TACTICAL CYBER INTELLIGENCE REPORT
Actor Type: III
Report Date: 20180202
2018 Winter Olympics Volunteers Hit with AZORult
The XXIII Olympic Winter Games, hosted in PyeongChang, South Korea, commence on 9 February 2018. Wapack Labs observed two compromised individuals, infected with AZORult malware, logging into the official Olympic Winter Games portal, pyeongchang2018.com. AZORult is a Trojan horse that steals information from a compromised system. After installation, AZORult begins looking for sensitive data: browser cookies, usernames and passwords, system information, and autocomplete fields.
Barbara Brito, a Brazilian native, registered as a volunteer for the 2016 Rio Summer Olympics and the 2018 Winter Olympics using the e-mail address firstname.lastname@example.org. Her login credentials for the following portals were compromised by AZORult:
- 2018 Winter Olympics Official portal
- 2016 Rio Olympics Official portal
- Amazon State Fiscal Citizenship Program
- Amazon Agency for Economic and Social Development (AADES)
Figure 1. Barbara Brito’s Twitter and Facebook Page for email@example.com
Figure 2 (below) is a forum post created by Barbara Brito on Maria Carambola’s WordPress website regarding the distribution of e-book versions of the Outlander series.
The observed attacker IP address, 18.104.22.168, is located in Saint Petersburg, Russian Federation. The most recently detected file communicating with this IP address contains the Spyeyes Trojan and has a VirusTotal detection rating of 39/67.
A second victim, Shahid Marri, email: firstname.lastname@example.org, logged into the 2018 Winter Olympics Volunteer portal, volunteer.pyeongchang2018.com/ESIREG/NewFormRequest.do, from a machine compromised by AZORult. The attacker IP address, 22.214.171.124, is located in Kiev, Ukraine, and communicates with a file containing the Spyeyes Trojan, which has a VirusTotal detection rating of 45/60.
Figure 4. 2018 Winter Olympic Volunteer Portal
Shahid Marri is located in Pakistan near the Industrial Area. The victim IP address is 126.96.36.199. The following domain login credentials (usernames and passwords) were compromised from the victim’s computer (HAIER-PC “Sharry”):
- Government of Pakistan Ministry of Interior Directorate General of Immigration & Passports: Online Passport Tracking System
- Official 2018 Winter Olympics Volunteer portal
Figure 6. 24.9056, 67.0822: Shahid Marri’s Location in Pakistan
Wapack Labs is conducting additional research into the capabilities of AZORult malware. Olympic-themed attacks are likely to increase. Attribution is unclear. The United States Computer Emergency Response Team (US-CERT) recommends several security measures, whether attending the games or registering an account on the official website to follow the games more closely: switch off Wi-Fi and Bluetooth, pay with a credit card, update computer and mobile software, use strong passwords and PINs, and do not open attachments or e-mails from unknown sources.
For questions or comments regarding this report, please contact the lab directly at 603-606-1246, or email@example.com
Prepared: Brent Davis
Reviewed: B. Schenkelberg
Approved: J. Stutzman