Changes Detected in CHM Malware Distribution
AhnLab Security Emergency response Center (ASEC) has previously covered a CHM malware type impersonating Korean financial institutes and insurance companies. Recently, the execution method of this malware type has been changing every week. This post will cover how the changed execution processes of the CHM malware are recorded in AhnLab’s EDR products.
Figure 1 shows the detection diagram in EDR products for the execution method of the CHM malware impersonating financial institutes and insurance companies. The diagram for the initial distribution is the very top portion of Figure 1 and was included in previously uploaded posts. When the CHM file (Windows help file) is executed, it is run through the hh process. A script in the internal HTML file then decompiles the CHM to generate a file, and the generated .jse file is in turn executed through wscript.
This method is the same as the first variant shown in the middle diagram in Figure …
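The chain recorded above (hh running the CHM, a generated .jse then executed by wscript) can be correlated from process-creation telemetry. The following Python is an added example, not code from the original post or from AhnLab's EDR product; the event field names and the sample events are constructed for this illustration.

```python
import re

# Constructed process-creation events standing in for EDR telemetry (not real logs);
# the field names pid/ppid/image/cmdline are assumptions for this example.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "hh.exe",       "cmdline": 'hh.exe "C:\\Users\\u\\Downloads\\notice.chm"'},
    {"pid": 300, "ppid": 200, "image": "wscript.exe",  "cmdline": 'wscript.exe "C:\\Users\\u\\AppData\\Local\\Temp\\a.jse"'},
    # Controls that must not be flagged: a .js script, and a .jse launched straight from explorer.
    {"pid": 400, "ppid": 100, "image": "wscript.exe",  "cmdline": 'wscript.exe "C:\\Tools\\backup.js"'},
    {"pid": 500, "ppid": 100, "image": "wscript.exe",  "cmdline": 'wscript.exe "C:\\Tools\\task.jse"'},
]

# A .jse path at the end of an argument (followed by a quote, whitespace or end of line).
JSE_ARG = re.compile(r'\.jse(?:"|\s|$)', re.IGNORECASE)

def lineage(pid, by_pid):
    """Return image names from pid up to the root (nearest first); stops on unknown or cyclic pids."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain

def find_chm_chains(events, max_depth=4):
    """Flag wscript.exe running a .jse whose ancestry (within max_depth) includes hh.exe,
    i.e. the CHM -> hh -> generated .jse -> wscript chain described in the post."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if ev["image"].lower() != "wscript.exe" or not JSE_ARG.search(ev["cmdline"]):
            continue
        parents = lineage(ev["ppid"], by_pid)[:max_depth]
        if "hh.exe" in parents:
            hits.append({"pid": ev["pid"], "cmdline": ev["cmdline"], "lineage": parents})
    return hits

if __name__ == "__main__":
    for h in find_chm_chains(EVENTS):
        print(f"pid {h['pid']}: {h['cmdline']} <- {' <- '.join(h['lineage'])}")
```

Only the wscript process descending from hh.exe is reported; a .jse started directly from explorer, or a plain .js, is left alone, which is the distinction a detection for this chain needs.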
IoC