McAfee, the leading security software company has discovered a malware that act as the second-stage payload in a phishing campaign in most of the organizations that are associated with the 2018 Winter Olympics, scheduled to take place from 9 to 25 February 2018 in Pyeongchang County, South Korea.
McAfee’s Advanced Threat Research team discovered and analyzed the implants that enter the phishing targets’ system by installing an initial Power Shell backdoor. This is the latest update on previously revealed phishing campaign the main purpose of which was to create back doors whenever a victim or the targeted system opens up a Microsoft Word document attachment.
The security software company has labelled these implants as Brave Prince, Ghost 419, Gold Dragon and Running Rat. McAfee said that once the initial backdoor is installed, these new implants get stick to the system resulting in siphoning the information from that system(s). According to McAfee, here is what these implants affect:
Brave Prince and Ghost419- Read and collect content from the targeted systems’ hard drive along with other detailed information about the computer
Running Rat- A Remote Access Trojan collects keystrokes and clipboard information. It also deletes and compresses files, turn off the system, clear event history and do a lot more.
Gold Dragon- This implant initiates the downloading of subsequent malware payloads
The McAfee researchers also said that probably there is no way for Running Rat’s code to be executed. Ryan Sherstobitoff, Senior Analyst with McAfee Advanced Threat Research told Cyber Scoop in an email that with the help of these implants, the attackers can access any information from the victim’s system. “By revealing these plants, we can now deeply understand the scope of the entire operation. These four implants depict a much wider campaign than already discovered ones. The continuous data exfiltration
Sherstobitoff and co-author Jessica Saavedra-Morales said in their report that “the continuous data ex-filtration we observe from these four implants can give the attacker a huge advantage during 2018 winter Olympics. The earlier reported backdoor is installed utilizing code that is implanted in the pixels of a hidden image file.
The attack is then embedded through a Word document that seems to be from the South Korea National Counter- Terrorism Center. In its earlier research, McAfee said that this Word document was emailed to a number of organizations in South Korea with some organizations directly linked to the Olympics 2018. The main email address was “icehockey@pyeongchang2018/com” with other groups on the BCC line.
The phishing campaign earlier reported is seem to be performed by an organization instead of a sole person, told Sherstobitoff to CyberScoop earlier. However, he is now saying that it is yet not clear who the organization is. Sherstobitoff also said that “Attribution is cumbersome, and technical research alone has failed to provide enough data to certainly tell what group is behind an attack. Government and law enforcement agencies have resources the private sector does not, thus are in unique positions to make attribution assessments with confidence.”
Cyber security is preparing to deal with all the issues when it comes to the 2018 Winter Olympics. The responsibilities of such attacks have taken by a Russian hacking group Fancy Bear, or APT 28. The group has also been observed active in other attacks related to the Olympics. The U.S Computer Emergency Readiness Team has issued an alert to remind all the Americans travelling to Pyeongchang to be aware of the security of their devices as we as personally identifiable information.
Follow this link for more information McAfee.com/activate