Winter Olympic Games hackers are back with an updated arsenal

The group behind Olympic Destroyer is back with an evolved toolkit and new malware droppers.
Written by Charlie Osborne, Contributing Writer

The hacking team behind a cyberattack which impacted the Winter Olympic Games is back with an updated cache of droppers and hacking tools.

This week, researchers from Check Point said that Hades, the advanced persistent threat (APT) group believed to be behind this year's attack on systems used in the Winter Olympic Games, has begun a potential evolutionary shift.

The attack in question occurred just before the sporting event opening ceremony in South Korea, taking the Winter Olympic Games website offline.

In addition, television sets and Internet-related systems at the games were also disrupted for roughly 12 hours.

The cyberattack was dubbed Olympic Destroyer and researchers later uncovered a wiper malware which was responsible. Kaspersky Labs said spear phishing emails were likely the initial attack vector and this later led to a connection with Hades, an APT known for using "publicly available tools for reconnaissance and post-exploitation," according to Check Point.

"Over the last few weeks, we have noticed new activity from Hades," the researchers say. "This new wave of attack shares a lot with those previously attributed to the group but it seems that this time we are witnessing significant changes that may hint at a new evolution from the group."

A selection of new samples gathered by Check Point have revealed the refinement of macros, often embedded in malicious documents spread via phishing campaigns, which have been made more complex over time.

In the original campaign, the macros only used subtraction encoding, but now they have been improved with Hex2Text encoding and dummy functions, as well as functionality boosts in PowerShell script builders and launch processes.


Hades droppers detected in the past used to exhibit similar functions: executing a PowerShell script via cmd.exe and downloading a set of scripts for the execution of other payloads. However, a new dropper variant has deviated from this path.

First uncovered in Ukraine, the dropper does lean on the same coding styles linked to previous droppers, but it also introduces antivirus-circumventing obfuscation techniques such as delayed execution.

The dropper has also been modified to avoid analysis by security teams and will hide network activity and processes in sandbox environments. The malware will, for example, check whether at least 40 processes are running on a system before executing, as sandbox environments will often only run a handful of processes.

Check Point says these methods are effective, as "popular online sandboxes failed to see any launched processes or network activity, and with some, the dropper appeared to be totally benign."


The new Hades variant will also drop files to disk, set up scheduled tasks that run in the morning to maintain persistence, use obfuscation to hide PowerShell script execution, and make use of lesser-known triggers related to Word ActiveX objects rather than standard triggers to avoid detection.
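The persistence and obfuscation behaviours described above leave a footprint in Windows Security auditing: event 4698 (scheduled task created) carries the full task XML, including its trigger times and the command it launches. The script below, added here as an illustration and not code from Check Point or from the report, parses that XML from a handful of constructed 4698-style records (the field names follow the real event, the values are invented) and flags tasks that launch a script host with hidden or encoded PowerShell flags, noting when the trigger falls in a morning window. The `SUSPICIOUS_ARGS` patterns and the 06:00-10:00 window are my own choices, not indicators published for Hades.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample records shaped like Windows Security event 4698 (scheduled task
# created). Field names mirror the event's EventData (SubjectUserName, TaskName,
# TaskContent); every value here is invented for this example.
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

SAMPLE_EVENTS = [
    {   # benign: built-in Windows Update scan task
        "SubjectUserName": "SYSTEM",
        "TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
        "TaskContent": (
            f'<Task xmlns="{TASK_NS}"><Triggers><CalendarTrigger>'
            '<StartBoundary>2018-11-06T03:00:00</StartBoundary></CalendarTrigger></Triggers>'
            '<Actions><Exec><Command>%systemroot%\\system32\\usoclient.exe</Command>'
            '<Arguments>StartScan</Arguments></Exec></Actions></Task>'
        ),
    },
    {   # suspicious: user-created task firing at 08:15 that runs hidden, encoded PowerShell
        "SubjectUserName": "jdoe",
        "TaskName": r"\OfficeUpdate",
        "TaskContent": (
            f'<Task xmlns="{TASK_NS}"><Triggers><CalendarTrigger>'
            '<StartBoundary>2018-11-06T08:15:00</StartBoundary></CalendarTrigger></Triggers>'
            '<Actions><Exec><Command>powershell.exe</Command>'
            '<Arguments>-NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA</Arguments>'
            '</Exec></Actions></Task>'
        ),
    },
    {   # benign: a morning user task with an ordinary command line
        "SubjectUserName": "jdoe",
        "TaskName": r"\Backup",
        "TaskContent": (
            f'<Task xmlns="{TASK_NS}"><Triggers><CalendarTrigger>'
            '<StartBoundary>2018-11-06T09:00:00</StartBoundary></CalendarTrigger></Triggers>'
            '<Actions><Exec><Command>robocopy.exe</Command>'
            '<Arguments>C:\\Users\\jdoe\\Documents D:\\Backup /MIR</Arguments></Exec></Actions></Task>'
        ),
    },
]

# Argument patterns that commonly accompany hidden or encoded PowerShell launches
# (my own list for this example, not indicators from the report).
SUSPICIOUS_ARGS = re.compile(
    r"(-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|-nop\b|-noprofile|"
    r"frombase64string|\biex\b|downloadstring)",
    re.IGNORECASE,
)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")


def _local(tag):
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def parse_task(task_xml):
    """Extract trigger start times and (command, arguments) pairs from task XML."""
    root = ET.fromstring(task_xml)
    starts, actions = [], []
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "StartBoundary" and elem.text:
            starts.append(datetime.fromisoformat(elem.text.strip()))
        elif name == "Exec":
            cmd = args = ""
            for child in elem:
                if _local(child.tag) == "Command":
                    cmd = (child.text or "").strip()
                elif _local(child.tag) == "Arguments":
                    args = (child.text or "").strip()
            actions.append((cmd, args))
    return starts, actions


def score_task_event(event, morning=(6, 10)):
    """Return the reasons a 4698 record looks like script-based persistence ([] if none)."""
    reasons = []
    starts, actions = parse_task(event["TaskContent"])
    for cmd, args in actions:
        exe = cmd.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS:
            reasons.append(f"action runs script host {exe}")
        if SUSPICIOUS_ARGS.search(args):
            reasons.append("arguments use hidden/encoded launch flags")
    # A morning trigger on its own is normal; treat it only as corroboration.
    if reasons and any(morning[0] <= s.hour < morning[1] for s in starts):
        reasons.append("trigger fires in the morning window")
    return reasons


def hunt(events):
    """Score a batch of records; returns {TaskName: reasons} for the ones that hit."""
    hits = {}
    for ev in events:
        reasons = score_task_event(ev)
        if reasons:
            hits[ev["TaskName"]] = reasons
    return hits


if __name__ == "__main__":
    for task, why in hunt(SAMPLE_EVENTS).items():
        print(task, "->", "; ".join(why))
```

Run against exported 4698 events (for example via a SIEM query that returns the TaskContent field), the script-host test does most of the work; the morning-trigger check only adds weight once a task already launches a script host with suspicious flags, which keeps ordinary morning backup jobs out of the results.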


"Hades shows no signs of slowing down their operation, as their capabilities are growing alongside their victims list," Check Point says. "Every time Hades introduced a new dropper iteration, only a small amount of AV vendors could successfully detect them as malicious. This fact makes it more than likely that most of Hades' operations remain under the radar."

Considering that the 2020 Summer Olympics will take place in Tokyo, let's hope that if this threat group decides to try to target the event again, Japan's cybersecurity minister has read up on the potential threat Hades poses. After all, the cybersecurity chief recently said that he never uses a PC.
