CHM Impersonates Korean Financial Institutes and Insurance Companies
In March, AhnLab Security Emergency response Center (ASEC) covered CHM-type malware impersonating security emails from financial institutes. This post covers a recently identified distribution of CHM-type malware that uses a similar method, this time impersonating Korean financial institutes and insurance companies.
The CHM file is distributed inside a compressed (RAR) archive. When it is executed, it displays the help screens shown below. All of them are disguised as notices sent by Korean financial institutes and insurance companies, with content such as “credit card limit,” “results of insurance fee withdrawal,” and “banking contract.”
The malicious script executed at this point is shown below. It differs in some respects from the script in previously identified CHM files: the Object tag and its command are not executed immediately. Instead, a string is assembled at runtime and inserted into an element with a specific id through the innerHTML property, and only then is the command triggered. The use of shortcut objects (ShortCut) and the click method are the …
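The following triage script is an added example and is not ASEC's code or code from the samples. It assumes the HTML pages have already been extracted from the CHM (for instance with a CHM decompiler) and looks for the execution chain described above: the HTML Help ActiveX control (its CLSID, adb880a6-d8ff-11cf-9377-00aa003b7a11, is the one registered for hhctrl.ocx), a "ShortCut" command parameter, and a Click() call. Because the newer samples build the Object tag as a string and write it with innerHTML, the scanner checks both the raw markup and the re-joined string literals of the page, which also catches the more general case where the tag is split across concatenated literals. The three sample pages, their element ids, and the placeholder command line in Item1 are constructed for this example and are not taken from the samples.

```python
import re

# CLSID of the HTML Help ActiveX control (hhctrl.ocx); its "ShortCut"
# command runs an arbitrary program, which is the primitive the CHM
# samples described in the post rely on.
HH_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

# Quoted literals in the page (JScript strings or HTML attribute values).
STRING_LIT = re.compile(r"'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"")
OBJECT_RE = re.compile(r"clsid:\s*" + HH_CLSID, re.I)
SHORTCUT_RE = re.compile(r"name\s*=\s*[\"']?Command[\"']?\s+value\s*=\s*[\"']?ShortCut", re.I)
ITEM1_RE = re.compile(r"name\s*=\s*[\"']?Item1[\"']?\s+value\s*=\s*[\"']([^\"']*)[\"']", re.I)
CLICK_RE = re.compile(r"\.\s*Click\s*\(", re.I)
INNERHTML_RE = re.compile(r"\.innerHTML\s*=", re.I)


def join_string_literals(html: str) -> str:
    """Concatenate every quoted literal in order of appearance. This
    re-assembles an OBJECT tag that a script builds from '...' + '...'
    pieces before writing it into the page with innerHTML."""
    return "".join(m.group(1) or m.group(2) or "" for m in STRING_LIT.finditer(html))


def scan_chm_html(html: str) -> dict:
    """Heuristic triage of one HTML page extracted from a CHM file."""
    # Check the raw markup and the re-joined literals, so the tag is found
    # whether it is static HTML or assembled at runtime.
    views = (html, join_string_literals(html))

    def seen(rx: re.Pattern) -> bool:
        return any(rx.search(v) for v in views)

    program = None
    for view in views:
        m = ITEM1_RE.search(view)
        if m:
            # Item1 is "<window>,<program>,<arguments>"; the program is what runs.
            fields = m.group(1).split(",", 2)
            program = fields[1].strip() if len(fields) == 3 else m.group(1)
            break

    hh_object, shortcut, click = seen(OBJECT_RE), seen(SHORTCUT_RE), seen(CLICK_RE)
    return {
        "hh_object": hh_object,
        "shortcut_command": shortcut,
        "click_call": click,
        "deferred_via_innerhtml": INNERHTML_RE.search(html) is not None,
        "program": program,
        # All three together form the execution chain, however it is built.
        "verdict": "malicious" if hh_object and shortcut and click else "clean",
    }


# Constructed sample: the newer pattern. The OBJECT tag is split across
# literals (so a raw scan never sees "clsid:"), written with innerHTML into
# a placeholder element, then clicked. The command line is a placeholder.
SAMPLE_DEFERRED = r"""<html><body><div id="hold"></div>
<script language="JScript">
var a = '<OBJECT id="x" cla' + 'ssid="cls' + 'id:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>';
var b = '<PARAM name="Command" value="ShortCut">';
var c = '<PARAM name="Item1" value=",cmd.exe,/c echo placeholder">';
var d = '</OBJECT>';
document.getElementById("hold").innerHTML = a + b + c + d;
x.Click();
</script></body></html>"""

# Constructed sample: the older pattern, static tag executed immediately.
SAMPLE_IMMEDIATE = r"""<html><body>
<OBJECT id="x" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Item1" value=",cmd.exe,/c echo placeholder">
</OBJECT>
<script>x.Click();</script>
</body></html>"""

# Constructed benign page: innerHTML alone is not suspicious.
SAMPLE_BENIGN = r"""<html><body><h1>Credit card limit notice</h1><p id="note"></p>
<script>document.getElementById("note").innerHTML = "Please check the app.";</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in [("deferred", SAMPLE_DEFERRED), ("immediate", SAMPLE_IMMEDIATE), ("benign", SAMPLE_BENIGN)]:
        print(name, scan_chm_html(page))
```

The verdict deliberately requires all three indicators rather than any one of them: legitimate help files use hhctrl.ocx for navigation features, and innerHTML writes are common in ordinary pages, so only the combination of the control, the ShortCut command and a Click() call is treated as the execution chain. Re-joining string literals is a heuristic; a script that decodes or reverses its pieces at runtime would still need to be emulated or inspected by hand.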
IoC
0f27c6e760c2a530ee59d955c566f6da
59a924bb5cb286420edebf8d30ee424b
aaeb059d62c448cbea4cf96f1bbf9efa
bfe2a0504f7fb1326128763644c88d37
https://atusay.lat/kxydo
https://crilts.cfd/cdeeb
https://labimy.ink/rskme
https://ppangz.mom/mjifi