CHM (Infostealer) – Malware

Overview

CHM malware is malicious software that leverages the Compiled HTML Help (CHM) file format, used by Microsoft Windows for online help documentation. These CHM files, which are compiled HTML files, can include embedded scripts, links, images, and other content, allowing them to execute code. This capability makes them a vehicle for delivering malware, as attackers can exploit vulnerabilities in the software used to open CHM files.

Over the years, CHM malware has been employed in numerous cyber campaigns. Attackers prefer CHM files because they can bypass certain security mechanisms and many users are unaware of the risks these files pose.

Targets

The versatility and potential stealth of CHM malware make it a useful tool for attackers targeting a variety of sectors like Corporate NetworksCorporate Networks, Government Agencies, Financial Institutions, Healthcare Organizations, Educational Institutions and Individual Users.

How they operate

AhnLab detected a Korean CHM malware that is currently stealing user data and targeting Korean users. This aligns with the trend of malware being delivered in various formats like LNK, DOC, and OneNote by the same actor.

Although the execution flow relies on multiple scripts for stealing user information and keylogger data as before, recent samples show minor variations in their operation. In earlier activities of this group, malicious objects appeared as HWP documents or even looked like compensation forms, North Korea-related questionnaires, or press releases on different themes.

Upon executing the CHM file, a help file displays while simultaneously running a malicious script that creates and launches Link.ini in “%USERPROFILE%\Links”. The Link.ini connects to a URL (changed from “list.php?query=1” to “bootservice.php?query=1”) containing a Base64 encoded script. This decoded script, previously analyzed, exfiltrates user data, creates a malicious script file, and gets registered as a service under “%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\OfficeUpdater_[time].ini”. It’s scheduled to run every 60 minutes automatically.

Here are the types of information exfiltrated:

• System Information
• List of Files in the Folder
• Information on Currently Running Processes
• Anti-malware Information (Code Only, Not Executed)

A URL that the periodically running service connects to runs a Base64 encoded malicious script, changing from “list.php?query=6” to “bootservice.php?query=6”. This reveals an encoded script that uses PowerShell to connect to another URL with “InfoKey” and encoded data as parameters. A PowerShell script hosted on the URL decodes and then executes an obfuscated secure string payload.

The attacker has started using complex obfuscation methods that are more advanced than most known simpler deobfuscation techniques such as decompression or base64, making it possible for attackers to evade detection. The final decoded payload performs keylogging, saving captured keystrokes and clipboard data in ‘%APPDATA%\Microsoft\Windows\Templates\Office_Config.xml’ before sending it to the attacker’s server and erasing the file.

Although the general execution of this attack is not new, recent samples have shown more complex obfuscation methods, indicating an improved form of evasion by the same group responsible for previous campaigns.

Significant Malware Campaigns

• AhnLab Security Emergency response Center (ASEC) has recently confirmed malware, which was previously distributed in CHM and OneNote file formats, being distributed as an executable. (June 2023)
• Kimsuky group often used document files for malware distribution, there have been many recent cases where CHM files were used in distribution. (June 2023)
• Due to recent confirmed cases of the Kimsuky group distributing malware in various forms such as CHM, LNK, and OneNote, which were previously distributed as Word files, users are strongly advised to exercise extra caution. (March 2023)
• AhnLab Security Emergency response Center (ASEC) has recently discovered a CHM malware which is assumed to have been created by the Kimsuky group. (March 2023)

References:

• Malware Disguised as HWP Document File (Kimsuky)
• Kimsuky Distributing CHM Malware Under Various Subjects
• OneNote Malware Disguised as Compensation Form (Kimsuky)
• CHM Malware Disguised as North Korea-related Questionnaire (Kimsuky)
• Kimsuky’s Attack Attempts Disguised as Press Releases of Various Topics
• CHM Malware Stealing User Information Being Distributed in Korea