TACTICAL CYBER INTELLIGENCE REPORT
**********CORRECTED COPY 15 JAN 18. DISREGARD ALL OTHERS**********
Actor Type: II
Serial: TR-18-014-001
Countries: All, KP, KR
Report Date: 20180114
PyeongChang Olympics Volunteers Targeted with Malware
Wapack Labs observed two specimens of macro malware believed to target volunteers at the 2018 Winter Olympics in PyeongChang, South Korea. Two XLSM documents were uploaded to VirusTotal from Korea in late November 2017. The documents are trojanized versions of a benign XLSX spreadsheet hosted on the official 2018 Winter Olympics volunteer site, vol.pyeongchang2018.com [1].
The benign spreadsheet used to build the malicious documents contains logistical details for Olympic volunteers, which suggests that the volunteers themselves, or the Olympic Volunteer portal, are the intended target. The exact delivery mechanism is unclear; the documents may have been served from a spoofed copy of the legitimate pyeongchang2018.com site or sent in a targeted spear-phishing email.
The malicious files were named 20171115_평창_자원봉사_직무_및_베뉴_소개.xlsm, which translates to "PyeongChang volunteer duties and venue introduction." The benign equivalent hosted on the Olympics website is similarly named 평창_자원봉사_직무_및_베뉴_소개(17.12.04).xlsx. The malicious files are XLSM (macro-enabled workbook) files, meaning they can carry VBA macros; the embedded macro runs as soon as the recipient enables content (or automatically, where macro security has been turned off) and contains a crudely obfuscated PowerShell command.
The command contains another layer of base64 encoding.
Decoding that inner layer yields shellcode that initiates an SSL callback. This exact technique was documented in 2016 on softwaregrp.com [2].
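As an added triage example (not code from the report or from Wapack Labs), the following Python script walks the three layers just described: it reassembles the concatenated VBA string literals, extracts the -EncodedCommand argument, decodes the UTF-16LE base64 layer, pulls the inner FromBase64String blob, and checks the result for the "cld; call" prologue and the plaintext strings that reverse-connect stagers typically carry. The macro text and the shellcode bytes are constructed placeholders, not the Olympics sample, and the 0xFC 0xE8 check is a generic heuristic, not a signature for this specific malware.

```python
import base64
import re

# Constructed placeholder standing in for the decoded shellcode. It is NOT the
# sample's payload: only the first bytes mirror the "cld; call rel32" prologue
# that common x86 reverse-connect stagers begin with, and the ASCII tail imitates
# the plaintext URI-style strings such stagers carry.
FAKE_SHELLCODE = (bytes.fromhex("fce88f0000006089e531d2648b52308b520c8b5214")
                  + b"\x00" * 8 + b"/volunteer_2018" + b"\x00" * 8)

# Layer 1: VBA splits the long literal with "..." & "..." (optionally "& _" newline).
VBA_CONCAT = re.compile(r'"\s*&\s*_?\s*"')
# Layer 2: PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_ARG = re.compile(r'-(?:e|ec|en|enc|encodedcommand)\s+["\']?([A-Za-z0-9+/=]{20,})', re.I)
# Layer 3: the decoded script carries a second base64 blob.
INNER_B64 = re.compile(r'FromBase64String\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)', re.I)


def build_sample_macro():
    """Constructed macro of the shape described in the report (hypothetical)."""
    inner = ('$b=[Convert]::FromBase64String("%s");'
             '$p=[Runtime.InteropServices.Marshal]::AllocHGlobal($b.Length);'
             '[Runtime.InteropServices.Marshal]::Copy($b,0,$p,$b.Length)'
             % base64.b64encode(FAKE_SHELLCODE).decode())
    outer = base64.b64encode(inner.encode("utf-16le")).decode()
    cut = len(outer) // 2
    return ('Sub Workbook_Open()\n'
            '    Dim c As String\n'
            '    c = "powershell.exe -NoP -W Hidden -Enc " & "%s" & _\n'
            '        "%s"\n'
            '    Shell c, vbHide\n'
            'End Sub\n' % (outer[:cut], outer[cut:]))


def reassemble_strings(vba):
    """Undo the crude string splitting so the base64 argument is contiguous."""
    return VBA_CONCAT.sub("", vba)


def decode_encoded_command(b64):
    """-EncodedCommand is base64 over UTF-16LE text, not UTF-8."""
    return base64.b64decode(b64).decode("utf-16le")


def printable_strings(blob, minimum=6):
    """Runs of printable ASCII; reverse-HTTPS stagers usually expose URI/UA text."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % minimum, blob)]


def looks_like_stager(blob):
    """Heuristic only: 0xFC 0xE8 (cld; call rel32) opens the widely reused
    block_api x86 stager. Absence of the pattern proves nothing."""
    return blob[:2] == b"\xfc\xe8"


def analyze(vba):
    """Peel the layers and return what a triage analyst wants at a glance."""
    text = reassemble_strings(vba)
    m = ENC_ARG.search(text)
    if not m:
        return {"error": "no -EncodedCommand argument found"}
    script = decode_encoded_command(m.group(1))
    inner = INNER_B64.search(script)
    shellcode = base64.b64decode(inner.group(1)) if inner else b""
    return {
        "command_b64": m.group(1),
        "inner_script": script,
        "shellcode": shellcode,
        "stager_prologue": looks_like_stager(shellcode),
        "strings": printable_strings(shellcode),
    }


if __name__ == "__main__":
    result = analyze(build_sample_macro())
    print(result["inner_script"][:80])
    print(len(result["shellcode"]), result["stager_prologue"], result["strings"])
```

The macro source itself can be dumped from the XLSM with olevba (oletools) and then passed to analyze(); once the shellcode is recovered, the callback host is best obtained by running it under an emulator or in a sandbox with network capture rather than by string inspection, since reverse-HTTPS stagers store the address as a binary value.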
The observed callback address is a Korean IP, 121.158.16.99; it was offline during sandboxing. Further analysis showed the IP hosting a fraudulent version of the Olympics domain, pyeongchang2018.or.kr. The actors used a Korean registrar and a Korean webmail address for the registrant contact. That registrant email, qotjdlf@hanmail.net, is linked to yet another fraudulent Olympics domain, pyeongchang2018.kr. Both registrations list the registrant name "BAESEOIL".
Domain Name: pyeongchang2018.or.kr
Administrative Contact (AC): BAESEOIL
AC E-Mail: qotjdlf@hanmail.net
Registered Date: 2017. 09. 18.
Last Updated Date: 2017. 09. 18.
Expiration Date: 2018. 09. 18.
Publishes: N
Authorized Agency: Whois Corp. (http://whois.co.kr)
DNSSEC: unsigned
Primary Name Server
  Host Name: ns1.whoisdomain.kr
  IP Address: 211.206.125.156
Secondary Name Server
  Host Name: ns2.whoisdomain.kr
  IP Address: 222.122.218.45
  Host Name: ns3.whoisdomain.kr
  IP Address: 110.45.166.139
  Host Name: ns4.whoisdomain.kr
  IP Address: 219.251.156.134
Indicators of Compromise:
MD5: 0c497e6b84251e3aea924a0ccb7e584b
1e9ccfd3b67c587644d30ede319f9f33
IP: 121.158.16.99
Domains: pyeongchang2018.or.kr
pyeongchang2018.kr
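To act on the indicators above, the following Python script (an added example, not part of the report) scans proxy log lines for the published IP and domains and, going beyond the exact indicators, flags any registrable label within one edit of pyeongchang2018 under any suffix, which catches the fraudulent pyeongchang2018.or.kr / pyeongchang2018.kr pattern described earlier as well as future variants. The log lines, the abbreviated suffix list and the bytes fed to md5_hit are constructed for the example.

```python
import hashlib

# Indicators exactly as published in the report.
IOC_MD5 = {"0c497e6b84251e3aea924a0ccb7e584b", "1e9ccfd3b67c587644d30ede319f9f33"}
IOC_IPS = {"121.158.16.99"}
IOC_DOMAINS = {"pyeongchang2018.or.kr", "pyeongchang2018.kr"}

# The legitimate site the fraudulent domains imitate (vol.pyeongchang2018.com).
LEGIT_DOMAIN = "pyeongchang2018.com"
LEGIT_LABEL = "pyeongchang2018"

# Assumption: a hand-picked suffix subset; production code would use the Public Suffix List.
SUFFIXES = (".or.kr", ".co.kr", ".com", ".kr", ".net", ".org")

# Constructed proxy log lines (timestamp, client, method, host[:port], path); not real traffic.
SAMPLE_LOG = """\
2018-01-10T09:12:03Z 10.1.4.22 GET vol.pyeongchang2018.com /files/volunteer.xlsx
2018-01-10T09:14:51Z 10.1.4.22 GET pyeongchang2018.or.kr /notice/volunteer.xlsm
2018-01-10T09:15:07Z 10.1.4.22 CONNECT 121.158.16.99:443 -
2018-01-10T10:02:19Z 10.1.7.9 GET pyeongchang2o18.net /login
2018-01-10T10:30:00Z 10.1.7.9 GET update.microsoft.com /v6
"""


def edit_distance(a, b):
    """Levenshtein distance; labels are short so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Split a host into (registrable label, suffix) using the suffix list above."""
    host = host.lower().rstrip(".")
    for suffix in SUFFIXES:
        if host.endswith(suffix) and len(host) > len(suffix):
            return host[:-len(suffix)].split(".")[-1], suffix
    labels = host.split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], "." + labels[-1]


def classify_host(host):
    """ioc_match, legitimate, lookalike or clean."""
    host = host.lower().rstrip(".")
    if host in IOC_IPS or host in IOC_DOMAINS:
        return "ioc_match"
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return "legitimate"
    label, suffix = registrable(host)
    if label + suffix in IOC_DOMAINS:          # subdomain of a known bad domain
        return "ioc_match"
    if edit_distance(label, LEGIT_LABEL) <= 1:  # same label, other TLD, or one typo
        return "lookalike"
    return "clean"


def hunt(log_text):
    """Return (client, host, verdict) for every line worth an analyst's attention."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, host = fields[1], fields[3].split(":")[0]
        verdict = classify_host(host)
        if verdict in ("ioc_match", "lookalike"):
            hits.append((client, host, verdict))
    return hits


def md5_hit(data):
    """True if the MD5 of the supplied file bytes is one of the published sample hashes."""
    return hashlib.md5(data).hexdigest() in IOC_MD5


if __name__ == "__main__":
    for client, host, verdict in hunt(SAMPLE_LOG):
        print(f"{verdict:10} {client:12} {host}")
```

The lookalike check deliberately ignores the suffix: the report's two fraudulent domains differ from the real site only by TLD, so exact-match blocking of the published domains alone would miss the next registration of the same label.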
Conclusion:
Olympic-themed attacks are likely to escalate in the run-up to the games in February. Attribution for this incident is unclear; however, the callback IP address, the registrar, and even the registrant email are all Korea-based. This indicates either a Korea-based actor or a higher level of tradecraft and attention to detail, which is a hallmark of state-sponsored activity.
Contact the Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com