Tracking the CHM Malware Using EDR


CHM (Compiled HTML Help) is a Help file format based on HTML. Threat actors can embed malicious script code in the HTML pages that are compiled into a CHM file. When the file is opened, the embedded script is executed through hh.exe, the HTML Help viewer that is installed by default with the OS. MITRE ATT&CK classifies this technique, in which a threat actor uses a signed program or a program installed by default on an OS to execute malware, as T1218 (System Binary Proxy Execution). MITRE notes that malware executed via T1218 can easily evade process- and signature-based detection, because it runs through a signed binary or a default Microsoft program.
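As an added example (not from the original article), the following Python heuristic scans EDR-style process-creation events for two signs of the behaviour described above: hh.exe opening a .chm from a user-writable directory, and a command or script interpreter whose parent is hh.exe. The event field names, the sample events and the path patterns are constructed assumptions, not a particular vendor's schema.

```python
"""Heuristics for spotting CHM abuse via hh.exe in process-creation telemetry.
Field names (pid, ppid, image, cmdline) are assumed; real EDR schemas differ."""
import re

# Interpreters a help viewer has no routine reason to launch; a child of
# hh.exe matching this set is worth triage.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 1001, "ppid": 700, "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" "C:\Program Files\App\help.chm"'},
    {"pid": 2002, "ppid": 800, "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Users\bob\Downloads\invoice.chm'},
    {"pid": 2003, "ppid": 2002, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo hello"},
    {"pid": 3003, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
]

# Locations a user (and therefore a downloaded file) can write to.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\|\\Temp\\", re.I)
# First drive-rooted path ending in .chm, quoted or not.
CHM_ARG = re.compile(r'([A-Za-z]:\\[^"]*?\.chm)', re.I)


def image_name(path):
    """Return the lowercase file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, reason) pairs for events matching the heuristics."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e["image"])
        if name == "hh.exe":
            m = CHM_ARG.search(e["cmdline"])
            if m and USER_WRITABLE.search(m.group(1)):
                findings.append((e["pid"], "hh.exe opened a CHM from a user-writable path"))
        parent = by_pid.get(e["ppid"])
        if parent and image_name(parent["image"]) == "hh.exe" and name in INTERPRETERS:
            findings.append((e["pid"], "interpreter spawned by hh.exe"))
    return findings
```

Legitimate help files rarely trip either rule, so each finding is a triage lead to correlate with the CHM's origin (e.g. a mail attachment or download) rather than a verdict.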

