CHM Malware Stealing User Information Being Distributed in Korea
AhnLab SEcurity intelligence Center (ASEC) has recently confirmed that a CHM malware strain that steals user information is being distributed to Korean users. The CHM belongs to a family that has been distributed continuously in the past in various formats such as LNK, DOC, and OneNote. A slight change to the operation process was observed in the recent samples.
- Related Posts
(June 23rd, 2023) Malware Disguised as HWP Document File (Kimsuky)
(March 24th, 2023) OneNote Malware Disguised as Compensation Form (Kimsuky)
(March 13th, 2023) CHM Malware Disguised as North Korea-related Questionnaire (Kimsuky)
(May 25th, 2022) Kimsuky’s Attack Attempts Disguised as Press Releases of Various Topics
The overall execution flow is shown in Figure 1. The malware uses multiple scripts in sequence to ultimately send user information and keylog data to the threat actor. Each execution step is explained below.
1. CHM
A help file is displayed when the CHM file is executed (see Figure 2). …
IoC
b2c74dbf20824477c3e139b48833041b