First shots at South Korea could herald malware campaign of Olympic proportions

Russia, Norks and dog lovers all potential perps, say pundits

By John Leyden


A malware campaign has been unleashed against organisations involved with next month's Pyeongchang Winter Olympics.

An email[1] with a malicious Microsoft Word document attached was sent to a number of groups associated with the event, most of them targeting ice hockey organisations.

"The attackers originally embedded an implant into the malicious document as a hypertext application (HTA) file, and then quickly moved to hide it in an image on a remote server and used obfuscated Visual Basic macros to launch the decoder script," security firm McAfee reported. "They also wrote custom PowerShell code to decode the hidden image and reveal the implant."
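One of the cheaper ways to "hide an implant in an image" is simply to append it after the point where a decoder stops reading, so the file still displays as a picture while carrying an arbitrary blob that a script can later carve out. The following checker is an added example for defenders and is not code from McAfee or from the article; it walks the structure of a PNG or JPEG and returns whatever bytes sit past the format's terminator (the IEND chunk, or the End-Of-Image marker), which is a quick triage signal for images pulled from a suspect download or from a proxy log. The sample images it builds are constructed in-line for the demonstration; the article does not state which hiding method the campaign used, and a payload encoded into pixel values would not be caught by this trailer check.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: big-endian length, type, body, CRC over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def png_trailing_bytes(data: bytes) -> bytes:
    """Walk the PNG chunk list and return everything after the IEND chunk.

    A well-formed PNG ends exactly at IEND; viewers ignore anything after it,
    which is why an appended payload survives being served as a normal image.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # header + body + CRC
        if end > len(data):
            raise ValueError("truncated chunk at offset %d" % pos)
        if ctype == b"IEND":
            return data[end:]
        pos = end
    raise ValueError("no IEND chunk found")


def jpeg_trailing_bytes(data: bytes) -> bytes:
    """Walk JPEG marker segments and return everything after the EOI marker.

    Segments are skipped by their declared length, so an EOI belonging to an
    EXIF thumbnail inside APP1 is not mistaken for the end of the outer image;
    a naive search for the first 0xFFD9 would stop there.
    """
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte; marker continues
            pos += 1
            continue
        if marker == 0xD9:                      # EOI: what follows is foreign
            return data[pos + 2:]
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment at offset %d" % pos)
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:                      # SOS: skip entropy-coded data
            while pos + 1 < len(data):          # 0xFF00 and RSTn are not markers
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_bytes(data: bytes) -> bytes:
    """Dispatch on the magic bytes and return the post-terminator blob."""
    if data.startswith(PNG_SIG):
        return png_trailing_bytes(data)
    if data.startswith(JPEG_SOI):
        return jpeg_trailing_bytes(data)
    raise ValueError("unsupported image type")


def make_test_png(trailer: bytes) -> bytes:
    """Constructed 1x1 greyscale PNG with an arbitrary blob appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")           # filter byte + one pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat)
            + _png_chunk(b"IEND", b"") + trailer)


def make_test_jpeg(trailer: bytes) -> bytes:
    """Constructed JPEG skeleton (not decodable, structurally valid markers).

    The APP1 body carries a fake thumbnail with its own SOI/EOI pair to show
    that the segment walker is not fooled by an early 0xFFD9.
    """
    app1_body = b"Exif\x00\x00" + b"\xff\xd8\xff\xd9"
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_body) + 2) + app1_body
    sos_body = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + struct.pack(">H", len(sos_body) + 2) + sos_body
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"    # stuffed 0xFF00 and an RST0 inside
    return JPEG_SOI + app1 + sos + scan + JPEG_EOI + trailer


if __name__ == "__main__":
    for name, blob in (("png", make_test_png(b"CONSTRUCTED-PAYLOAD")),
                       ("jpeg", make_test_jpeg(b"CONSTRUCTED-PAYLOAD"))):
        extra = trailing_bytes(blob)
        print("%s: %d trailing byte(s) after terminator: %r" % (name, len(extra), extra[:32]))
```

Run against a directory of images fetched by a suspect document, the length of the returned blob is the triage number: a few bytes of padding is normal, kilobytes of high-entropy data after IEND or EOI deserve a closer look.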

The attackers appear to be casting a wide net, with several South Korean organisations included in the spam run. The majority of these had some link to the Olympics, either by providing infrastructure or in a supporting role.

Global gatherings such as the Olympics – where world leaders, businesses and governmental organisations converge on one location – are a naturally attractive target for cyberspies. Travelling VIPs can be easier to target when they are abroad, using a variety of techniques.

Threat intel firm Anomali warned that the malware incident is just a taste of what might be in store. South Korea is a frequent target of hacks, and North Korea, Russia and China might all look to exploit vulnerabilities when the world's focus is on the nation.

Using hotel Wi-Fi to spy on executives and people of interest is a likely scenario. DarkHotel and the Russian APT28 have both reportedly engaged in such shenanigans and similar activity was associated with the Sochi Olympics in Russia four years ago.

Phishing lure techniques, such as links promising live streaming of Olympic events, could form the basis of attacks by regular cybercrooks slinging ransomware and other crud as well as spies.

Recent activity from Fancy Bear's Hack Team and other hacktivist groups might lead to campaigns directed against the International Olympic Committee (IOC) and the Olympics in general. This may be because of the decision to ban Russian athletes from participating under the national flag, something already attributed as the motive behind attacks against the World Anti-Doping Agency.

Last but not least, animal welfare groups could stage a protest and/or boycott over South Korea's dog and cat meat trade. Twitter chatter on this topic is already taking place and may be a harbinger of things to come, Anomali cautioned.

Many sponsors and partners of the games have already experienced hacks and this is another area of potential concern:

Some of the attacks have been attributed to Kimsuky (North Korea), RGB (North Korea), APT3 (China), and Nexus Zeta, Anomali said.


[1] The original file name was 농식품부, 평창 동계올림픽 대비 축산악취 방지대책 관련기관 회의 개최.doc ("Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics").
