CHM Malware Stealing User Information Being Distributed in Korea

AhnLab SEcurity intelligence Center (ASEC) has recently discovered that a CHM malware strain that steals user information is being distributed to Korean users. The malicious script is executed under the path “%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\OfficeUpdater_[minute][hour][day and month].ini”, registered as a service and scheduled to run automatically at 60-minute intervals.
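
A hunting sketch for the path and 60-minute schedule described above, added here as an example and not taken from ASEC or X-Force: it matches the OfficeUpdater_*.ini path in file-creation or command-line records and flags hosts where the file is referenced about an hour apart. The record format (timestamp|host|detail), the 4-to-8-digit suffix, the 120-second tolerance and all sample data are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Path from the advisory. The suffix is [minute][hour][day and month]; its exact
# digit layout is not given, so "4 to 8 digits" is an assumption.
IOC = re.compile(
    r"(?:%USERPROFILE%|[A-Z]:\\Users\\[^\\]+)\\AppData\\Local\\Microsoft\\Windows"
    r"\\Temporary Internet Files\\OfficeUpdater_\d{4,8}\.ini",
    re.IGNORECASE,
)
INTERVAL = 3600   # advisory: scheduled to run at 60-minute intervals
TOLERANCE = 120   # assumed scheduler jitter, in seconds

def hunt(lines):
    """Return {(host, path): {"count": n, "hourly": bool}} for matching records."""
    seen = defaultdict(list)
    for line in lines:
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # malformed record
        ts, host, detail = parts
        # Normalise forward slashes so both path spellings match.
        m = IOC.search(detail.replace("/", "\\"))
        if not m:
            continue
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue  # unparseable timestamp
        seen[(host, m.group(0).lower())].append(when)
    report = {}
    for key, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        hourly = any(abs(g - INTERVAL) <= TOLERANCE for g in gaps)
        report[key] = {"count": len(times), "hourly": hourly}
    return report

# Constructed sample records (timestamp|host|file path or command line), not real telemetry.
SAMPLE = [
    r"2024-05-02T09:15:03|PC-01|C:\Users\kim\AppData\Local\Microsoft\Windows\Temporary Internet Files\OfficeUpdater_15090205.ini",
    r'2024-05-02T10:15:05|PC-01|<script-host> "C:\Users\kim\AppData\Local\Microsoft\Windows\Temporary Internet Files\OfficeUpdater_15090205.ini"',
    r"2024-05-02T09:20:00|PC-02|C:\Users\lee\AppData\Local\Temp\OfficeUpdater.log",
    r"2024-05-02T11:00:00|PC-03|c:/users/park/appdata/local/microsoft/windows/temporary internet files/officeupdater_00110205.ini",
]

if __name__ == "__main__":
    for (host, path), info in hunt(SAMPLE).items():
        print(host, info, path)
```

A single match is already worth triage; the hourly flag only adds confidence that the scheduled execution is active on that host.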

Disclaimer: This article is part of X-Force OSINT Advisories automated collection to enable faster integration of open-source articles to client environments. All credit and copyright goes to the original authors.

Reference:
https://asec.ahnlab.com/en/65245/

Sample Indicators of Compromise:

b2c74dbf20824477c3e139b48833041b
