In this day and age, no large public event is off limits from some form of attack or compromise. The Olympic games are certainly no exception here. From well-crafted phishing lures (which start well before the actual games) to outright malicious and destructive attacks, we have seen the whole range during past Olympic games.
The same holds true for the current Olympic games in Pyeonchang. News of a cyber ‘event’ quickly spread early this week in the form of an outage which affected availability of the official Pyeongchang 2018 website, media services in the main Olympic press center, and wireless services in the Pyeonchang Olympic stadium.
With news and data quickly circulating, the event was ultimately connected to a destructive malware campaign dubbed “Olympic Destroyer.” Little is known or disclosed regarding the initial infection vector.
Primary characteristics of the malware components include:
• Lateral movement via WMI and PsExec
• Destroys local logs and VSS data
• Contains hardcoded credentials (specific to the target environment)
• Credential stealing mechanism is supplemented by stolen credentials acquired via browser-based credential stealer and a Mimikatz-like stealer (LSASS based)
NOTE: Some firms were initially reporting the use of the ETERNALROMANCE SMB exploit within Olympic Destroyer. Those reports (including tweets from Microsoft) have since been withdrawn as further analysis shows no use of the flaw in currently circulating samples.
Based on current analysis, the primary goal is destruction and disruption. Our team is continuing to monitor and analyze this situation.
There are some important points to stress here. Attribution and true intent are often complex and unfold over time. Jumping to conclusions around ‘who’ is behind this attack and ‘why’ (this early in the timeline) does little to further the discourse. If history is any guide, this event is not solitary but rather a small piece of a larger campaign that will unfold over time. It is equally possible that this highly visible event was a distraction to divert attention from other more severe events.
Bottom line… we all need to be patient, avoid foredrawn conclusions, and allow official investigations to proceed.
IOCs (SHA256)
19ab44a1343db19741b0e0b06bacce55990b6c8f789815daaf3476e0cc30ebea
28858CC6E05225F7D156D1C6A21ED11188777FA0A752CB7B56038D79A88627CC
28858cc6e05225f7d156d1c6a21ed11188777fa0a752cb7b56038d79a88627cc
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef - PsEXEC
3E27B6B287F0B9F7E85BFE18901D961110AE969D58B44AF15B1D75BE749022C2
3e27b6b287f0b9f7e85bfe18901d961110ae969d58b44af15b1d75be749022c2
ab5bf79274b6583a00be203256a4eacfa30a37bc889b5493da9456e2d5885c7f
ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85
D934CB8D0EADB93F8A57A9B8853C5DB218D5DB78C16A35F374E413884D915016
d934cb8d0eadb93f8a57a9b8853c5db218d5db78c16a35f374e413884d915016
edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9
EDB1FF2521FB4BF748111F92786D260D40407A2E8463DCD24BB09F908EE13EB9
f188abc33d351c2254d794b525c5a8b79ea78acd3050cd8d27d3ecfc568c2936
Delivering Malware via Telegram
The popular encrypted Messaging application, Telegram, recently released an update to address a flaw, which allowed the remote distribution of malware via the improper handling of specific Unicode characters. This flaw allowed attackers to trick victims into opening what appears to be a “safe” file but is actually malicious JavaScript.
It is believed that this flaw was actively exploited between March and October 2017 (when the flaw was discovered and reported to Telegram). Attacks leveraging this flaw have successfully implanted multiple types of malware on target hosts, the most common of which are RATs, cryptocurrency miners, and generic multifunction trojans.
While some have disputed the validity of the flaw, Telegram has already issued a fix.
The flaw relied heavily on social engineering and user interaction. Even with the malicious file types being disguised, the target user still had to click on it AND agree to allow it to execute (which should be a tip-off that it is executable code and not a benign image). While that may be true, it is also true that the attack was being successfully exploited and the attacks did work, leading to infected and compromised users.
So, in that light, cheers to Telegram for issuing a fix and keeping users that much more safe.
New Bytes from the HIDDEN COBRA
On February 13, the US-CERT, through multiple public channels, issued updates on specific malicious activity attributed to the North Korean Government. Two Malware Analysis Reports (MAR) were released covering specific details around HIDDEN COBRA/ HARDRAIN/ BADCALL activity.
The full MAR reports (MAR-10135536-G and MAR-10135536-F) have been posted on the US-CERT site, including STIX documents.
MAR-10135536-B (HARDRAIN) contains details covering two Windows-based executables (proxy servers) along with an Android-based (ELF) Remote Administration Tool, or RAT. MAR-10135536-G (BADCALL) describes two Windows-based proxy executables and another type of Android RAT (APK).
IOCs
BADCALL (MD5s)
c01dc42f65acaf1c917c0cc29ba63adc
d93b6a5c04d392fc8ed30375be17beb4
c6f78ad187c365d117cacbee140f6230
HARDRAIN (MD5s)
3dae0dc356c2b217a452b477c4b1db06
746cfecfd348b0751ce36c8f504d2c76
9ce9a0b3876aacbf0e8023c97fd0a21d
Additional IOCs and YARA rules are available in the full MARs on the US-CERT site.
CylancePROTECT® prevents execution of threats associated with the Olympic Destroyer and HIDDEN COBRA as described in this post. Believe the math!