Alleged Cyber Espionage by Russian and North Korean State Sponsors on 2018 Olympics

Your Feed is from https://www.safeharboroncyber.com/Blog/
Alleged Cyber Espionage activities by Russian and North Korean Hackers on 2018 Olympics
The 2018 Olympics have long been a microcosm of geopolitics, which, in addition to athletics, have provided means for diplomacy and propaganda, sometimes even pronouns of war. Well, in 2018, they also become hacker trick links. The Olympic Games next week in Pyeongchang may have been the most thorough hacking in game history, with more surprises coming.
More than any previous Olympic Games, Pyeongchang has been plagued by apparently state-sponsored hackers: a sport with ties to Russia has stolen embarrassing documents that leaked Olympic organizers, and security researchers have followed another move, Probably North Korea, appears to be monitoring the Olympic organization in South Korea.
Security researchers track both operations, saying that the full scope of both operations is still far from clear, and leaving them can still raise the question of upcoming problems with themselves starting a new interruption in the game. More generally, signals of intrusion indicate that geopolitical tensions for the Olympics have long been extended to the digital arena.
Gain Foothold at 2018 Olympics with Email Phishing
E-mails were disguised as coming from the National Counter-Terrorism Center of Korea (NCTC). At that time, NCTC was conducting a sports anti-terrorism exercise to prepare for the Olympics, indicating that e-mail is legitimate and increasing the chances of people opening e-mails.
Malicious documents that contain obfuscated Visual Basic macros prompt the recipient to open it in their Microsoft Word version and start the PowerShell script when they click Enable Content. Attackers use Invoke-PSImage, an open-source steganography tool released on December 20, to hide malicious PowerShell code on remote servers.
The process eventually provides an implant that creates an encrypted channel for the attacker’s server so they can execute commands on the victim’s machine. The researchers explained that the goal is to evade detection techniques that rely on pattern matching.
Researchers at the company say they have linked these samples of malware to a phishing campaign that lures victims with Korean e-mail, pointing to South Korea’s goal. McAfee said the messages cheated a piece of information from the Korean national counter-terrorism center, which, according to McAfee, said the messages were made during the actual conduct of the terrorist demonstration in Pyeongchang – targeting the more than 300 Olympic Games-related targets of BOCOG . Only the address “icehockey@pyeongchang2018.com” is visible in its “to” line. However, by analyzing the email’s metadata, McAfee identifies victims of other intentions, including the Pyeongchang local tourist organization, ski resorts, transportation and key sectors of the PyeongChang Olympics.
Hackers attach Korean Word documents to e-mail for running malicious scripts on the target machine. If a victim clicks “Enable Content” after opening a contaminated attachment, an attacker can remotely access the computer. An attacker could use the initial temporary foothold to install spyware in order to have a deeper look at hacked computers. McAfee pointed out that the script hidden in an innocent image file, with clever steganography and other obfuscation strategies.
McAfee traces its fishing program to remote servers in the Czech Republic and registers forged certificates with South Korean authorities. And they found a publicly accessible log on this remote server showing that the victim’s machine was actually connected to it from South Korea, which is a sign of the actual infection. Raj Samani, chief scientist at McAfee, said: “Is this a successful campaign? The answer is yes.” We know it’s the victim. ”
Despite all these discoveries, the origin and ultimate goal of this relatively complex malware movement remain unclear. However, based on North Korean language and goals, Samani hinted that his work theory points to North Korean espionage efforts and closely follows his southern neighbors.
This spy appears to run counter to South Korea’s recent disintegration of diplomatic relations and has even led to a combination of national women’s hockey teams from both countries. But North Korea may not give up its attack on a temporary olive branch. Samani said: “I guess this is a” let your friends close, your enemies closer “approach.
First evidence emerged last month that sighting Fancy Bear, Russian hackers move to new political targets has launched a cyber campaign targeting Olympic organizations following Russia’s ouster from the 2018 Winter Olympics for state-sponsored doping. A hacker persona linked to the group released purported emails and documents from the International Olympic Committee earlier this month.
Malware Laced Word Doc for 2018 Olympics attendees
McAfee has discovered an implant that they believe was being used as a second-state payload in a recent document-less attack on the upcoming organization of the PyeongChang Korea Olympics.
In early January, McAfee security researchers warned that hackers have begun e-mails infected with malware for the PyeongChang Games. It is reported that the first such attack took place on December 22, and the sender’s address was faked, it seems from the South Korean national anti-terrorism center.
Hackers are using PowerShell’s plug-in tools to create a channel for the attacker’s servers and collect basic system-level data, but McAfee cannot immediately determine what an attacker did after first visiting the victim’s system.
McAfee later released a report detailing other implants used in the attack that were used to obtain sustained target systems and sustained data breaches, including the Golden Dragon, the Brave Prince, Ghost419 and RunningRat.
Involved Espionage Groups with 2018 Olympics
December 24, 2017 Observed Korean Planting a Golden Dragon is considered to be the second phase of the Olympic payload, with a more robust persistence mechanism than the original PowerShell implant.
As a data collection implant design, Golden Dragon has a golddragon.com hard-coded domain name that acts as a scout tool and downloader for subsequent payloads. It also generates a key to encrypt the data collected from the system and then sends it to the server ink.inkboom.co.kr.
Golden Dragon is not a complete spyware, because it only has limited reconnaissance and data collection capabilities. The malware released the first variant in Korea in July 2017 with features that include similar elements, codes and behaviors as McAfee’s tracked Ghost419 and Brave Prince since May 2017.
Malware lists the user’s Desktop folder, the files the user has recently accessed, and the directories in the system’s% programfiles% folder and associates this information with the system details, the ixe000.bin file in the current user’s UserProfiles, and the registry Item, and the value of the current user’s run key, encrypts the data, and sends it to the remote server.
Malicious software can check the system for processes related to anti-virus products and cleaning applications, and then terminate the process to evade detection. In addition, it supports the download and execution of other components retrieved from a command and control (C & C) server.
There is also a Korean planting system similar to Gold Dragon, Brave Prince dedicated to systems analysis that collects information about directories and files, network configuration, address resolution protocol cache, and systemconfig. The malware first appeared on December 13, 2017. It also terminates processes related to tools that block malicious code.
For the first time in the field on December 18, 2017, the Ghost419 is a Korean implant dating back to July 29, 2017, with samples representing only 46% of the December sample. This malware, based on the Golden Dragon and the Brave Prince, shares elements and code, especially with system reconnaissance.
Security researchers said attackers also used the Remote Access Trojan (RAT) during the PyeongChang Olympics. Known as RunningRat, this tool has two DLLs, the first to kill any anti-malware solution on the system, and in addition to being persistent, unpack and execute the primary RAT DLL.
The second DLL that uses anti-debugging technology is decompressed in memory, resulting in a fileless attack because it never touches the user’s file system. The malware gathers information about the operating system as well as driver and processor information and begins to capture user keystrokes and send them to the C & C server.
“From our analysis, the theft button is the main function of RunningRat; however, the code for the DLL has a wider range of functions. The code includes copying the clipboard, deleting the file, compressing the file, clearing the event log, shutting down the machine, etc. However , Our current analysis shows that such a code can not be executed, “McAfee revealed.
All of these implants can be established perpetually on the victims’ systems, but they require the first phase of malware that provides an initial foothold for the victim’s system. If you run Hangul Word (a Korean-specific replacement for Microsoft Office) on your system, some implants can only achieve persistence.
“With the discovery of these implants, we now have a better understanding of the scope of this operation.” Golden Dragon, brave prince, Ghost419 and RunningRat show a wider range of motion than ever before. Lasting data breaches can potentially create some potential for attackers during the Olympics, “McAffee concludes
Additional Group in 2018 Olympics, Anti-Doping Bears
A far louder and more explicit hacker threat has come from a notorious outfit linked with the Kremlin’s GRU military intelligence agency, known as Fancy Bear, or APT28—according to many security researchers, almost certainly the same Fancy Bear that hacked the Democratic National Committee and Clinton campaign in the midst of the 2016 election.
Fancy bear may have more leaks in store. Security companies Trend Micro and ThreatConnect have linked the organization’s campaign to a list of deceptive domain names they discovered that could be exploited by the organization for serious phishing attacks. Many of these fake realms have not caused any leaks yet, but may lead to compromise by the Organizing Committee. They have found that the purpose of the domain name registration fraud is to mimic the United States anti-doping agency, the British rival Britain’s anti-doping, OCA, the European ice hockey federation, the International Ski Federation, the International Winter Biathlon, International Sled And skeleton alliance.
More Malware
In early January a reported anatomy of the targeted email campaign with Kill Chain and fileless malware attacks footprints from Olympics in Pyeongchang, South Korea. Already more than 300 organizations associated with the 2018 Olympic Games have been hit by these campaigns, even before the game starts next month. Analysts at McAfee Advanced Threat Research have reported a fileless malware activity for the 2018 Winter Olympics in Pyeongchang, South Korea. An attacker in an unknown nation-state may be responsible as researcher shows front end kill chain and typical nation-state behavior from phishing campaigns.
In addition, malware can check whether the system has processes related to anti-virus products and cleaning applications, and then terminate the process to evade detection. In addition, it supports the download and execution of other components retrieved from a command and control (C & C) server.
There is also a Korean planting system similar to Gold Dragon, Brave Prince dedicated to systems analysis that collects information about directories and files, network configuration, address resolution protocol cache, and systemconfig. The malware first appeared on December 13, 2017. It also terminates processes related to tools that block malicious code.
For the first time in the field on December 18, 2017, the Ghost419 is a Korean implant dating back to July 29, 2017, with samples representing only 46% of the December sample. This malware, based on the Golden Dragon and the Brave Prince, shares elements and code, especially with system reconnaissance.
Security researchers said attackers also used the Remote Access Trojan (RAT) during the PyeongChang Olympics. Known as RunningRat, this tool has two DLLs, the first to kill any anti-malware solution on the system, and in addition to being persistent, unpack and execute the primary RAT DLL.
The second DLL that uses anti-debugging technology is decompressed in memory, resulting in a fileless attack because it never touches the user’s file system. The malware gathers information about the operating system as well as driver and processor information and begins to capture user keystrokes and send them to the C & C server.
“From our analysis, the theft button is the main function of RunningRat; however, the code for the DLL has a wider range of functions. The code includes copying the clipboard, deleting the file, compressing the file, clearing the event log, shutting down the machine, etc. However , Our current analysis shows that such a code can not be executed, “McAfee revealed.
All of these implants can be established perpetually on the victims’ systems, but they require a first phase of malware that provides an initial foothold for the victim’s system. If you run Hangul Word (a Korean-specific replacement for Microsoft Office) on your system, some implants can only achieve persistence.
“With the discovery of these implants, we now have a better understanding of the scope of this operation.” Golden Dragon, brave prince, Ghost419 and RunningRat show a wider range of motion than ever before. The arrival of persistent data infiltration can potentially give attackers an advantage over the Olympics, “concluded McAffee.

(adsbygoogle = window.adsbygoogle || []).push({});

If you like to receive more of these curated safe harbor news alerts then subscribe to my mailing list. and come back soon at https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Safe Harbor News Post. Home » Curated SafeHarboronCyber’s CyberWisdom Post
The post Alleged Cyber Espionage by Russian and North Korean State Sponsors on 2018 Olympics appeared first on Safe Harbor on Cyber.