
This Week in Security: The Olympics Gets ‘Meddled’ With

By Cylance Research and Intelligence Team

In this day and age, no large public event is off limits from some form of attack or compromise. The Olympic games are certainly no exception here. From well-crafted phishing lures (which start well before the actual games) to outright malicious and destructive attacks, we have seen the whole range during past Olympic games.

The same holds true for the current Olympic games in Pyeongchang. News of a cyber ‘event’ quickly spread early this week in the form of an outage which affected availability of the official Pyeongchang 2018 website, media services in the main Olympic press center, and wireless services in the Pyeongchang Olympic stadium.

With news and data quickly circulating, the event was ultimately connected to a destructive malware campaign dubbed “Olympic Destroyer.” Little is known or disclosed regarding the initial infection vector.

Primary characteristics of the malware components include:

•    Lateral movement via WMI and PsExec
•    Destroys local logs and VSS data
•    Contains hardcoded credentials (specific to the target environment)
•    Credential-stealing mechanism is supplemented by stolen credentials acquired via a browser-based credential stealer and a Mimikatz-like stealer (LSASS based)

NOTE: Some firms were initially reporting the use of the ETERNALROMANCE SMB exploit within Olympic Destroyer. Those reports (including tweets from Microsoft) have since been withdrawn as further analysis shows no use of the flaw in currently circulating samples.


Based on current analysis, the primary goal is destruction and disruption. Our team is continuing to monitor and analyze this situation.

There are some important points to stress here. Attribution and true intent are often complex and unfold over time. Jumping to conclusions around ‘who’ is behind this attack and ‘why’ (this early in the timeline) does little to further the discourse. If history is any guide, this event is not solitary but rather a small piece of a larger campaign that will unfold over time. It is equally possible that this highly visible event was a distraction to divert attention from other more severe events.

Bottom line… we all need to be patient, avoid foregone conclusions, and allow official investigations to proceed.

IOCs (SHA256)

3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef - PsEXEC

Delivering Malware via Telegram

The popular encrypted messaging application, Telegram, recently released an update to address a flaw that allowed the remote distribution of malware via the improper handling of specific Unicode characters. This flaw allowed attackers to trick victims into opening what appears to be a “safe” file but is actually malicious JavaScript.

It is believed that this flaw was actively exploited between March and October 2017 (when the flaw was discovered and reported to Telegram). Attacks leveraging this flaw have successfully implanted multiple types of malware on target hosts, the most common of which are RATs, cryptocurrency miners, and generic multifunction trojans.

While some have disputed the validity of the flaw, Telegram has already issued a fix.

The flaw relied heavily on social engineering and user interaction. Even with the malicious file types being disguised, the target user still had to click on the file AND agree to allow it to execute (which should be a tip-off that it is executable code and not a benign image). While that may be true, it is also true that the flaw was being successfully exploited and the attacks did work, leading to infected and compromised users.

So, in that light, cheers to Telegram for issuing a fix and keeping users that much more safe.
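A defensive check for the kind of disguised attachment described above, as an added example that is not from the original post or from Telegram. It assumes the Unicode characters involved are bidirectional formatting controls such as U+202E (right-to-left override), which the post does not name; the extension list, function names and sample filenames are constructed for illustration.

```python
import unicodedata

# Bidirectional formatting controls that can change the order a name is drawn in.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e"   # LRE RLE PDF LRO RLO
                    "\u2066\u2067\u2068\u2069"          # LRI RLI FSI PDI
                    "\u200e\u200f\u061c")               # LRM RLM ALM
# Extensions treated as executable content here (assumed list, tune per environment).
RISKY_EXTENSIONS = {"js", "jse", "vbs", "wsf", "hta", "scr", "exe", "bat", "cmd", "ps1"}


def _strip(text):
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def _ext(text):
    return text.rsplit(".", 1)[-1].lower() if "." in text else ""


def apparent_name(name):
    """Approximate what a bidi-aware UI draws. Simplified model, not full UAX #9:
    only U+202E (RLO) up to U+202C (PDF) or end of string is reversed."""
    out, i = [], 0
    while i < len(name):
        if name[i] == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(_strip(name[i + 1:end])[::-1])
            i = end + 1
        else:
            out.append(_strip(name[i]))
            i += 1
    return "".join(out)


def inspect_filename(name):
    """Compare the extension a user sees with the one stored in the name."""
    controls = [unicodedata.name(ch) for ch in name if ch in BIDI_CONTROLS]
    shown, real_ext = apparent_name(name), _ext(_strip(name))
    return {
        "controls": controls,
        "shown_as": shown,
        "real_ext": real_ext,
        "spoofed": bool(controls) and _ext(shown) != real_ext,
        "block": bool(controls) and real_ext in RISKY_EXTENSIONS,
    }


# Constructed sample names; the last is a legitimate Hebrew name with an RLM mark.
SAMPLES = ["photo_high_re\u202egnp.js", "holiday.png", "\u200f\u05d3\u05d5\u05d7.pdf"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(ascii(sample), inspect_filename(sample))
```

The third sample shows why the check compares extensions instead of rejecting every name that contains a bidi control: legitimate right-to-left filenames carry such marks without changing the apparent file type.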

New Bytes from the HIDDEN COBRA

On February 13, US-CERT, through multiple public channels, issued updates on specific malicious activity attributed to the North Korean government. Two Malware Analysis Reports (MARs) were released covering specific details around HIDDEN COBRA/HARDRAIN/BADCALL activity.

The full MAR reports (MAR-10135536-G and MAR-10135536-F) have been posted on the US-CERT site, including STIX documents.

MAR-10135536-B (HARDRAIN) contains details covering two Windows-based executables (proxy servers) along with an Android-based (ELF) Remote Administration Tool, or RAT. MAR-10135536-G (BADCALL) describes two Windows-based proxy executables and another type of Android RAT (APK).






Additional IOCs and YARA rules are available in the full MARs on the US-CERT site.

CylancePROTECT® prevents execution of threats associated with the Olympic Destroyer and HIDDEN COBRA as described in this post. Believe the math!