malware under the magnifying glass
Sophisticated implants such as Gold Dragon, Brave Prince, Ghost419, and RunningRat allow hackers to steal sensitive data from systems owned by organisations involved with the Winter Olympics in South Korea. 

Back in January, a McAfee Advanced Threat Research report revealed how hackers were launching phishing attacks on organisations involved with the upcoming Winter Olympics in South Korea. 

Emails sent by the hackers were made to appear as if they came from the South Korean National Counter-Terrorism Center, and attachments in these emails contained malicious code that gave the hackers the ability to execute commands and to download additional malware onto affected systems.

"The attackers originally embedded an implant into the malicious document as a hypertext application (HTA) file, and then quickly moved to hide it in an image on a remote server and used obfuscated Visual Basic macros to launch the decoder script. They also wrote custom PowerShell code to decode the hidden image and reveal the implant," said a McAfee spokesman.

Following their initial findings, McAfee's Advanced Threat Research team conducted further analysis and discovered new implants which, according to them, allowed attackers to 'gain persistence for continued data exfiltration and for targeted access'.

One of the implants, dubbed Gold Dragon, is a second-stage payload and, unlike the PowerShell implant discovered earlier, has a much more robust persistence mechanism, allowing attackers to do much more to the target system. It is essentially a data-gathering implant: it generates a key to encrypt the data it obtains from the system and then sends that data to a remote server owned by the attackers.

The researchers added that the first variants of Gold Dragon were observed in July last year and that as many as five variants of the implant were used heavily by the hackers while targeting the Olympics organisations. They also observed other implants, which they named Brave Prince, Ghost419, and RunningRat.

Brave Prince helps attackers gather detailed logs about the victim's configuration, the contents of the hard drive, the registry, scheduled tasks, running processes, and more, while Ghost419 contains shared elements and code from both Gold Dragon and Brave Prince. RunningRat, unlike the other implants, is a Remote Access Trojan which first kills a Korean security program named daumcleaner.exe and then captures user keystrokes and sends them to a control server.

'The implants covered in this research establish a permanent presence on the victim's system once the PowerShell implant is executed. The implants are delivered as a second stage once the attacker gains an initial foothold using fileless malware. Some of the implants will maintain their persistence only if Hangul Word, which is specific to South Korea, is running,' the researchers said.

The new implants are hard to remove once they infiltrate a system, and they also allow hackers to gain access to sensitive data stored by organisations involved with the Winter Olympics. However, none of these implants would matter if such organisations ensured that their employees could spot phishing emails and ignore or report the ones that look suspicious.

'The Winter Olympics was always going to be a prime target, as events such as these offer a range of easily accessible targets – many of whom are very susceptible to a well-timed phishing email. In this case, busy users on high alert have been duped into opening emails posing as a terror threat from South Korea's National Counter-Terrorism Center,' says Fraser Kyne, EMEA CTO at Bromium.

He adds that instead of blaming the user, organisations should avoid investing in failed detect-to-protect cyber-security solutions that cannot do much against phishing tactics. Instead, they must look into new security measures that take the onus off the user.

'Virtualisation can provide this. By isolating each application – whether that's a web browser or an email attachment – within its own virtual machine, and providing a protect-first approach, you can set your users free whilst ensuring the complete safety of the rest of your system,' Kyne adds.