Let’s continue to dissect unusual malicious email attachments used by modern APTs. This time I’m going to focus on malicious CHM files used by Silence APT. If you haven’t heard about it for some reason, I would recommend reading this detailed report by Group-IB, as this APT attacks not only Russian banks, but also banks in more than 25 countries.
In this post I’ll focus on two recent campaigns – in both of them the attackers used weaponized CHM files:
Maket dizayna debitovoy korp karty.CHM (Debit corporate card design template)
Приглашение на конференцию 13012019.chm (Conference invitation 13012019)
Let’s start with what CHM files are. These are Microsoft Compiled HTML Help files. A CHM file consists of a collection of HTML pages, an index and other navigation tools. As they are compressed, we can use 7-Zip, for example, to browse their contents. Let’s start with the first file, “Maket dizayna debitovoy korp karty.CHM”:
The most interesting file is start.htm. It can be examined with a text or hex editor of your choice; here I use 010 Editor. Let’s look at the most interesting part of the file:
As you can see, we already have quite a lot of information that can help us build an IoC (Indicators of Compromise) list, but it looks a bit obfuscated. The thing is, the attackers used environment variable string substitution, an obfuscation technique FIN7 started using in June 2017. We can easily deobfuscate it using the echo command:
So, once the victim opens the file, the script inside uses schtasks.exe to create a task with the name “4”, which downloads and runs “mnms” from 146.0.77[.]104; then the task is deleted. What’s “mnms”? It’s a VBScript that downloads the next stage.
Let’s look inside another CHM file:
We see the same environment variable string substitution trick here; we can use the echo command again to deobfuscate it:
This time there are no tasks, but there is still something interesting. Once opened by the victim, the script inside the CHM file copies cmd.exe to %APPDATA% as dmw.exe, then uses that copy to download and run “rogr.php” from 185.70.186[.]146. Again, “rogr.php” is a VBScript that downloads the next stage.
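The environment variable substring trick used in both files can also be expanded offline, without running anything through cmd.exe. The following is an added example (not the author’s script and not the malware’s code) of a small Python deobfuscator: it applies the cmd.exe %VAR:~start,len% rules to a constructed sample that mirrors the second file’s behaviour. The variable values are assumed ones for an analysis box; real samples must be expanded with the values from the victim’s environment, since the result depends on them.

```python
import re

# Constructed values for an analysis machine. Substitute the variables from the
# victim's environment if you have them: the decoded text depends on exact values.
ENV = {
    "COMSPEC": r"C:\Windows\system32\cmd.exe",
    "PROGRAMFILES": r"C:\Program Files",
    "APPDATA": r"C:\Users\victim\AppData\Roaming",
}

# Matches both plain %VAR% and the substring form %VAR:~start,len%
# (len is optional; start and len may be negative, as cmd.exe allows).
VAR_RE = re.compile(
    r"%(?P<var>[A-Za-z0-9_()]+)(?::~(?P<start>-?\d+)(?:,(?P<len>-?\d+))?)?%"
)


def cmd_substr(value, start, length=None):
    """Apply cmd.exe %VAR:~start,len% semantics to an already expanded value."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)      # negative start counts from the end
    if start >= n:
        return ""
    if length is None:
        return value[start:]           # no length: take the rest of the string
    end = n + length if length < 0 else start + length   # negative len: drop from the end
    return value[start:end] if end > start else ""


def deobfuscate(text, env=ENV):
    """Expand every variable reference; unknown variables are left untouched."""
    def repl(m):
        value = env.get(m.group("var").upper())   # names are case-insensitive
        if value is None:
            return m.group(0)          # keep it visible so the analyst notices it
        if m.group("start") is None:
            return value               # plain %VAR%
        length = int(m.group("len")) if m.group("len") is not None else None
        return cmd_substr(value, int(m.group("start")), length)
    return VAR_RE.sub(repl, text)


# Constructed sample modelled on the second CHM: copies cmd.exe to %APPDATA% under a new name.
OBFUSCATED = (
    "%COMSPEC:~20,1%%COMSPEC:~7,1%%APPDATA:~17,1%%COMSPEC:~12,1%"
    "%PROGRAMFILES:~10,1%%COMSPEC%%PROGRAMFILES:~10,1%%APPDATA%\\dmw.exe"
)

if __name__ == "__main__":
    print(deobfuscate(OBFUSCATED))
    # → copy C:\Windows\system32\cmd.exe C:\Users\victim\AppData\Roaming\dmw.exe
```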
If we compare both “start.htm” files, we can see that they have a lot in common. Of course, a good starting point is the environment variable string substitution used for obfuscation in both files; it’s not a very common technique. Also, some parts of the files are almost identical while still being quite unique, so it seems the attackers used the same template or software to create them. For example, let’s look at the beginnings of both files:
As you can see, they are almost the same. Let’s continue with a bit of forensic analysis. Usually it takes the attackers some time to finish the attack: sometimes a week or two, sometimes three months. This means that there may be no artifacts of the file being opened, like MRU entries or LNK files, left any more. Of course, CHM files are not very common, so you have a good chance of finding quite a lot of artifacts of users opening these files. Anyway, I would like to focus on the most unique artifacts left by the execution of the files under analysis.
Let’s go back to our first file, “Maket dizayna debitovoy korp karty.CHM”. It creates a task and then deletes it. This means we can hardly expect to find the task file under C:\Windows\System32\Tasks, and the same can be said about VSCs (Volume Shadow Copies), as the task is created, run and deleted immediately. But it’s a good idea to check Microsoft-Windows-TaskScheduler%4Operational.evtx, as it records everything regarding scheduled tasks. Here is a good example:
As for the second file, “Приглашение на конференцию 13012019.chm”, as you remember, it creates a file called “dmw.exe”, which is a copy of “cmd.exe”. As it doesn’t delete it, the file itself can be used as an IoC:
Even if this file has been deleted, you still have quite a lot of evidence sources for its execution, like Prefetch, Shimcache, etc.