Monday, March 4, 2024

OlympicDestroyer – A Highly Sophisticated Cyber Attack by Lazarus Hacking Group

A Sophisticated cyber attack has been reported already that targeted against the   Pyeongchang Winter Olympics infrastructure using OlympicDestroyer Malware by Lazarus Hacking Group.

This clever cyber attack leads to taking down the IT systems ahead of official opening ceremonies, shutting down display monitors, killing Wi-Fi, and taking down the Olympics website so that visitors were unable to print tickets.

The previous analysis concluded by Cisco Talos team published that, it has similarities between the attack, Petya (Expetr/NotPetya) and BadRabbit.

But new investigation revealed a lot more false flags that various advanced techniques used to destroy the targeting systems and server.

In this case, OlympicDestroyer contains multiple advanced components and act as a network worm, it using legitimate tools such as PsExec tool, credential stealer module.

This Modules Main purpose is to destroy files on the remote network shares in the victim’s network over 60 minutes after the infection.

OlympicDestroyer main module collects user passwords from the browser and Windows storage and crafts a new generation of the worm that compromise the local network computers and using the PsExec tool.

OlympicDestroyer component relations

Most advanced Infect Vector

Traditional malware attacks through MS Office documents with an embedded macro that asks users to enable the content and document starts a cmd.exe with a command line to execute a PowerShell script and eventually infected victims computer will be compromised.

In this case, Kaspersky analysts got an administrative access to one of the affected servers located in a hotel based in Pyeongchang county, South Korea.

Further investigation revealed that malicious traffic from infected systems resolved its command and control server which is located in Argentina.

Once the host infected in an attempt to connect the multiple connections to this server on ports such as 443, 4443, 8080,8081,8443,8880.

The sever has been purchased from Bulgaria based reseller and the server placed in Argentina and the server information is shielded the registration data, except the DNS servers, which indicate it was purchased via MonoVM, a VPS for a bitcoin.

A malicious document that spreading via spear-phishing email used by attackers that responsible for launching the OlympicDestroyer worm. In addition, this document includes a PowerShell command that closely resembles the PowerShell backdoor found in the network of the OlympicDestroyer victim.

“The PowerShell scripts listed below were used in the weaponized documents and as a standalone backdoor. As standalone fileless backdoor, they were built and obfuscated using the same tool. “

OlympicDestroyer Propagation

Lazarus Hacking Group’s OlympicDestroyer is a network worm that steals the victim’s credentials using various malicious attempt in network.


“The diagram above was built based on extracted lists of credentials with hostnames and some alleged roles of the servers based on respective names. We can see there were at least three independent launch pads for the worm: company, ski resort hotels, and the server.”

Considering all of the above it it now looks like a very sophisticated false flag which was placed inside the malware intentionally in order to give threat hunter impression that they found a smoking gun evidence, knocking them off the trail to the accurate attribution. Kaspersky said.


Latest articles

US Court Orders NSO Group to Handover Code for Spyware, Pegasus to WhatsApp

Meta, the company that owns WhatsApp, filed a lawsuit against NSO Group in 2019....

New SSO-Based Phishing Attack Trick Users into Sharing Login Credentials  

Threat actors employ phishing scams to trick individuals into giving away important details like...

U.S. Charged Iranian Hacker, Rewards up to $10 Million

The United States Department of Justice (DoJ) has charged an Iranian national, Alireza Shafie...

Huge Surge in Ransomware-as-a-Service Attacks targeting Middle East & Africa

The Middle East and Africa (MEA) region has witnessed a surge in ransomware-as-a-service (RaaS)...

New Silver SAML Attack Let Attackers Forge Any SAML Response To Entra ID

SolarWinds cyberattack was one of the largest attacks of the century in which attackers...

AI Worm Developed by Researchers Spreads Automatically Between AI Agents

Researchers have developed what they claim to be one of the first generative AI...

20 Million+ Cutout.Pro User Records Leaked On Hacking Forums

CutOut.Pro, an AI-powered photo and video editing platform, has reportedly suffered a data breach,...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles