A Sophisticated cyber attack has been reported already that targeted against the   Pyeongchang Winter Olympics infrastructure using OlympicDestroyer Malware by Lazarus Hacking Group.

This clever cyber attack leads to taking down the IT systems ahead of official opening ceremonies, shutting down display monitors, killing Wi-Fi, and taking down the Olympics website so that visitors were unable to print tickets.

The previous analysis concluded by Cisco Talos team published that, it has similarities between the attack, Petya (Expetr/NotPetya) and BadRabbit.

But new investigation revealed a lot more false flags that various advanced techniques used to destroy the targeting systems and server.

In this case, OlympicDestroyer contains multiple advanced components and act as a network worm, it using legitimate tools such as PsExec tool, credential stealer module.

This Modules Main purpose is to destroy files on the remote network shares in the victim’s network over 60 minutes after the infection.

OlympicDestroyer main module collects user passwords from the browser and Windows storage and crafts a new generation of the worm that compromise the local network computers and using the PsExec tool.

OlympicDestroyer
OlympicDestroyer component relations

Most advanced Infect Vector

Traditional malware attacks through MS Office documents with an embedded macro that asks users to enable the content and document starts a cmd.exe with a command line to execute a PowerShell script and eventually infected victims computer will be compromised.

In this case, Kaspersky analysts got an administrative access to one of the affected servers located in a hotel based in Pyeongchang county, South Korea.

Further investigation revealed that malicious traffic from infected systems resolved its command and control server which is located in Argentina.

Once the host infected in an attempt to connect the multiple connections to this server on ports such as 443, 4443, 8080,8081,8443,8880.

The sever has been purchased from Bulgaria based reseller and the server placed in Argentina and the server information is shielded the registration data, except the DNS servers, which indicate it was purchased via MonoVM, a VPS for a bitcoin.

A malicious document that spreading via spear-phishing email used by attackers that responsible for launching the OlympicDestroyer worm. In addition, this document includes a PowerShell command that closely resembles the PowerShell backdoor found in the network of the OlympicDestroyer victim.

“The PowerShell scripts listed below were used in the weaponized documents and as a standalone backdoor. As standalone fileless backdoor, they were built and obfuscated using the same tool. ”

OlympicDestroyer Propagation

Lazarus Hacking Group’s OlympicDestroyer is a network worm that steals the victim’s credentials using various malicious attempt in network.

OlympicDestroyer

“The diagram above was built based on extracted lists of credentials with hostnames and some alleged roles of the servers based on respective names. We can see there were at least three independent launch pads for the worm: Atos.net company, ski resort hotels, and the Pyeongchang2018.com server.”

Considering all of the above it it now looks like a very sophisticated false flag which was placed inside the malware intentionally in order to give threat hunter impression that they found a smoking gun evidence, knocking them off the trail to the accurate attribution. Kaspersky said.