Malicious Word Document Being Distributed in Disguise of a News Survey – ASEC BLOG

MITRE Techniques

• [T1566.001] Spearphishing Attachment – The Word document is distributed as an email attachment with the password. ‘The file is password-protected and is deemed to be distributed as an attachment in emails alongside the password.’
• [T1059.005] Command and Scripting Interpreter: Visual Basic – Malicious VBA macro is embedded and used to execute payloads; ‘The VBA macro includes the Document_Open function, enabling the malicious macro to be executed automatically.’
• [T1027] Obfuscated/Compressed Files and Information – The macro code is obfuscated to hinder analysis; ‘The executed macro code is obfuscated with a similar method as the previous versions.’
• [T1059.001] PowerShell – Ahnlab.lnk executes Defender.log with PowerShell to run additional scripts; ‘Executes Defender.log with PowerShell.’
• [T1023] Shortcut Modification – The malware creates and uses Ahnlab.lnk to trigger further actions; ‘Ahnlab.lnk (has a Ahnlab.lnk path within the file)’.
• [T1041] Exfiltration Over C2 Channel – Collected data is uploaded to attacker-controlled servers; ‘Collected information is saved as %APPDATA%Ahnlab.hwp before being transmitted to hxxp://okihs.mypressonline[.]com/bb/post.php’ and via FTP to jojoa.mypressonline[.]com/kmas.txt
• [T1555.003] Credentials from Web Browsers – Browser data (Login Data, Cookies) is collected from Chrome/Edge profiles and saved to the local appdata before exfiltration; ‘Files containing ‘Login Data’ within %LOCALAPPDATA%GoogleChromeUser Data’ and similar entries for Edge.
• [T1070.004] Indicator Removal on Host: Clear Command History – The attacker deletes the PowerShell history file to avoid detection; ‘code to delete %APPDATA%MicrosoftWindowsPowerShellPSReadLineConsoleHost_history.txt’.
• [T1059.001] PowerShell (repeated context) – The delivered scripts eventually rely on PowerShell-based execution paths; ‘Executes Defender.log with PowerShell’.