Hackers exploit the weaponized shortcut files due to their ability to execute malicious code without knowing the user being targeted.
Shortcut files are generally well-known and widely used, and due to this, they provide a good platform for deploying malware.
The use of these harmless shortcuts is one of the best ways for hackers to bypass security checks and force victims to make their systems vulnerable.
Cybersecurity researchers at ASEC recently discovered that hackers have been actively abusing the the weaponized shortcut files to deploy CHM malware.
Technical Analysis
AhnLab detected a Korean CHM malware that is currently stealing user data and is being distributed to Korean targets. This follows the trend of malware being delivered in different formats like LNK, DOC, and OneNote by the same actor.
Free Webinar : Live API Attack Simulation
94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise:
Key Takeaways:
- An exploit of OWASP API Top 10 vulnerability
- A brute force ATO (Account Takeover) attack on API
- A DDoS attack on an API
- Positive security model automation to prevent API attacks
Start protecting your APIs from hackers
Although the entire execution flow relies on multiple scripts for stealing user information and keylogger data as before, some recent samples showcase minor variations in how they operate.
In earlier activities of this group, there were instances when such malicious objects took the shape of HWP documents or even looked like compensation forms, North Korea-related questionnaires, or press releases on different themes.
.webp)
Upon executing the CHM file, a help file displays while simultaneously running a malicious script that creates and launches Link.ini in “%USERPROFILE%Links”.
.webp)
The Link.ini connects to a URL (changed from “list.php?query=1” to “bootservice.php?query=1”) containing a Base64 encoded script.
This decoded script, previously analyzed, exfiltrates user data, creates a malicious script file, and gets registered as a service under “%USERPROFILE%AppDataLocalMicrosoftWindowsTemporary Internet FilesOfficeUpdater_[time].ini”. It’s scheduled to run every 60 minutes automatically.
Here below we have mentioned all the types of information exfiltrated:-
- System Information
- List of Files in the Folder
- Information on Currently Running Processes
- Anti-malware Information (Code Only, Not Executed)
A URL that the periodically running service connects to runs a Base64 encoded malicious script, the “list.php?query=6” changed to “bootservice.php?query=6”.
This reveals an encoded script that uses PowerShell to connect to another URL with “InfoKey” and encoded data as parameters.
A PowerShell script hosted on the URL decodes and then executes an obfuscated secure string payload.
The attacker has begun using complex obfuscation methods that are more advanced than most known cases of simpler deobfuscation techniques such as decompression or base64 since it is now possible for attackers to hide beneath easily available detectors.
The final decoded payload carries out keylogging, where it saves the captured keystrokes and clipboard data in ‘%APPDATA%MicrosoftWindowsTemplatesOffice_Config.xml’ before sending it to the attacker’s server and erasing the file.
Although the general execution of this attack is not new, recent samples have produced far more complex obfuscation methods, which probably signify an improved form of evasion by a single group responsible for previous campaigns.
Since this malware affects only Korean users, they should be extra careful not to open files from untrusted or suspicious sources.
IOC
- b2c74dbf20824477c3e139b48833041b
Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide