Kimsuky APT Hackers Dropping Malware Via CHM Files


AhnLab Security Emergency Response Center (ASEC) researchers discovered the Kimsuky APT group’s recent strikes, in which attackers have been using CHM files to distribute malware to the targeted machines, downloading additional scripts or malware to harvest user information.

Kimsuky is a North Korean state-backed hacker group that targets South Korean think tanks, industry, nuclear power operators, and the South Korean Ministry of Unification for espionage purposes. The Kimsuky APT group has most likely been operating since 2012. 


Cyber Security News previously reported on the Kimsuky threat actors' activities in 2020, when findings emerged that documented the group's spyware capabilities.

As per the analysis of multiple attacks executed in May, ASEC found that they have used different subjects such as cryptocurrency, tax accounting, and contracts in distributed files instead of North Korean-related topics. 

Kimsuky APT File Distribution Vector

“CHM malware in distribution generates a standard help window upon execution and performs malicious behaviours through the malicious script inside.”

A CHM file is a compressed HTML file that provides help material. It can contain text, photos, and hyperlinks.

“It is not easy for users to notice the malicious behaviours, having been deceived with the help window disguised as a regular file.”

The help window shown to the user draws on current events or on topics relevant to the target's field of work to make the lure more convincing.

For example, the help window generated on the user's machine may link to a page disguised as a tax investigation return form, or to a page relating to specific users' financial transactions.

In one case, an individual's stolen personal data was used to make the lure look legitimate. In other cases, attackers have been using stolen reservation ticket details, cryptocurrency transactions of specific individuals, and household registration of certain persons, ASEC researchers said.

Disguised as documents such as contracts

In such scenarios, a user may fall for the lure and open the document, executing the malware.

CHM Malware Behaviour

Once the user opens the CHM file, additional scripts are downloaded that exfiltrate user information and fetch further malware.

When the CHM file is executed, it first drops BAT and VBS files, which in turn download a CAB file.

The CAB file contains scripts to exfiltrate user information and download additional malicious files. 

Overall operation process

User information is collected through loyestemp03.bat, and uwpp.vbs sends the collected information together with the PC name to “hxxp://vndjgheruewy1[.]com/uun06/uwpp.php”. The threat actor reviews the stolen user information and, only when the system is a target of the attack, uploads additional malicious files to the command and control server.

If the system is a target, the threat actor uploads files with the name of the infected PC.

Infected PCs repeatedly attempt to download via the script registered in the Run key, and once further files have been uploaded to the server, those files are downloaded.

It then decompresses the downloaded files through the expand command before executing them. 
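The chain above (a CHM opened by the user, dropped BAT/VBS scripts, a Run key entry, and a CAB unpacked with expand) leaves a recognisable trace in process and registry telemetry. The following detection sketch is an added example, not code from ASEC or from the article; it assumes that the CHM is opened by the Windows HTML Help viewer hh.exe, that the dropped scripts run via cmd.exe or wscript.exe, and it uses constructed, Sysmon-like records with invented paths and names.

```python
"""Flag stages of the CHM -> BAT/VBS -> Run key -> CAB/expand chain in
constructed process-creation (event 1) and registry (event 13) records."""
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int            # 1 = process create, 13 = registry value set
    image: str = ""          # created process (event 1) or writer (event 13)
    parent_image: str = ""   # parent process, event 1 only
    cmdline: str = ""
    target_object: str = ""  # registry path, event 13 only


# Constructed sample telemetry: hosts, paths and file names are invented,
# except loyestemp03.bat / uwpp.vbs, which are the names reported by ASEC.
SAMPLE = [
    Event(1, r"C:\Windows\hh.exe", r"C:\Windows\explorer.exe", r"hh.exe C:\Users\u\Downloads\contract.chm"),
    Event(1, r"C:\Windows\System32\cmd.exe", r"C:\Windows\hh.exe", r"cmd /c C:\Users\u\AppData\Local\Temp\loyestemp03.bat"),
    Event(1, r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\cmd.exe", r"wscript C:\Users\u\AppData\Local\Temp\uwpp.vbs"),
    Event(13, r"C:\Windows\System32\reg.exe", target_object=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
    Event(1, r"C:\Windows\System32\expand.exe", r"C:\Windows\System32\cmd.exe", r"expand C:\Users\u\AppData\Local\Temp\p.cab -F:* C:\Users\u\AppData\Local\Temp"),
    Event(1, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
]

SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}


def base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return a stage label for one event, or None if nothing matches."""
    if ev.event_id == 1:
        # The help viewer has no business launching a script interpreter.
        if base(ev.parent_image) == "hh.exe" and base(ev.image) in SCRIPT_HOSTS:
            return "chm_spawned_script_host"
        cmd = ev.cmdline.lower()
        if base(ev.image) == "expand.exe" and ".cab" in cmd and "appdata" in cmd:
            return "expand_cab_from_user_profile"
    if ev.event_id == 13 and "\\currentversion\\run\\" in ev.target_object.lower():
        return "run_key_persistence"
    return None


def triage(events):
    """Group matching events by stage; several stages on one host is the strong signal."""
    hits = {}
    for ev in events:
        label = classify(ev)
        if label:
            hits.setdefault(label, []).append(ev)
    return hits
```

Each stage on its own is noisy (administrators do use expand and the Run key), so a real rule should correlate the stages per host within a short window rather than alert on any single one.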

“Cases of using CHM files in APT attacks are also commonly found. Users must carefully check the senders of emails and refrain from opening files from unknown sources.

They should also perform routine PC checks and update their security products to the latest version,” the researchers warned.


Indicators of Compromise



