile, then invokes certutil to decode it into a .vbs script. The initial execution uses obfuscated command lines embedded in the CHM (e.g., as an ActiveX Button parameter) to run the commands in a minimized window, keeping them out of the user's view.

The decoded VBS collects host telemetry via WMI (computer name, OS version and build, memory, CPU details), enumerates running processes and recent documents, and scans target folders such as Downloads. Collected data are Base64-encoded into files such as info.txt and posted to remote C2 URLs (examples observed: 00701111.000webhostapp.com/wp-extra, gosiweb.gosiclass[.]com, niscarea[.]com). Persistence is enforced by adding a Run key under HKCU pointing to the VBS and, in alternate variants, by installing services or creating scheduled tasks from dropped .bat files.

Other variants drop multiple .bat and VBS files into C:\Users\Public\Libraries, create scheduled tasks (e.g., from 2034923.bat), and run PowerShell to zip and Base64-encode the collected files before transmitting them to endpoints such as hxxps://niscarea[.]com/in.php?cn=[base64]&fn=[DateTime]; after exfiltration the scripts delete the local artifacts. Defenders should monitor CHM executions spawning cmd/certutil, creation of Run-key entries pointing at VBS files, hh.exe spawning child processes, and network traffic to the listed C2 domains.
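The following detection logic is an added example written for this summary; it is not Rapid7's code and not part of the original post. It turns the two MITRE techniques listed above (certutil decoding a .dat into a .vbs, and a REG ADD into the HKCU Run key) and the defender guidance in the paragraph above (hh.exe spawning children) into rules run over process-creation events. The events are constructed sample data whose command lines mirror the ones quoted on the page; field names are a simplification of Sysmon Event ID 1, and the PID-based parent walk assumes no PID reuse within the window (real telemetry should key on process GUIDs). It also decodes the echoed Base64 fragment from the page, which is a VBScript `On Error Resume Next` prologue, so the rule fires even before certutil runs.

```python
"""Detection rules for the CHM -> cmd -> certutil -> Run-key chain.

Sample events below are constructed for this example, not real telemetry.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (simplified Sysmon Event ID 1)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)
ECHO_B64_RE = re.compile(r"echo\s+([A-Za-z0-9+/]{16,}={0,2})\s*>", re.IGNORECASE)
VBS_PROLOGUE = ("on error resume next", "set ", "dim ", "createobject(", "wscript.")
HH_CHILDREN = {"cmd.exe", "certutil.exe", "reg.exe", "wscript.exe", "cscript.exe", "powershell.exe"}

# Constructed sample events: one chain as described on the page, then benign noise.
SAMPLE_EVENTS = [
    ProcEvent(100, 50, r"C:\Windows\hh.exe", r'"C:\Windows\hh.exe" C:\Users\victim\Downloads\report.chm'),
    ProcEvent(101, 100, r"C:\Windows\System32\cmd.exe",
              r'cmd /c echo T24gRXJyb3IgUmVzdW1lIE5leHQ > "%USERPROFILE%\Links\MXFhejJ3c3gzZWRjA.dat" & '
              r'start /MIN certutil -decode "%USERPROFILE%\Links\MXFhejJ3c3gzZWRjA.dat" "%USERPROFILE%\Links\MXFhejJ3c3gzZWRjA.vbs"'),
    ProcEvent(102, 101, r"C:\Windows\System32\certutil.exe",
              r'certutil -decode "C:\Users\victim\Links\MXFhejJ3c3gzZWRjA.dat" "C:\Users\victim\Links\MXFhejJ3c3gzZWRjA.vbs"'),
    ProcEvent(103, 101, r"C:\Windows\System32\reg.exe",
              r'REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Document /t REG_SZ /d "%USERPROFILE%\Links\MXFhejJ3c3gzZWRjA.vbs" /f'),
    # Benign: certutil used for hashing, reg used outside the Run key, no hh.exe parent.
    ProcEvent(200, 60, r"C:\Windows\System32\certutil.exe", r"certutil -hashfile C:\tools\setup.exe SHA256"),
    ProcEvent(201, 60, r"C:\Windows\System32\reg.exe", r"REG ADD HKCU\Software\Classes\.txt /ve /d txtfile /f"),
]


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def tokens_of(cmdline: str) -> list:
    """Split a command line into tokens, keeping quoted arguments whole."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def decoded_script_prefix(b64: str) -> Optional[str]:
    """Decode an echoed Base64 fragment (re-padding a truncated one); return the
    text only if it is printable and starts like VBScript source."""
    padded = b64 + "=" * (-len(b64) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not all(c.isprintable() or c in "\r\n\t" for c in text):
        return None
    return text if text.lower().lstrip().startswith(VBS_PROLOGUE) else None


def ancestor_named(event: ProcEvent, by_pid: dict, target: str, max_depth: int = 10) -> Optional[ProcEvent]:
    """Walk the parent chain (bounded, so cycles from PID reuse cannot loop forever)."""
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            return None
        if image_name(parent.image) == target:
            return parent
        cur = parent
    return None


def analyze(events) -> list:
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = image_name(e.image)
        toks = tokens_of(e.cmdline)
        low = [t.lower() for t in toks]
        # T1059.003 / defense evasion: certutil -decode producing a script file.
        if any(t.endswith(("certutil", "certutil.exe")) for t in low) and any(t in ("-decode", "/decode") for t in low):
            outs = [t for t in toks if t.lower().endswith(SCRIPT_EXT)]
            if outs:
                findings.append(Finding(e.pid, "certutil_decode_to_script", outs[-1]))
        # T1547.001: REG ADD into a Run/RunOnce key whose value is a script.
        if name == "reg.exe" and low[:2] == ["reg", "add"] and RUN_KEY_RE.search(e.cmdline):
            vals = [t for t in toks if t.lower().endswith(SCRIPT_EXT)]
            if vals:
                findings.append(Finding(e.pid, "runkey_script_value", vals[-1]))
        # hh.exe (the CHM viewer) should not be an ancestor of shells or LOLBins.
        if name in HH_CHILDREN:
            hh = ancestor_named(e, by_pid, "hh.exe")
            if hh is not None:
                findings.append(Finding(e.pid, "hh_exe_descendant", f"ancestor pid {hh.pid}: {hh.cmdline}"))
        # Base64 echoed to disk that decodes to script text (fires before certutil runs).
        for m in ECHO_B64_RE.finditer(e.cmdline):
            text = decoded_script_prefix(m.group(1))
            if text:
                findings.append(Finding(e.pid, "echoed_base64_script", text))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid={f.pid} rule={f.rule} detail={f.detail}")
```

Running the module prints one line per finding; the benign certutil hashing and registry edits (PIDs 200 and 201) produce nothing, while every process under hh.exe is flagged at least once. In production the `hh_exe_descendant` rule alone would be noisy where help files are legitimately used, so it is best treated as a correlation signal that raises the severity of the other three.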

Read more: https://blog.rapid7.com/2024/03/20/the-updated-apt-playbook-tales-from-the-kimsuky-threat-actor-group/