Pyeongchang Olympics Volunteers Targeted with Malware


TACTICAL CYBER INTELLIGENCE REPORT

**********CORRECTED COPY 15 JAN 18. DISREGARD ALL OTHERS**********

Actor Type: II
Serial: TR-18-014-001
Countries: All, KP, KR
Report Date: 20180114


Wapack Labs observed two specimens of macro malware believed to be targeting volunteers at the 2018 Winter Olympics in Pyeongchang, South Korea. Two XLSM documents were uploaded to VirusTotal from Korea in late November. The documents are trojanized versions of a benign Excel spreadsheet hosted on the official 2018 Winter Olympics volunteer website, vol.pyeongchang2018.com [1].

The benign spreadsheet used to create the malicious documents contains logistical details for Olympic volunteers, which suggests that either the volunteers themselves or the Olympic Volunteer portal was the intended target. The exact delivery mechanism is unclear; the documents may have been served from a spoofed version of the legitimate pyeongchang2018.com site or delivered in a targeted spear phish.

The files were named 20171115_평창_자원봉사_직무_및_베뉴_소개.xlsm, which translates to “PyeongChang volunteer job and introduction.” The benign equivalent hosted on the Olympics website is similarly named 평창_자원봉사_직무_및_베뉴_소개(17.12.04).xlsx. The malicious files are XLSM (Macro-Enabled Workbook) files, meaning their embedded macros execute automatically unless macros are disabled in Excel. The embedded macro contains a crudely encoded PowerShell command.

This command contains another layer of base64 encoding:

The result is shellcode that initiates an SSL callback. This exact technique was documented in 2016 on softwaregrp.com [2].
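As an added triage example (not part of the Wapack Labs report), the following Python shows two defender-side checks for the document type described above: confirming whether an OOXML workbook actually carries a VBA project, and peeling the nested base64 layers of a PowerShell -EncodedCommand line down to its final bytes. The sample workbook, command line and payload bytes are constructed placeholders, not the report's specimens.

```python
import base64
import io
import re
import zipfile

# Constructed placeholder for the innermost decoded bytes; deliberately not shellcode.
PLACEHOLDER_PAYLOAD = b"\x00\x01PLACEHOLDER-NOT-SHELLCODE"


def build_sample_xlsm(with_macro: bool) -> bytes:
    """Build a minimal constructed .xlsm-style OOXML archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:  # a VBA project is stored as an OLE stream under xl/
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed OLE stub")
    return buf.getvalue()


def has_vba_project(data: bytes) -> bool:
    """An OOXML workbook can only carry macros if xl/vbaProject.bin is present."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(name.lower() == "xl/vbaproject.bin" for name in zf.namelist())


# -e / -enc / -EncodedCommand takes base64 of a UTF-16LE script.
ENC_FLAG = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Inner layer: a base64 literal handed to [Convert]::FromBase64String.
FROM_B64 = re.compile(r'FromBase64String\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)', re.I)


def peel_encoded_powershell(cmd: str) -> list:
    """Return [decoded script, inner bytes...] for an encoded PowerShell command line."""
    layers = []
    m = ENC_FLAG.search(cmd)
    if not m:
        return layers
    script = base64.b64decode(m.group(1)).decode("utf-16-le")
    layers.append(script)
    for inner in FROM_B64.findall(script):
        layers.append(base64.b64decode(inner))  # second base64 layer -> raw bytes
    return layers


def build_sample_command() -> str:
    """Construct a two-layer encoded command shaped like the one the report describes."""
    inner = base64.b64encode(PLACEHOLDER_PAYLOAD).decode()
    script = f'$b = [Convert]::FromBase64String("{inner}")'
    enc = base64.b64encode(script.encode("utf-16-le")).decode()
    return f"powershell.exe -NoP -W Hidden -enc {enc}"
```

Real macros store their source compressed inside vbaProject.bin, so the presence check is a cheap first filter; extracting the macro text itself needs an OLE/VBA parser.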

The observed callback address is a Korean IP, 121.158.16.99; however, it was offline during sandboxing. Further analysis revealed the IP as hosting a fraudulent version of the Olympics domain, pyeongchang2018.or.kr. The actors used a Korean registrar and a Korean webmail address for the registrant email. That email, qotjdlf@hanmail.net, is linked to yet another fraudulent Olympics domain, pyeongchang2018.kr. Both list a registrant name of “BAESEOIL”.

Domain Name: pyeongchang2018.or.kr
Registrant: BAESEOIL
Administrative Contact(AC): BAESEOIL
AC E-Mail: qotjdlf@hanmail.net
Registered Date: 2017. 09. 18.
Last Updated Date: 2017. 09. 18.
Expiration Date: 2018. 09. 18.
Publishes: N
Authorized Agency: Whois Corp.(http://whois.co.kr)
DNSSEC: unsigned

Primary Name Server
   Host Name: ns1.whoisdomain.kr
   IP Address: 211.206.125.156

Secondary Name Server
   Host Name: ns2.whoisdomain.kr
   IP Address: 222.122.218.45
   Host Name: ns3.whoisdomain.kr
   IP Address: 110.45.166.139
   Host Name: ns4.whoisdomain.kr
   IP Address: 219.251.156.134

Indicators of Compromise:

MD5:      0c497e6b84251e3aea924a0ccb7e584b
          1e9ccfd3b67c587644d30ede319f9f33
IP:       121.158.16.99
Domains:  pyeongchang2018.or.kr
          pyeongchang2018.kr

Conclusion:

Olympic-themed attacks are likely to escalate in the run-up to the games in February. Attribution for this incident is unclear; however, it is notable that the leveraged IP address, registrar, and even the registrant email are all based in Korea. This would indicate either a Korean-based actor, or a higher level of tradecraft and attention to detail, which is a hallmark of state-sponsored activity.

Contact the Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com
