Saturday, May 24, 2025
HomeHacksOlympicDestroyer - A Highly Sophisticated Cyber Attack by Lazarus Hacking Group

OlympicDestroyer – A Highly Sophisticated Cyber Attack by Lazarus Hacking Group

Published on

SIEM as a Service

Follow Us on Google News

A Sophisticated cyber attack has been reported already that targeted against the   Pyeongchang Winter Olympics infrastructure using OlympicDestroyer Malware by Lazarus Hacking Group.

This clever cyber attack leads to taking down the IT systems ahead of official opening ceremonies, shutting down display monitors, killing Wi-Fi, and taking down the Olympics website so that visitors were unable to print tickets.

The previous analysis concluded by Cisco Talos team published that, it has similarities between the attack, Petya (Expetr/NotPetya) and BadRabbit.

- Advertisement - Google News

But new investigation revealed a lot more false flags that various advanced techniques used to destroy the targeting systems and server.

In this case, OlympicDestroyer contains multiple advanced components and act as a network worm, it using legitimate tools such as PsExec tool, credential stealer module.

This Modules Main purpose is to destroy files on the remote network shares in the victim’s network over 60 minutes after the infection.

OlympicDestroyer main module collects user passwords from the browser and Windows storage and crafts a new generation of the worm that compromise the local network computers and using the PsExec tool.

OlympicDestroyer
OlympicDestroyer component relations

Most advanced Infect Vector

Traditional malware attacks through MS Office documents with an embedded macro that asks users to enable the content and document starts a cmd.exe with a command line to execute a PowerShell script and eventually infected victims computer will be compromised.

In this case, Kaspersky analysts got an administrative access to one of the affected servers located in a hotel based in Pyeongchang county, South Korea.

Further investigation revealed that malicious traffic from infected systems resolved its command and control server which is located in Argentina.

Once the host infected in an attempt to connect the multiple connections to this server on ports such as 443, 4443, 8080,8081,8443,8880.

The sever has been purchased from Bulgaria based reseller and the server placed in Argentina and the server information is shielded the registration data, except the DNS servers, which indicate it was purchased via MonoVM, a VPS for a bitcoin.

A malicious document that spreading via spear-phishing email used by attackers that responsible for launching the OlympicDestroyer worm. In addition, this document includes a PowerShell command that closely resembles the PowerShell backdoor found in the network of the OlympicDestroyer victim.

“The PowerShell scripts listed below were used in the weaponized documents and as a standalone backdoor. As standalone fileless backdoor, they were built and obfuscated using the same tool. “

OlympicDestroyer Propagation

Lazarus Hacking Group’s OlympicDestroyer is a network worm that steals the victim’s credentials using various malicious attempt in network.

OlympicDestroyer

“The diagram above was built based on extracted lists of credentials with hostnames and some alleged roles of the servers based on respective names. We can see there were at least three independent launch pads for the worm: Atos.net company, ski resort hotels, and the Pyeongchang2018.com server.”

Considering all of the above it it now looks like a very sophisticated false flag which was placed inside the malware intentionally in order to give threat hunter impression that they found a smoking gun evidence, knocking them off the trail to the accurate attribution. Kaspersky said.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Volkswagen Car Hack Exposes Owner’s Personal Data and Service Records

Tech-savvy Volkswagen owner has uncovered critical security flaws in the My Volkswagen app that...

Phishing Campaign Uses Blob URLs to Bypass Email Security and Avoid Detection

Cybersecurity researchers at Cofense Intelligence have identified a sophisticated phishing tactic leveraging Blob URIs...

UK Government to Shift Away from Passwords in New Security Move

UK government has unveiled plans to implement passkey technology across its digital services later...