TACTICAL CYBER INTELLIGENCE REPORT

Actor Type: III

Serial: TR-18-033-003

Countries: All

Report Date: 20180202


2018 Winter Olympics Volunteers Hit with AZORult

The XXIII Olympic Winter Games, hosted in PyeongChang, South Korea, commence on 9 February 2018. Wapack Labs observed two compromised individuals, infected with AZORult malware, logging into the official Olympic Winter Games portal, pyeongchang2018.com.[1] AZORult is a Trojan horse that steals information from a compromised system. After installation, AZORult begins looking for sensitive data: browser cookies, usernames and passwords, system information, and autocomplete fields.[2]

Analysis 

Barbara Brito, a Brazilian native, registered as a volunteer for the 2016 Rio Summer Olympics and the 2018 Winter Olympics using the e-mail address barbaracsbrito@gmail.com. Her login credentials for the following portals were compromised by AZORult:

  • pyeongchang2018.com/en/sso/user/memberinfo/join
    • 2018 Winter Olympics Official portal
  • rio2016.com
    • 2016 Rio Olympics Official portal
  • sefaz.am.gov.br
    • Amazon State Fiscal Citizenship Program
  • aades.am.gov.br
    • Amazon Agency for Economic and Social Development (AADES)


Figure 1. Barbara Brito’s Twitter and Facebook Page for barbaracsbrito@gmail.com

Figure 2 (below) is a forum post created by Barbara Brito on Maria Carambola’s WordPress[3] website regarding the distribution of e-book versions of the Outlander series.

Figure 2. Barbara’s Post Confirming E-mail Address: barbaracsbrito@gmail.com

The observed attacker IP address, 5.101.1.38, is located in Saint Petersburg, Russian Federation. The latest detected file that communicates with this IP address contains the Spyeyes Trojan, which has a VirusTotal rating of 39/67.

Figure 3. SHA-256: e9d2b6a6eb69365a36595081f68567b590324da5a2cb2ac6da503a85687ba9f6

A second victim, Shahid Marri, e-mail address shahidmarri@gmail.com, logged into the 2018 Winter Olympics Volunteer portal, volunteer.pyeongchang2018.com/ESIREG/NewFormRequest.do, on a machine compromised by AZORult. The attacker IP address, 195.3.207.69, is located in Kiev, Ukraine, and communicates with a file containing the Spyeyes Trojan, which has a VirusTotal rating of 45/60.

Figure 4. 2018 Winter Olympic Volunteer Portal[4]

Figure 5. SHA-256: fd714bc6fa5df7cfe8289525795d6905421e0676a4ae4f51350836047a964a1e
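The attacker IP addresses and the two SHA-256 hashes above are the indicators a defender can act on. The following is an added example, not part of the Wapack Labs report, showing how to sweep proxy, firewall and endpoint log lines for those indicators. The log format and the log lines themselves are constructed for illustration; the indicator values are the ones stated in this report. Whole-token matching is used so that an unrelated address such as 15.101.1.38 is not mistaken for the attacker IP 5.101.1.38, and hashes are compared case-insensitively.

```python
"""Sweep log lines for the AZORult-related indicators published in this report."""
import ipaddress
import re
from dataclasses import dataclass

# Indicators taken from the report: attacker IP addresses and sample SHA-256 hashes.
ATTACKER_IPS = {"5.101.1.38", "195.3.207.69"}
SAMPLE_HASHES = {
    "e9d2b6a6eb69365a36595081f68567b590324da5a2cb2ac6da503a85687ba9f6",
    "fd714bc6fa5df7cfe8289525795d6905421e0676a4ae4f51350836047a964a1e",
}

# Word boundaries prevent partial matches inside longer tokens (e.g. 15.101.1.38).
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


@dataclass(frozen=True)
class Match:
    line_no: int   # 1-based index of the matching log line
    kind: str      # "ip" or "sha256"
    value: str     # the indicator that matched (hash in lower case)


def extract_ips(text):
    """Return the set of syntactically valid IPv4 addresses found in text."""
    found = set()
    for candidate in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(candidate)   # rejects octets > 255
        except ValueError:
            continue
        found.add(candidate)
    return found


def scan_lines(lines, attacker_ips=ATTACKER_IPS, sample_hashes=SAMPLE_HASHES):
    """Return a Match for every report indicator seen in the given log lines."""
    matches = []
    for line_no, line in enumerate(lines, 1):
        for ip in sorted(extract_ips(line) & set(attacker_ips)):
            matches.append(Match(line_no, "ip", ip))
        for digest in SHA256_RE.findall(line):
            if digest.lower() in sample_hashes:
                matches.append(Match(line_no, "sha256", digest.lower()))
    return matches


def summarize(matches):
    """Map each matched indicator to the log line numbers where it appeared."""
    summary = {}
    for m in matches:
        summary.setdefault(m.value, []).append(m.line_no)
    return summary


# Constructed sample log lines (not real traffic); only lines 1, 3 and 4 should match.
CONSTRUCTED_LOGS = [
    "2018-02-01T09:14:03Z proxy src=10.20.4.17 dst=5.101.1.38 dport=80 method=POST uri=/index.php",
    "2018-02-01T09:14:05Z proxy src=10.20.4.17 dst=15.101.1.38 dport=443 method=GET uri=/",
    "2018-02-01T09:20:41Z edr host=WS-042 event=file_create "
    "sha256=FD714BC6FA5DF7CFE8289525795D6905421E0676A4AE4F51350836047A964A1E path=C:\\Users\\Public\\svc.exe",
    "2018-02-01T09:21:00Z fw src=10.20.4.22 dst=195.3.207.69 dport=8080 action=allow",
    "2018-02-01T09:22:00Z fw src=10.20.4.22 dst=999.3.207.69 dport=8080 action=deny",
]

if __name__ == "__main__":
    for m in scan_lines(CONSTRUCTED_LOGS):
        print(f"line {m.line_no}: {m.kind} indicator {m.value}")
```

Feeding real proxy or EDR exports through `scan_lines` gives a first triage list; `summarize` then groups hits by indicator so the affected internal hosts on those lines can be isolated and the credentials listed in this report rotated.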

Shahid Marri is located in Pakistan near the Industrial Area. The victim IP address is 103.228.158.205. The following domain login credentials (usernames and passwords) were compromised from the victim’s computer (HAIER-PC “Sharry”):

  • courses.edx.org
  • pg.taleo.net
  • dropbox.com
  • tracking.dgip.gov.pk
    • Government of Pakistan Ministry of Interior Directorate General of Immigration & Passports: Online Passport Tracking System
  • volunteer.pyeongchang2018.com
    • Official 2018 Winter Olympics Volunteer portal
  • microsoftonline.com
  • taleo.net
  • yahoo.com
  • facebook.com

Figure 6. 24.9056, 67.0822: Shahid Marri’s Location in Pakistan

Conclusion

Wapack Labs is conducting additional research into the capabilities of AZORult malware. Olympic-themed attacks are likely to increase. Attribution is unclear. The United States Computer Emergency Response Team (US-CERT) recommends several security measures, whether attending the games or registering an account on the official website in order to follow the games more closely: switch off Wi-Fi and Bluetooth, pay with a credit card, update computer and mobile software, use strong passwords and PINs, and do not open attachments or e-mails from unknown sources.

For questions or comments regarding this report, please contact the lab directly at 603-606-1246 or feedback@wapacklabs.com.

Prepared:     Brent Davis
Reviewed:    B. Schenkelberg
Approved:    J. Stutzman


[1] https://www.pyeongchang2018.com/en/index

[2] https://blog.threatstop.com/xbot-hawkeye-and-azorult-three-malware-families

[3] https://mariacarambola.wordpress.com/2015/05/08/outlander-a-serie-e-os-livros/

[4] https://volunteer.pyeongchang2018.com/ESIREG/login.do?language=0
