2018 Winter Olympics Phishing Campaign Hides Evil Script in Image

2018 Winter Olympics Phishing Campaign Hides Evil Script in Image

Hackers are targeting companies that provide infrastructure support for the 2018 Winter Olympics in Pyeongchang, South Korea.

Using a custom built, previously unseen design, the attacks use a fileless malware aimed at taking control of the infected machine.

The attack, delivered via phishing emails, looks like alerts from the country's National Counter-Terrorism Center with a malicious Word document attached. Future attacks could be using any social engineering tricks.

The attack dubbed 'Operation PowerShell Olympics', because individuals associated with the ice hockey tournament at the Games have received them . Researchers at McAfee Labs, uncovered it taking place in late December.

The attacks begin with emails designed to look as if they come from the South Korean National Counter-Terrorism Center.  They have a spoofed, authentic looking email address. By spoofing the email address in this way, the messages look like they're official NCTC communications. In fact researchers believe they come from an IP address in Singapore.

These phishing emails, sent in Korean, contain a brief message talking about a report from a South Korean government agency and the Pyeongchang Olympics. The emails point the potential victim towards an attached Word document.  The Word doc has a file name that translates as 'Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics'.

All of this probably doesn’t have a lot to do with us as we don’t typically read Korean.  But ---- If opened, the document tells the user they must click to enable content, which if they do, allows the macros for installing the malware to run via a hidden PowerShell script.

Here's where things get interesting...

"This particular malware has not been seen before and it is something custom that was created by the attacker," Ryan Sherstobitoff, senior analyst at McAfee Advanced Threat Research.

Why this attack is different:

Its use of a brand new PowerShell tool called Invoke-PSImage. This tool allows attackers to hide malicious scripts in the pixels of otherwise benign-looking image files, and later execute them directly from memory.

How that's dangerous:

Hiding the script inside an image file helps it evade detection. Then it executes directly from memory, so it is a fileless malware technique. Typically traditional antivirus solutions don't pick it up.

So no download necessary:

That means, downloading an image onto a machine isn't necessary to run the embedded script.

This attack is another troubling example of how attacks are evolving away from using malicious .exe's.

In the past, we've seen many attacks that follow a preset pattern.

In these scenarios, traditional antivirus solutions have a chance of scanning and blocking the attack, even if at the very last step.This new malware campaign presents an even worse scenario in which the AV doesn't have that opportunity.

With no malicious executable file to scan, this attack can easily succeed unless other protections are in place. Here are a few things you can do to reduce your risk of attacks like this:

  • Train employees  Do not to open email attachments from senders they don't know. Be especially wary of Word documents that ask them to enable content/macros.
  • Enforce stricter macro controls: For starters, consider blocking macros in Office files downloaded from the internet.
  • Disable or restrict PowerShell: Disable PowerShell if it isn't being used for something vital on a machine. If it is being used for something vital, consider using PowerShell Constrained Language Mode. That will limit PowerShell to its most basic functionality and make many fileless attack techniques unusable.

As always, to avoid falling victim to such attacks -- including fileless malware distributed as part of Operation Powershell Olympics -- organizations should educate their employees.   Be mindful of suspicious emails and unexpected attachments.

With our partner KnowB4, we help small to medium businesses in VA and DC, learn to spot these attacks.