Hackers are targeting the upcoming Winter Olympics with a phishing and malware campaign directed at the organisations that provide infrastructure and other support for the Games.
The campaign targets a number of organisations involved with the Olympic and Paralympic Winter Games, set to take place in Pyeongchang, South Korea next month. It uses a previously unseen form of malware designed to hand control of the victim's machine over to the attackers.
Among those sent the messages are individuals associated with the ice hockey tournament at the Games. The attack has been dubbed 'Operation PowerShell Olympics' by the researchers at McAfee Labs, who uncovered it taking place in late December.
"This particular malware has not been seen before and it is something custom that was created by the attacker," Ryan Sherstobitoff, senior analyst at McAfee Advanced Threat Research, told ZDNet.
The attacks begin with emails designed to look as if they come from the South Korean National Counter-Terrorism Center (NCTC), complete with a spoofed, authentic-looking sender address. Because the address is spoofed, the messages appear to be official NCTC communications, when in fact researchers believe they were sent from an IP address in Singapore.
These phishing emails, sent in Korean, contain a brief message about a report from a South Korean government agency and the Pyeongchang Olympics. The emails point the potential victim towards an attached Word document, whose file name translates as 'Organised by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics'.
If opened, the document tells the user they must click to enable content; if they do, the macros that install the malware run via a hidden PowerShell script.
Researchers note that the attacks use an open source steganography tool, released on December 20, to embed the PowerShell script into an image file, allowing the attackers to retrieve the image, and the implant it carries, from a remote server in a fileless malware attack.
Analysis of the implant suggests its purpose is to establish an encrypted channel to the attacker's server -- with the PowerShell implant set to start automatically every day at 2am to carry out scheduled tasks, giving the hackers the ability to execute commands and install additional malware.
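A defender-side check for the scheduled-task behaviour just described, added here as an example and not part of the original article or of McAfee's research: it parses exported Windows Task Scheduler XML definitions (the format written by `schtasks /query /xml` and stored under `C:\Windows\System32\Tasks`) and flags tasks that fire daily at 02:00 and launch PowerShell with a hidden window or an encoded command. The two sample task definitions and the placeholder argument are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler XML definitions
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# PowerShell switches that hide the console window or carry an encoded script body
HIDDEN_OR_ENCODED = re.compile(
    r"-(?:w|windowstyle)\s+hidden|-(?:e|ec|enc|encodedcommand)\s+\S", re.I)

# Constructed samples: one mirrors the article's pattern, one is a routine admin job
SUSPECT_TASK = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
 <Triggers><CalendarTrigger><StartBoundary>2018-01-05T02:00:00</StartBoundary>
  <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
 <Actions><Exec><Command>powershell.exe</Command>
  <Arguments>-NoP -w hidden -enc PLACEHOLDER_BASE64</Arguments></Exec></Actions>
</Task>"""
BENIGN_TASK = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
 <Triggers><CalendarTrigger><StartBoundary>2018-01-05T02:00:00</StartBoundary>
  <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
 <Actions><Exec><Command>powershell.exe</Command>
  <Arguments>-ExecutionPolicy RemoteSigned -File C:\\Scripts\\backup.ps1</Arguments></Exec></Actions>
</Task>"""

def assess_task(xml_text):
    """Summarise one task: does it repeat daily, at which hours, and does any Exec action run PowerShell with hidden/encoded arguments."""
    root = ET.fromstring(xml_text)
    hours, daily = [], False
    for trig in root.findall(".//t:Triggers/t:CalendarTrigger", NS):
        m = re.search(r"T(\d{2}):\d{2}", trig.findtext("t:StartBoundary", "", NS))
        if m:
            hours.append(int(m.group(1)))
        daily |= trig.find("t:ScheduleByDay", NS) is not None
    ps_hidden = False
    for act in root.findall(".//t:Actions/t:Exec", NS):
        cmd = act.findtext("t:Command", "", NS).lower()
        args = act.findtext("t:Arguments", "", NS)
        if "powershell" in cmd and HIDDEN_OR_ENCODED.search(args):
            ps_hidden = True
    return {"daily": daily, "hours": hours, "powershell_hidden": ps_hidden}

def matches_2am_powershell_pattern(xml_text):
    """Hunt rule for the behaviour in the article: daily at 02:00, hidden or encoded PowerShell."""
    a = assess_task(xml_text)
    return a["daily"] and 2 in a["hours"] and a["powershell_hidden"]
```

The hour is fixed to match the article; in a real hunt, report every daily task that launches hidden or encoded PowerShell and review the trigger time as supporting context.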
"This implant is what establishes a hidden encrypted channel to the attackers' server from memory, thus making it fileless. This does not rule out the possibility of installing additional malware through this channel to gather specific information of interest," said Sherstobitoff.
During the course of the investigation, researchers discovered a cached Apache server log which showed an IP address from South Korea connecting to the specific URL paths contained in the PowerShell implants, indicating that the intended targets were likely to have been infected.
Further investigation revealed that the IP address from the PowerShell implant was connected to an anonymous domain provider based in Costa Rica; the attacker used this domain to link to the South Korean Ministry of Agriculture and Forestry, parts of whose infrastructure the attacker has somehow managed to use to carry out the attack.
Researchers are uncertain how many have been infected by the attack, but the campaign is thought to have targeted a wide range of South Korean organisations in the run-up to the Winter Olympics. In similar campaigns in the past, victims were targeted for their passwords and financial information.
The phishing document was created on December 22, but rather than containing macros, it uses OLE (Object Linking and Embedding) streams to carry out the attack. The document was created by the same author, 'John', who created the malicious PowerShell script.
Despite some evidence about how the attacks took place, researchers haven't been able to identify the perpetrator, but they do note that whoever is behind the campaign must be fluent in Korean and that the motive is to gather intelligence about organisations involved in the South Korea-hosted Winter Olympics.
"Technical details alone are often not enough to determine attribution. We are able to ascertain that the attackers have been trained in Korean language to ensure that the targets open the attachment, and the objective seems to be to gather information on the planning, direction and infrastructure related to the Olympics," said Sherstobitoff.
To avoid falling victim to such attacks -- including fileless malware distributed as part of Operation PowerShell Olympics -- organisations should educate their employees to be mindful of suspicious emails and unexpected attachments.