McAfee Advanced Threat Research analysts have discovered a campaign targeting organizations involved with the Pyeongchang Olympics.
Attached in an email was a malicious Microsoft Word document with the original file name 농식품부, 평창 동계올림픽 대비 축산악취 방지대책 관련기관 회의 개최.doc (“Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics”).
The primary target of the email was icehockey@pyeongchang2018.com, with several organizations in South Korea on the BCC line. The majority of these organizations had some association with the Olympics, either in providing infrastructure or in a supporting role. The attackers appear to be casting a wide net with this campaign.
The campaign to target Pyeongchang Olympics began December 22, 2017 with the most recent activity appearing December 28. The attackers originally embedded an implant into the malicious document as a hypertext application (HTA) file, and then quickly moved to hide it in an image on a remote server and used obfuscated Visual Basic macros to launch the decoder script. They also wrote custom PowerShell code to decode the hidden image and reveal the implant.
Analysis
The malicious document was submitted from South Korea to Virus Total on December 29 at 09:04, a day after the original email was sent to the target list. The email was sent from the IP address 43.249.39.152, in Singapore, on December 28 at 23:34. The attacker spoofed the message to appear to be from info@nctc.go.kr, which is the National Counter-Terrorism Center (NCTC) in South Korea. The timing is interesting because the NCTC was in the process of conducting physical antiterror drills in the region in preparation for the Olympic Games. The spoofed source of this email suggests the message is legitimate and increases the chances that victims will treat it as such.
Based on our analysis of the email header, this message did not come from NCTC, rather from the attacker’s IP address in Singapore. The message was sent from a Postfix email server and originated from the hostname ospf1-apac-sg.stickyadstv.com. When the user opens the document, text in Korean tells the victim to enable content to allow the document to be opened in their version of Word.
The malicious document with instructions to enable content.
The enable content message.
The document contains an obfuscated Visual Basic macro:
Visual Basic macro.
The malicious document launches a PowerShell script when the user clicks “Enable Content.” The document was created on December 27 at 15:52 by the author “John.”
The malicious document launches the following PowerShell script:
Manually executing the PowerShell script at the command line.
The script downloads and reads an image file from a remote location and carves out a hidden PowerShell implant script embedded within the image file to execute.
The attackers used the open-source tool Invoke-PSImage, released December 20, to embed the PowerShell script into the image file. The steganography tool works by embedding the bytes of a script into the pixels of the image file, giving the attacker the ability to hide malicious PowerShell code in a visible image on a remote server. The following script can be identified as generated by Invoke-PSImage to execute the attacker’s implant in an image from a remote server.
The initial PowerShell script.
The image that contains the hidden PowerShell code.
To verify the usage of steganography, we employed the tool StegExpose to check the file:
The result confirms the presence of hidden data in our file.
Once the script runs, it passes the decoded script from the image file to the Windows command line in a variable $x, which uses cmd.exe to execute the obfuscated script and run it via PowerShell.
&&set xmd=echo iex (ls env:tjdm).value ^| powershell -noni -noex -execut bypass -noprofile -wind hidden – && cmd /C%xmd%
The extracted script is heavily disguised, using a combination of string-format operator obfuscation and other string-based obfuscation techniques.
The obfuscated PowerShell implant script.
The attacker’s objective is to make analysis difficult and to evade detection technologies that rely on pattern matching. Because the obfuscation makes use of native functions in PowerShell, the script can run in an obfuscated state and work correctly.
Obfuscated control servers.
When we deobfuscate the control server URLs, the implant establishes a connection to the following site over SSL:
hxxps://www.thlsystems.forfirst.cz:443/components/com_tags/views/login/process.php.
Based on our analysis, this implant establishes an encrypted channel to the attacker’s server, likely giving the attacker the ability to execute commands on the victim’s machine and to install additional malware. Ultimately this PowerShell implant will be set to automatically start daily at 2 am via a scheduled task (shown below). The view.hta contains the same PowerShell-based implant and establishes a remote connection over SSL to hxxps://200.122.181.63:443/components/com_tags/views/news.php.
C:\Windows\system32\schtasks.exe” /Create /F /SC DAILY /ST 14:00 /TN “MS Remoute Update” /TR C:\Users\Ops03\AppData\Local\view.hta
The contents of view.hta.
During our research, we discovered a cached Apache server log for the IP address 81.31.47.101, which is shared hosting. This log contained information for the control server thlsystems.forfirst.cz, which showed an IP address from South Korea connecting to the specific URL paths contained in the PowerShell implants. This indicates that the implant was active in South Korea and targets were likely being infected.
Apache server log from December 29, 2017.
While investigating thlsystems.forfirst.cz we discovered that the webpage belongs to a legitimate entity, suggesting this is a compromised server being used as both an encrypted backchannel for the attacker and the distribution of implants. The server also hosts a copy of the obfuscated PowerShell implant.
The implant establishes an encrypted channel to the following URL path:
hxxps://www.thlsystems.forfirst.cz:443/components/com_tags/views/admin/get.php
An image from December 30, 2017.
When investigating the IP address from the PowerShell implant 200.122.181.63 we found a server in Costa Rica that resolves to mafra.go.kr.jeojang.ga. The domain jeojang.ga was registered via Freenom, a free anonymous domain provider. It appears the attacker is using parts of a domain that belong to the South Korean Ministry of Agriculture and Forestry, which is in line with the attached document name in the email, but this domain has nothing to do with this government agency.
A version of the malicious document from December 22 embedded the PowerShell implant directly into the Word document in the form of an HTA file. McAfee Advanced Threat Research analysts discovered another document that was hosted at this domain; its original title is 위험 경보 (전국야생조류 분변 고병원성 AI(H5N6형) 검출).docx, which also appears to come from the Ministry of Agriculture and Forestry. This document was created on December 22 by the same author, “John.” The document does not contain macros, rather OLE streams for the embedded HTA files. When the Korean-language docx icon is clicked, it launches the embedded HTA file Error733.hta. This file contains the same script code to launch the PowerShell implant as in the view.hta example.
An earlier malicious document that relies on OLE streams.
Conclusion
The basic method in this case, an in-memory implant using PowerShell along with obfuscation to avoid detection, is a common and increasing popular fileless technique used in cyberattacks. We have not previously seen this kind of attack targeting victims in South Korea.
The use of the steganography tool shows how quickly the adversary has adapted to new tools. On December 20, the tool Invoke-PSImage was released to the public and within seven days was tested and deployed in a campaign targeting organizations involved in the 2018 Pyeongchang Olympics.
With the upcoming Olympics, we expect to see an increase in cyberattacks using Olympics-related themes. In similar past cases, the victims were targeted for their passwords and financial information. In this case the adversary is targeting the organizations involved in the Winter Olympics by using several techniques to make it more tempting to open the weaponized document:
- Spoofed email address from South Korea’s National Counter-Terrorism Council
- Use of Korean language
- Asking users to open the content because the document is in protected mode
- Partial use of the original South Korean Ministry of Agriculture and Forestry domain in a registered fake domain for malicious intent
The Advanced Threat Research team has discovered an increase in the use of weaponized Word documents against South Korean targets in place of the traditional use of weaponized documents exploiting vulnerabilities in the Hangul word processor software.
Indicators of compromise
SHA-1
- c388b693d10e2b84af52ab2c29eb9328e47c3c16
- 8ad0a56e3db1e2cd730031bdcae2dbba3f7aba9c
IPs
- 200.122.181.63
Domains
- thlsystems.forfirst.cz
- mafra.go.kr.jeojang.ga