Kimsuky APT

AhnLab Security Emergency Response Center (ASEC) researchers have analysed recent Kimsuky APT campaigns in which the attackers use CHM files to deliver malware to targeted machines; the CHM then downloads additional scripts or malware that harvest user information.

Kimsuky is a North Korean state-backed hacker group that targets South Korean think tanks, industry, nuclear power operators, and the South Korean Ministry of Unification for espionage purposes. The Kimsuky APT group has most likely been operating since 2012. 

Cyber Security News previously reported on Kimsuky activity in 2020, when new findings emerged about the group's spyware capabilities.

According to ASEC's analysis of multiple attacks carried out in May, the lure topics used in the distributed files included cryptocurrency, tax accounting, and contracts rather than North Korea-related subjects.

Kimsuky APT File Distribution Vector

“CHM malware in distribution generates a standard help window upon execution and performs malicious behaviours through the malicious script inside.”

A CHM (Compiled HTML Help) file is a Microsoft help-file format that packages HTML pages, images, and hyperlinks into a single compressed archive. Windows opens it with the HTML Help viewer (hh.exe), and the embedded HTML can carry script that runs as soon as the help window is displayed, which is what makes the format attractive to attackers.

“It is not easy for users to notice the malicious behaviours, having been deceived with the help window disguised as a regular file.”

The help window shown to the user draws on current events or on topics relevant to the target's field of work so that the file appears more credible.

For example, the help window displayed on the victim's machine may link to a page disguised as a tax investigation return form, or relate to the financial transactions of a specific user.

In some cases stolen personal data was used to make the lure more convincing: ASEC researchers said the attackers have used stolen ticket reservation details, cryptocurrency transactions of specific individuals, and household registration records of specific persons.

Disguised as documents such as contracts

In such scenarios, a user who takes the file for a genuine document and opens it executes the malware.

CHM Malware Behaviour

Once the user opens the CHM file, it downloads additional scripts that exfiltrate user information and fetch further malware.

When the CHM executes, it first drops BAT and VBS files, which in turn download a CAB file.

The CAB file contains scripts to exfiltrate user information and download additional malicious files. 

Overall operation process

User information is collected by loyestemp03.bat, and uwpp.vbs sends the collected information together with the PC name to hxxp://vndjgheruewy1[.]com/uun06/uwpp.php. The threat actor reviews the stolen information and uploads additional malicious files to the command-and-control server only when the system is a target of interest.

If the system is a target, the threat actor uploads files under the name of the infected PC.

The infected PC repeatedly polls the server via a script registered in a Run key for persistence; once the threat actor uploads new files, the script downloads them.

It then decompresses the downloaded CAB files with the built-in expand command (expand.exe) before executing their contents.
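The chain described above (help viewer launching a script host, a script persisted in a Run key, and expand.exe unpacking a CAB in a user-writable directory) leaves process and registry telemetry that a detection engineer can key on. The following is an added example, not code from ASEC or from this article: it runs three simple rules over Sysmon-style events (EventID 1 process creation, EventID 13 registry value set). The events are constructed for the example; the file names loyestemp03.bat and uwpp.vbs come from the article, while the paths, the Run key value name, the CAB name and the assumption that uwpp.vbs is the script registered in the Run key are hypothetical.

```python
"""Flag the CHM -> script host -> Run key -> expand.exe CAB chain in Sysmon-style events."""
import re
from typing import Dict, Iterable, List, Tuple

# Script hosts that a legitimate HTML Help window has no reason to launch.
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Per-user or machine-wide Run / RunOnce autostart keys.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Script file types an autostart value should rarely point at.
SCRIPT_EXT_RE = re.compile(r"\.(vbs|bat|cmd|js)\b", re.IGNORECASE)
# Directories an unprivileged user can write to (where droppers stage files).
USER_WRITABLE_RE = re.compile(r"\\(Users\\[^\\]+\\AppData|Users\\Public|Temp)\\", re.IGNORECASE)

Finding = Tuple[str, str]  # (rule name, evidence)


def _basename(path: str) -> str:
    """Last path component, lower-cased, so comparisons ignore directory and case."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_chm_chain(events: Iterable[Dict[str, object]]) -> List[Finding]:
    """Return one finding per event that matches a stage of the CHM delivery chain."""
    findings: List[Finding] = []
    for ev in events:
        if ev.get("EventID") == 1:  # process creation
            image = _basename(str(ev.get("Image", "")))
            parent = _basename(str(ev.get("ParentImage", "")))
            cmdline = str(ev.get("CommandLine", ""))
            # Stage 1: the help viewer itself spawns a script interpreter.
            if parent == "hh.exe" and image in SCRIPT_HOSTS:
                findings.append(("chm_spawned_script_host", cmdline))
            # Stage 3: a CAB is unpacked with expand.exe inside a user-writable path.
            if image == "expand.exe" and ".cab" in cmdline.lower() and USER_WRITABLE_RE.search(cmdline):
                findings.append(("expand_cab_in_user_path", cmdline))
        elif ev.get("EventID") == 13:  # registry value set
            target = str(ev.get("TargetObject", ""))
            details = str(ev.get("Details", ""))
            # Stage 2: persistence via a Run key whose value runs a script file.
            if RUN_KEY_RE.search(target) and SCRIPT_EXT_RE.search(details):
                findings.append(("run_key_points_to_script", f"{target} = {details}"))
    return findings


# Constructed sample telemetry (hypothetical paths and names, not real IOCs).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Windows\hh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\victim\Downloads\contract.chm'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\hh.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\loyestemp03.bat"'},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "Details": r'wscript.exe "C:\Users\victim\AppData\Roaming\uwpp.vbs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\expand.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"expand.exe C:\Users\victim\AppData\Local\Temp\update.cab -F:* C:\Users\victim\AppData\Local\Temp"},
    # Benign noise: servicing unpacks CABs under C:\Windows, and OneDrive autostarts an .exe.
    {"EventID": 1, "Image": r"C:\Windows\System32\expand.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"expand.exe C:\Windows\servicing\Packages\pkg.cab -F:* C:\Windows\servicing\tmp"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


if __name__ == "__main__":
    for rule, evidence in detect_chm_chain(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
```

Each rule is deliberately narrow: hh.exe opening a .chm from Downloads is not flagged on its own, because users do open legitimate help files, and expand.exe is only flagged when the CAB sits in a user-writable directory, which keeps Windows servicing out of the results. In a real deployment the three rules should be correlated by host and time window, since any one of them in isolation still has benign explanations.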

“Cases of using CHM files in APT attacks are also commonly found. Users must carefully check the senders of emails and refrain from opening files from unknown sources.

They should also perform routine PC checks and update their security products to the latest version,” the researchers warned.


Indicators of Compromise


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.