Phishing Campaign Targeting Companies Associated with Pyeongchang Olympics

Security researchers from McAfee spotted a Phishing campaign targeting companies associated with Pyeongchang Olympic 2018.The multi-sport event is to take place in South Korea.

Hackers primarily targetted icehockey@pyeongchang2018.com and several other Korean companies in BCC.And most of them associated in some way to Pyeongchang Olympic.

McAfee Researchers spotted the campaign started on December 22, 2017, and the activity appeared up to December 28, 2017.All the Email sent from IP address 43.249.39.152 in Singapore and the attackers spoofed the Email address to have appeared as info@nctc.go.kr.

Attached is an email was a malicious Microsoft Word document with the original file name 농식품부, 평창 동계올림픽 대비 축산악취 방지대책 관련기관 회의 개최.doc (“Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics”).

Attackers embedded malicious documents as a hypertext application (HTA) file and then hide it as an image in the remote server with visual basic macros to launch the decoder script.Researchers said they also wrote custom PowerShell code to decode the hidden image and reveal the implant.

Also Read Real-Time Intelligence Feed to Catch Malicious Phishing Domains SSL Certificate

When the victim opens the document it asks to “enable content” to load the file properly in word, if victim clicks on “enable content” then the malicious document executes PowerShell script which downloads and reads an image file from a remote location and carves out a hidden PowerShell implant script embedded within the image file to execute.

The script is heavily disguised with string-based obfuscation to make the analysis job difficult researchers deobfuscate the control server URLs, the implant establishes a connection to the following site over SSL.

hxxps://www[dot]thlsystems[dot]forfirst[dot]cz:443/components/com_tags/views/login/process[dot]php

Researchers said, based on our analysis, this implant establishes an encrypted channel to the attacker’s server, likely giving the attacker the ability to execute commands on the victim’s machine and to install additional malware.

“With the upcoming Olympics, we expect to see an increase in cyber attacks using Olympics-related themes,” the McAfee report concluded.

IoC of attacks – Pyeongchang Olympic

SHA-1

c388b693d10e2b84af52ab2c29eb9328e47c3c16
8ad0a56e3db1e2cd730031bdcae2dbba3f7aba9c

IPs

200.122.181.63

Domains

thlsystems.forfirst.cz
mafra.go.kr.jeojang.ga