Saturday, July 20, 2024

OlympicDestroyer – A Highly Sophisticated Cyber Attack by Lazarus Hacking Group

A Sophisticated cyber attack has been reported already that targeted against the   Pyeongchang Winter Olympics infrastructure using OlympicDestroyer Malware by Lazarus Hacking Group.

This clever cyber attack leads to taking down the IT systems ahead of official opening ceremonies, shutting down display monitors, killing Wi-Fi, and taking down the Olympics website so that visitors were unable to print tickets.

The previous analysis concluded by Cisco Talos team published that, it has similarities between the attack, Petya (Expetr/NotPetya) and BadRabbit.

But new investigation revealed a lot more false flags that various advanced techniques used to destroy the targeting systems and server.

In this case, OlympicDestroyer contains multiple advanced components and act as a network worm, it using legitimate tools such as PsExec tool, credential stealer module.

This Modules Main purpose is to destroy files on the remote network shares in the victim’s network over 60 minutes after the infection.

OlympicDestroyer main module collects user passwords from the browser and Windows storage and crafts a new generation of the worm that compromise the local network computers and using the PsExec tool.

OlympicDestroyer component relations

Most advanced Infect Vector

Traditional malware attacks through MS Office documents with an embedded macro that asks users to enable the content and document starts a cmd.exe with a command line to execute a PowerShell script and eventually infected victims computer will be compromised.

In this case, Kaspersky analysts got an administrative access to one of the affected servers located in a hotel based in Pyeongchang county, South Korea.

Further investigation revealed that malicious traffic from infected systems resolved its command and control server which is located in Argentina.

Once the host infected in an attempt to connect the multiple connections to this server on ports such as 443, 4443, 8080,8081,8443,8880.

The sever has been purchased from Bulgaria based reseller and the server placed in Argentina and the server information is shielded the registration data, except the DNS servers, which indicate it was purchased via MonoVM, a VPS for a bitcoin.

A malicious document that spreading via spear-phishing email used by attackers that responsible for launching the OlympicDestroyer worm. In addition, this document includes a PowerShell command that closely resembles the PowerShell backdoor found in the network of the OlympicDestroyer victim.

“The PowerShell scripts listed below were used in the weaponized documents and as a standalone backdoor. As standalone fileless backdoor, they were built and obfuscated using the same tool. “

OlympicDestroyer Propagation

Lazarus Hacking Group’s OlympicDestroyer is a network worm that steals the victim’s credentials using various malicious attempt in network.


“The diagram above was built based on extracted lists of credentials with hostnames and some alleged roles of the servers based on respective names. We can see there were at least three independent launch pads for the worm: company, ski resort hotels, and the server.”

Considering all of the above it it now looks like a very sophisticated false flag which was placed inside the malware intentionally in order to give threat hunter impression that they found a smoking gun evidence, knocking them off the trail to the accurate attribution. Kaspersky said.


Latest articles

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,'...

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users,...

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have...

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles