Hackers target Winter Olympics with new custom-built fileless malware

Researchers have uncovered a campaign targeting organisations involved with next month's Games in South Korea, with the aim of controlling infected machines.
Written by Danny Palmer, Senior Writer

Hackers are targeting the upcoming Winter Olympics with a phishing and malware campaign directed at the organisations that provide infrastructure and other support for the Games.

The campaign targets a number of organisations involved with the Olympic and Paralympic Winter Games, set to take place in Pyeongchang, South Korea next month. It uses a previously unseen form of malware designed to hand control of the victim's machine over to the attackers.


Among those sent the messages are individuals associated with the ice hockey tournament at the Games. The attack has been dubbed 'Operation PowerShell Olympics' by the researchers at McAfee Labs, who uncovered it taking place in late December.

"This particular malware has not been seen before and it is something custom that was created by the attacker," Ryan Sherstobitoff, senior analyst at McAfee Advanced Threat Research, told ZDNet.


Email addresses associated with ice hockey at the South Korea Winter Olympics were among those targeted by attackers.

Image: Getty

The attacks begin with emails designed to look as if they come from the South Korean National Counter-Terrorism Center, complete with a spoofed, authentic looking email address. By spoofing the email address in this way, the messages look like they're official NCTC communications, when in fact researchers believe they're being sent from an IP address in Singapore.

These phishing emails, sent in Korean, contain a brief message talking about a report from a South Korean government agency and the Pyeongchang Olympics. The emails point the potential victim towards an attached Word document, which has a file name which translates as 'Organised by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics'.

If opened, the document tells the user to click 'Enable Content'; doing so allows the macros that install the malware to run via a hidden PowerShell script.


The lure document used in the cyber-attacks targeting the South Korea Winter Olympics.

Image: McAfee Labs

Researchers note that the attacks use an open source steganography tool, released on December 20, to embed the PowerShell script in an image file, allowing the attackers to deliver the implant from a remote server in a fileless malware attack.

Analysis of the implant suggests its purpose is to establish an encrypted channel to the attacker's server. The PowerShell implant is set to start automatically at 2am each day to carry out its scheduled tasks, giving the attackers the ability to execute commands and install additional malware.

"This implant is what establishes a hidden encrypted channel to the attackers' server from memory, thus making it fileless. This does not rule out the possibility of installing additional malware through this channel to gather specific information of interest," said Sherstobitoff.


During the course of the investigation, researchers discovered a cached Apache server log which showed an IP address from South Korea connecting to the specific URL paths contained in the PowerShell implants, indicating that the intended targets were likely to have been infected.
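The server-side evidence described above, a web server log showing a source IP reaching the implant's callback paths, is the kind of artifact a defender can hunt for in their own logs. The following is an added example (not McAfee's tooling or anything from the article) that parses Apache combined-format access log lines, matches requests against a list of indicator URL paths, and summarises which sources successfully reached them. The indicator paths and the log lines are constructed placeholders, since the article does not publish the real paths; the user-agent check assumes the implant fetches with PowerShell's web cmdlets, whose default user agent contains "WindowsPowerShell/".

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Apache "combined" log format:
# ip ident user [timestamp] "METHOD path protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical indicator paths. The article does not publish the real URL paths
# from the implant, so these are labelled placeholders.
INDICATOR_PATHS = {
    "/IOC_PATH_PLACEHOLDER/check.php",
    "/IOC_PATH_PLACEHOLDER/beacon",
}

# Constructed sample log lines (not real telemetry). 203.0.113.x and 198.51.100.x
# are documentation address ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Dec/2017:02:00:07 +0900] "GET /IOC_PATH_PLACEHOLDER/check.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) WindowsPowerShell/5.1.14409.1005"
198.51.100.5 - - [28/Dec/2017:02:00:09 +0900] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.10 - - [29/Dec/2017:02:00:11 +0900] "POST /IOC_PATH_PLACEHOLDER/beacon HTTP/1.1" 200 64 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) WindowsPowerShell/5.1.14409.1005"
203.0.113.22 - - [29/Dec/2017:14:12:45 +0900] "GET /IOC_PATH_PLACEHOLDER/check.php HTTP/1.1" 404 0 "-" "curl/7.55.1"
malformed line that should be skipped
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Compare on the path only; the implant may append a query string.
    rec["path"] = rec["path"].split("?", 1)[0]
    rec["status"] = int(rec["status"])
    try:
        ip_address(rec["ip"])  # reject lines whose first field is not an IP
    except ValueError:
        return None
    return rec


def find_implant_hits(log_text, indicator_paths=INDICATOR_PATHS):
    """Return every parsed request whose path is one of the indicator paths."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] not in indicator_paths:
            continue
        # Assumption: PowerShell web cmdlets identify themselves with this token.
        rec["powershell_ua"] = "WindowsPowerShell/" in rec["ua"]
        hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Aggregate hits per source IP: request count, 2xx count, PowerShell UA count, paths."""
    summary = defaultdict(lambda: {"requests": 0, "successful": 0, "powershell_ua": 0, "paths": set()})
    for h in hits:
        s = summary[h["ip"]]
        s["requests"] += 1
        if 200 <= h["status"] < 300:
            s["successful"] += 1
        if h["powershell_ua"]:
            s["powershell_ua"] += 1
        s["paths"].add(h["path"])
    return dict(summary)


def likely_infected(summary):
    """Sources that successfully fetched an indicator path with a PowerShell user agent."""
    return sorted(ip for ip, s in summary.items() if s["successful"] > 0 and s["powershell_ua"] > 0)


if __name__ == "__main__":
    by_source = summarize_by_source(find_implant_hits(SAMPLE_LOG))
    for ip, s in by_source.items():
        print(ip, s["requests"], "requests,", s["successful"], "successful,", sorted(s["paths"]))
    print("likely infected:", likely_infected(by_source))
```

The 404 from the scanner-like source is kept in the per-source summary but excluded from the infected list: a request to a known path is an indicator, but only a successful fetch with the implant's client fingerprint is strong enough to treat the source as compromised. In practice the path set would be loaded from a threat-intelligence feed rather than hard-coded.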

Further investigation revealed that the IP address in the PowerShell implant was linked to an anonymous domain provider based in Costa Rica. The attacker used this domain to connect to infrastructure of the South Korean Ministry of Agriculture and Forestry, parts of which the attacker has somehow managed to use in carrying out the attack.

Researchers are uncertain how many have been infected by the attack, but the campaign is thought to have targeted a wide range of South Korean organisations in the run up to the Winter Olympics. In similar campaigns in the past, victims were targeted for their passwords and financial information.

The phishing document was created on December 22, but rather than containing macros, it uses OLE (Object Linking and Embedding) streams to carry out the attack. The document was created by the same author, 'John', who created the malicious PowerShell script.

However, despite some evidence about how the attacks took place, researchers haven't been able to identify the perpetrator. They do note that whoever is behind the campaign must be fluent in Korean, and that the motive is to gather intelligence about organisations involved in the South Korea-hosted Winter Olympics.

"Technical details alone are often not enough to determine attribution. We are able to ascertain that the attackers have been trained in Korean language to ensure that the targets open the attachment, and the objective seems to be to gather information on the planning, direction and infrastructure related to the Olympics," said Sherstobitoff.

Researchers warn that in the run up to the Winter Olympics, attackers will continue to use the event as a lure to carry out cyber-attacks.

To avoid falling victim to such attacks -- including the fileless malware distributed as part of Operation PowerShell Olympics -- organisations should educate their employees to be mindful of suspicious emails and unexpected attachments.
