RedEyes (ScarCruft)'s CHM Malware Using the Topic of Fukushima Wastewater Release
The AhnLab Security Emergency response Center (ASEC) analysis team has recently discovered that the CHM malware, which is assumed to have been created by the RedEyes threat group, is being distributed again. The CHM malware in distribution operates in a similar way to the “CHM Malware Disguised as Security Email from a Korean Financial Company”[1] covered in March of this year, and it also uses the same commands as those used in the “2.3. Persistence”[2] stage of the attack process of the RedEyes group’s M2RAT malware.
The recent attack used information regarding the release of Fukushima wastewater. By using such a spotlight issue in Korea, the threat actor provokes the user’s curiosity and leads them to open the malicious file. Information about this issue can be seen in the help file window generated when the CHM malware is executed, as shown in Figure 1.
Figure 2 shows the malicious script that operates during this process. …
IoC
52f71fadf0ea5ffacd753e83a3d0af1a
http://navercorp.ru/dashboard/image/202302/4.html
http://navercorp.ru/dashboard/image/202302/com.php