Saturday, June 15, 2024

Hackers Launch Olympic Destroyer Malware to Attack Financial Organizations using Obfuscated Scripts to Evade Detection

Olympic Destroyer Malware raised again through weaponized documents and currently targeting various Financial Organization with upgraded capabilities and evade the detection of flying under the radar.

Olympic Destroyer is a self-replicating and self-modifying destructive network worm that spreads to reconnaissance and infiltration into target networks.

Few months before Lazarus Hacking Group actively spreading Olympic Destroyer malware which was targetted Olympics website and took down the IT systems.

Its current attack is focusing on Financial organizations in Russia and biological and chemical threat prevention laboratories in Europe and Ukraine.

Researchers believe that Lazarus APT that behind the Olympic Destroyer malware to be associated with North Korea.

It also spreading with sophisticated technique and they continue to use a non-binary executable infection vector and obfuscated scripts to evade detection.

Based on several target profiles and limited victim reports, researchers believe that the recent operation by Olympic Destroyer targets Russia, Ukraine, and several other European countries.

Olympic Destroyer Malware Infection Process

Olympic Destroyer using different technologies and very complex infection process with various scripts such as mixing VBA code, MS HTA, and more Powershell inside of the JScript.

Initially distributed through office document and it is heavily obfusticated, that contain embedded VBA macro which helps to execute the Powershell command.

Later it started the new obfuscated Powershell scriptlet via the command line which is used to rearranging the original code and protect all commands and strings such as the command and control (C2) server address.

                   Obfuscated command line Powershell scriptlet

Also, Attacker using some script that helps to disable Powershell script logging to avoid leaving traces. and second stages of the Payload also execute the another PowerShell script.

After the deobfuscation, it downloads the next stage payload from the same server address and the final payload is the Powershell Empire agent.

According to Kaspersky. Powershell Empire is free to post exploitation tool and its open-source framework written in Python and Powershell that allows fileless control of the compromised hosts, has a modular architecture and relies on encrypted communication.

This framework is widely used by penetration-testing companies in legitimate security tests for lateral movement and information gathering.

Also, Olympic Destroyer malware handled by an attacker using compromised web server to hosting and controlling malware.

Website

Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles