Thursday, March 28, 2024

OlympicDestroyer – A Highly Sophisticated Cyber Attack by Lazarus Hacking Group

A Sophisticated cyber attack has been reported already that targeted against the   Pyeongchang Winter Olympics infrastructure using OlympicDestroyer Malware by Lazarus Hacking Group.

This clever cyber attack leads to taking down the IT systems ahead of official opening ceremonies, shutting down display monitors, killing Wi-Fi, and taking down the Olympics website so that visitors were unable to print tickets.

The previous analysis concluded by Cisco Talos team published that, it has similarities between the attack, Petya (Expetr/NotPetya) and BadRabbit.

But new investigation revealed a lot more false flags that various advanced techniques used to destroy the targeting systems and server.

In this case, OlympicDestroyer contains multiple advanced components and act as a network worm, it using legitimate tools such as PsExec tool, credential stealer module.

This Modules Main purpose is to destroy files on the remote network shares in the victim’s network over 60 minutes after the infection.

OlympicDestroyer main module collects user passwords from the browser and Windows storage and crafts a new generation of the worm that compromise the local network computers and using the PsExec tool.

OlympicDestroyer
OlympicDestroyer component relations

Most advanced Infect Vector

Traditional malware attacks through MS Office documents with an embedded macro that asks users to enable the content and document starts a cmd.exe with a command line to execute a PowerShell script and eventually infected victims computer will be compromised.

In this case, Kaspersky analysts got an administrative access to one of the affected servers located in a hotel based in Pyeongchang county, South Korea.

Further investigation revealed that malicious traffic from infected systems resolved its command and control server which is located in Argentina.

Once the host infected in an attempt to connect the multiple connections to this server on ports such as 443, 4443, 8080,8081,8443,8880.

The sever has been purchased from Bulgaria based reseller and the server placed in Argentina and the server information is shielded the registration data, except the DNS servers, which indicate it was purchased via MonoVM, a VPS for a bitcoin.

A malicious document that spreading via spear-phishing email used by attackers that responsible for launching the OlympicDestroyer worm. In addition, this document includes a PowerShell command that closely resembles the PowerShell backdoor found in the network of the OlympicDestroyer victim.

“The PowerShell scripts listed below were used in the weaponized documents and as a standalone backdoor. As standalone fileless backdoor, they were built and obfuscated using the same tool. “

OlympicDestroyer Propagation

Lazarus Hacking Group’s OlympicDestroyer is a network worm that steals the victim’s credentials using various malicious attempt in network.

OlympicDestroyer

“The diagram above was built based on extracted lists of credentials with hostnames and some alleged roles of the servers based on respective names. We can see there were at least three independent launch pads for the worm: Atos.net company, ski resort hotels, and the Pyeongchang2018.com server.”

Considering all of the above it it now looks like a very sophisticated false flag which was placed inside the malware intentionally in order to give threat hunter impression that they found a smoking gun evidence, knocking them off the trail to the accurate attribution. Kaspersky said.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles