Winter Olympics Organizers targeted in latest Spear Phishing Spam Campaign using PowerShell Malware
Posted on: February 5, 2018
During our research, we came across a spear phishing campaign targeting the organizers of the 2018 Winter Olympics. The campaign employs various obfuscation techniques and steganography to deliver a malicious payload.
Some of the intended recipients that we believe were targeted are:
The email has a spoofed sender to make it look like it was sent from firstname.lastname@example.org (South Korea’s National Counter-Terrorism Center). On inspecting the headers, we found that the sender email is spoofed: the email was sent from a server with IP address 126.96.36.199 (hostname ospf1-apac-sg.stickyadstv.com), located in Singapore. The email was sent on 28th December 2017. Based on open source reporting (https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/), a different version of the campaign was also discovered on 22nd December.
Malicious Document / Technical Analysis
The email contained a Word file as an attachment, named “농식품부, 평창동계올림픽대비축산악취방지대책관련기관회의개최.doc” (SHA256: 41ce9e7c8ec4a5f399247d26087a37ad13b4fc8fc9ee62a1d2211b743b2f403a). The file name translates to “Organized by Ministry of Agriculture and Forestry and held in Pyeongchang Winter Olympic Games”, chosen to lure the victim into checking the document’s content.
Once opened, the Word file urges the user to “Enable Content” so they can view the content. Once the user clicks the button, the document proceeds to run the following obfuscated macro code:
The above malicious document macro executes the following PowerShell code:
When executed, the code downloads a PNG file from hxxps://www.thlsystems.forfirst[.]cz/images/adv_s3.png.
The image contains PowerShell code embedded inside a PNG file using a recently released (on December 20) open source tool – Invoke-PSImage (https://github.com/peewpw/Invoke-PSImage). By modifying the above code, we can get the following obfuscated PowerShell code:
The above script then beacons to the C&C server at hxxps://www.thlsystems.forfirst[.]cz/components/com_tags/views/login/process.php, and evaluates the received response directly using PowerShell. The above code also downloads implants from hxxps://www.thlsystems.forfirst[.]cz/components/com_tags/views/access_log and hxxp://200.122.181[.]63/os. These 2 scripts are then scheduled to run daily as scheduled tasks named WindowsMediaServiceCore and WindowsMediaServiceCoreInit at 3PM and 11AM, respectively.
While investigating the IP (200.122.181[.]63) from one of the implants, we found that it resolved to the domain mafra.go.kr.jeojang.ga. The domain jeojang.ga was registered using Freenom, a free anonymous domain provider. If we look closely at the subdomains, we notice that they were chosen to resemble the South Korean Ministry of Agriculture and Forestry’s website – mafra.go.kr. The malicious domain is not linked to the South Korean ministry’s domain in any way.
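The subdomain pattern described above can be checked for in DNS or proxy logs. The following is an added example, not part of the original analysis: it flags hostnames in which a protected domain's labels appear but are not the rightmost labels. The function names, the `PROTECTED` list and the sample hostnames are assumptions constructed for illustration.

```python
"""Flag hostnames that embed a trusted domain as leading labels of another domain."""

PROTECTED = ["mafra.go.kr"]  # domain named on the page; extend for your own estate

SAMPLE_HOSTS = [  # constructed sample of hostnames as seen in DNS/proxy logs
    "www.mafra.go.kr",
    "mafra.go.kr.jeojang[.]ga",
    "notmafra.go.kr.example.test",
    "login.mafra.go.kr.example.test.",
]


def labels(host):
    """Normalise a (possibly defanged) hostname into lowercase DNS labels."""
    host = host.strip().lower().replace("[.]", ".").rstrip(".")
    return [part for part in host.split(".") if part]


def embedded_lookalike(host, protected=PROTECTED):
    """Return (protected_domain, trailing_labels) if host impersonates one, else None.

    A host is flagged when the protected domain's labels occur as a contiguous
    run inside it but are NOT its rightmost labels, so DNS authority lies with
    whatever follows them. Matching whole labels avoids substring false hits.
    """
    h = labels(host)
    for dom in protected:
        d = labels(dom)
        if h[-len(d):] == d:
            continue  # the protected domain itself or a genuine subdomain
        for i in range(len(h) - len(d)):
            if h[i:i + len(d)] == d:
                return dom, ".".join(h[i + len(d):])
    return None


def scan(hosts, protected=PROTECTED):
    """Return (host, protected_domain, trailing_labels) for each flagged host."""
    hits = []
    for host in hosts:
        hit = embedded_lookalike(host, protected)
        if hit:
            hits.append((host, *hit))
    return hits


if __name__ == "__main__":
    for host, dom, suffix in scan(SAMPLE_HOSTS):
        print(f"{host}: embeds {dom} but is controlled by {suffix}")
```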
It is interesting to note that the attackers used the Invoke-PSImage open source tool, which was released on December 20. This spear phishing email was sent on 28th December, which shows that the attackers tested and deployed the tool within 7 days of its release. Previous examples of attackers misusing open source security tools include the Empire framework, Mimikatz, BeEF, the Nishang post-exploitation framework, etc.
With the Winter Olympics approaching, we expect that the actors will be targeting people using Olympics-themed spam.
Indicators of Compromise: