SAFE Olympic Malware

Pyeongchang Olympic Games Targeted Cyber-attack

A new cyber-attack has recently been discovered targeting the Pyeongchang 2018 Olympic Games. The Guardian posted an article about technical issues before the opening ceremony:

“Reporters at the Pyeongchang Olympic Stadium noticed that the internet wifi stopped working shortly before the ceremony while the televisions and wifi at the main press centre also stopped. Pyeongchang 2018 was also forced to shut its website, with users unable to print their tickets for events.”

This attack is obviously a targeted attack against the Pyeongchang Olympic Games. In fact, some information about the organization's computer infrastructure is hardcoded in the binary analyzed in this article.

Like WannaCry and NotPetya, this malware is able to spread itself across the network using the same tricks, and that is probably the main infection vector used to start this cyber-attack.

 

Olympic Destroyer Execution Flow

Below is the execution flow of the malware as shown by the investigation view of SAFE Endpoint Security:

SAFE Olympic Malware Investigation

On the real environment targeted by this cyber-attack, the execution of the malware may have done more than what is shown here.

 

File architecture

The binary has multiple files in its resources, all encrypted with AES in CBC mode using a 32-byte key (the hex MD5 digest of '123', repeated twice) and 16 null bytes as IV. All resources are dumped into the temp folder of the user profile under a random name ending with .exe so that the malware can start them later.
Here is sample code to decrypt the resources manually (https://pastebin.com/vkhRnp54):

import sys
import binascii

from Crypto.Cipher import AES  # pycryptodome

# Usage: python decrypt_resource.py <dumped_resource_file>
filename = sys.argv[1]
with open(filename, 'rb') as f:
    encrypted = f.read()

# md5sum('123') == 202cb962ac59075b964b07152d234b70
# The hex digest repeated twice, unhexlified, gives the 32-byte AES key
key = binascii.unhexlify('202cb962ac59075b964b07152d234b70' * 2)
iv = b'\x00' * 16  # 16 null bytes as IV (must be bytes on Python 3)
cipher = AES.new(key, AES.MODE_CBC, iv)
decrypted = cipher.decrypt(encrypted)  # any trailing padding is left in place

decrypted_filename = '%s.decoded' % filename
with open(decrypted_filename, 'wb') as f:
    f.write(decrypted)

Filename: winlogon.exe
Filetype: Executable
Size (Bytes): 1861632
Hash:
  MD5: cfdd16225e67471f5ef54cab9b3a5558
  SHA1: 26de43cc558a4e0e60eddd4dc9321bcb5a0a181c
  SHA256: edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9
VirusTotal: winlogon.exe
Information about the Olympic Destroyer main executable

 

Lateral movement

Like WannaCry and NotPetya, this malware is able to spread itself to other computers on the local network. In fact, the malware uses WMI commands to spread, and one of the extracted resources is a PsExec binary used to perform remote execution. The following script is executed on the remote computer in order to spread the malware:

SAFE Olympic Malware VBScript

In order to harvest credentials from the computer, a mimikatz implementation is included in the malware. This part is hidden in a binary resource named BMP, which is encrypted with the same method seen previously:

SAFE Olympic Malware BMP mimikatz

The developer of mimikatz also confirmed the use of his tool in this cyber-attack:

https://twitter.com/gentilkiwi/status/963188802901676032

In addition to using mimikatz, the binary has 44 hardcoded credentials. Here is an extract with the passwords blurred:

SAFE Olympic Malware Hardcoded credentials

This hardcoded sensitive information about the IT infrastructure proves that this malware is targeting the Pyeongchang Olympic Games.
This information may have been stolen during an earlier attack, in which case this malware would be the second stage of the cyber-attack.
This malware was clearly developed to act against this event.

 

Break recovery system

Once the malware has completed the password stealing and the lateral movement, its goal is to erase its tracks and disable any backup or recovery feature provided by the Operating System.

To do this, the malware starts multiple command lines (extract from the SAFE Endpoint Security analysis engine):

SAFE Olympic Malware commands

The following command line deletes the shadow copies in order to prevent file restoration:
vssadmin.exe delete shadows /all /quiet

The following command line deletes the backup catalog in order to break file restoration:
wbadmin.exe delete catalog -quiet

Next, the malware uses the bcdedit command line to change the boot configuration of the system. In this case, the recovery system of the OS is disabled:
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

Finally, the malware clears the System and Security event logs in order to hinder forensic investigation on the victim computer:
wevtutil.exe cl System
wevtutil.exe cl Security
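As an added defender-side example (not code from the original article or from SAFE Endpoint Security), the following Python checks process-creation events against the recovery-breaking command lines listed above and against the WMI and PsExec remote execution described under Lateral movement. The sample events, file paths and rule names are constructed for illustration, not telemetry from the real incident.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    image: str      # path of the created process
    parent: str     # path of the parent process
    cmdline: str    # full command line

# Command lines from the recovery-breaking stage, as case-insensitive regexes
RECOVERY_RULES = [
    ("shadow copy deletion",      r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("backup catalog deletion",   r"wbadmin(\.exe)?\s+delete\s+catalog"),
    ("boot status policy tamper", r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures"),
    ("recovery environment off",  r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no"),
    ("event log clearing",        r"wevtutil(\.exe)?\s+cl\s+(system|security)"),
]
SCRIPT_HOSTS = ("cmd.exe", "cscript.exe", "wscript.exe", "powershell.exe")

def classify(ev: ProcEvent) -> list:
    """Return the names of every rule the event matches (empty list if benign)."""
    hits = []
    line = ev.cmdline.lower()
    for name, pattern in RECOVERY_RULES:
        if re.search(pattern, line):
            hits.append(name)
    # A process created remotely through WMI is a child of WmiPrvSE.exe on the target host
    if ev.parent.lower().endswith("wmiprvse.exe") and ev.image.lower().endswith(SCRIPT_HOSTS):
        hits.append("script host spawned by WMI (possible lateral movement)")
    # PsExec-style remote execution installs its service binary on the target host
    if ev.image.lower().endswith("psexesvc.exe"):
        hits.append("PsExec service binary (possible lateral movement)")
    return hits

def scan(events):
    return [(e.cmdline, h) for e in events if (h := classify(e))]

# Constructed sample events (not telemetry from the real incident)
TEMP_EXE = "C:\\Users\\user\\AppData\\Local\\Temp\\xz3kq.exe"
SAMPLE_EVENTS = [
    ProcEvent("C:\\Windows\\System32\\vssadmin.exe", TEMP_EXE,
              "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent("C:\\Windows\\System32\\bcdedit.exe", TEMP_EXE,
              "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no"),
    ProcEvent("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
              "cmd.exe /c cscript.exe C:\\Windows\\Temp\\spread.vbs"),
    ProcEvent("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\explorer.exe",
              "cmd.exe /c dir C:\\Users"),
]
```

Running scan(SAMPLE_EVENTS) reports the first three events and leaves the benign dir command alone; the chained bcdedit line matches two rules at once.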

 

Destroyer

The goal of the malware is then to break the system so that the computer becomes unusable. The malware opens every service configuration and sets its start type to status 4:

SAFE Olympic Malware Disable Services

Status 4 means that the service is disabled and will not be started on the next boot.

SAFE Olympic Malware disable services events

Once all services are set to disabled, the malware shuts down the system. The goal of this targeted cyber-attack was clearly to perform a DoS (Denial of Service) against the Pyeongchang Olympic Games organization's computers.
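As an added example (not code from the article or from SAFE Endpoint Security), this Python flags a single process writing start type 4 to many service registry keys, which is the mass-disable behaviour described above rather than an administrator disabling one service. The Sysmon-style registry value-set records, the malware path and the threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

SERVICE_DISABLED = 4  # start type written to HKLM\SYSTEM\CurrentControlSet\Services\<name>\Start
START_VALUE = re.compile(r"\\Services\\([^\\]+)\\Start$", re.IGNORECASE)
DWORD_DETAILS = re.compile(r"DWORD\s*\(0x([0-9a-f]{8})\)", re.IGNORECASE)

def disabled_service(target_object, details):
    """Return the service name if this registry write sets Start=4, else None."""
    key = START_VALUE.search(target_object)
    val = DWORD_DETAILS.search(details)
    if key and val and int(val.group(1), 16) == SERVICE_DISABLED:
        return key.group(1)
    return None

def mass_disable(events, threshold=10):
    """Group Start=4 writes by the writing process; report processes at or over threshold."""
    per_process = defaultdict(set)
    for ev in events:
        svc = disabled_service(ev["TargetObject"], ev["Details"])
        if svc:
            per_process[ev["Image"]].add(svc)
    return {img: sorted(s) for img, s in per_process.items() if len(s) >= threshold}

# Constructed events in the shape of Sysmon Event ID 13 (registry value set); not real telemetry
MALWARE = "C:\\Users\\user\\AppData\\Local\\Temp\\xz3kq.exe"
SAMPLE_EVENTS = [
    {"Image": MALWARE,
     "TargetObject": f"HKLM\\System\\CurrentControlSet\\Services\\{svc}\\Start",
     "Details": "DWORD (0x00000004)"}
    for svc in ("BITS", "Dhcp", "Dnscache", "EventLog", "LanmanServer", "LanmanWorkstation",
                "Schedule", "Spooler", "W32Time", "WinDefend", "wuauserv", "VSS")
] + [
    # an administrator disabling one service goes through the Service Control Manager
    {"Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Fax\\Start",
     "Details": "DWORD (0x00000004)"},
    # Start=2 (auto start) is a configuration change but not a disable
    {"Image": MALWARE,
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Themes\\Start",
     "Details": "DWORD (0x00000002)"},
]
```

With the default threshold only the temp-folder executable is reported, with the twelve services it disabled; the single services.exe write stays below the bar.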

This is what administrators saw when they restarted their computers after the attack. The computers displayed this BSOD in a non-stop loop during Windows loading:

SAFE Olympic malware BSOD

 

Conclusion

As we saw, this cyber-attack was targeted against the Pyeongchang Olympics, since the main malware has hardcoded credentials of the event's infrastructure. Like WannaCry and NotPetya, this malware is able to spread to local computers using the same tricks.
The malware then breaks the system and makes the victim computer unusable. This is what happened during the opening ceremony of the Pyeongchang Olympic Games. The cyber-attack has been officially confirmed, but the root cause has not yet been revealed to the public; according to The Guardian, a report will be shared soon by the organization.
This cyber-attack finally caused a 12-hour blackout of the official event website, and users were not able to print their tickets. The Wifi connection was also down.

 

How SAFE Endpoint Security blocks this type of cyber-attack

SAFE Endpoint Security is a multi-layer security product that blocks this type of attack or malicious file using multiple methods, at each step of the attack:

  • The analysis engine provided by SAFE Endpoint Security detects malicious files and blocks them before they are executed
  • SAFE Endpoint Security limits access to some administrative tools (cmd.exe, vssadmin.exe, …)
  • Thanks to the security policies, programs have limited access to the network, which prevents lateral movement