CHM malware impersonating security mail from domestic financial companies: RedEyes (ScarCruft)
2023-03-03 • Ahnlab • CHM malware impersonating security mail from domestic financial companies: RedEyes (ScarCruft)
AhnLab reported CHM malware attributed to RedEyes, also known as APT37 or ScarCruft, distributed to South Korean users through lures impersonating a domestic financial company's secure email. When opened, the CHM file displayed a fake help window while an embedded malicious script ran in the background. The script used a shortcut object to launch mshta, fetched a JavaScript file from attacker infrastructure, and executed encoded PowerShell commands, reusing a persistence command pattern previously observed in RedEyes M2RAT activity.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | http://shacc.kr/skin/product/1.… | 2023-03-03 | 2023-03-21 |
| DOMAIN | shacc.kr | 2023-03-03 | 2023-03-21 |
| HASH | 8d2eebd10d90953cfada64575328ae24 | 2023-03-03 | 2023-03-03 |
| HASH | 806fad8aac92164f971c04bb4877c00f | 2023-03-03 | 2023-03-03 |