Olympic Destroyer Returns with Improved Arsenal

The hacker group that attacked the 2018 Winter Olympic Games IT infrastructure is still active and has recently been observed attacking organizations with an improved malware strain.

The infrastructure at the Winter Olympic Games in Pyeongchang, South Korea, was briefly disrupted by an attack that used disk-wiping malware. Dubbed Olympic Destroyer, the malware contained some elements that caused security firms to initially attribute the attack to Lazarus, a hacker group associated with the North Korean government that launched destructive attacks in the past, especially in South Korea.

However, later analysis revealed that the similarities were intentionally introduced by Olympic Destroyer’s creators to mislead security researchers. The malware is now attributed to a group dubbed Hades that has since attacked organizations in Russia and Europe.

The latest samples, analyzed by security researchers from Check Point Software Technologies, come from Ukraine and were uploaded to the VirusTotal scanner in October. They prove that the group has made significant improvements, particularly to the first-stage dropper.

“The samples we found indicate once again that the group is aware of the various studies made surrounding its activities and is working to make it difficult for the various research bodies to identify its attacks and attribute them to it,” the researchers said in a report.

For one, Hades has improved the malicious macros in the phishing Word documents that are used as an infection vector. They have introduced anti-analysis features such as delayed execution and sandbox detection.

The victims are first presented with what appears to be a blank document and are asked to enable macro execution. When they do, the text color switches from white to black to give the appearance that enabling macros was necessary to display the content.

In the background, however, a complex infection process begins. First, the macro code iterates through the processes running on the system to identify known malware analysis tools. If such tools are found, or if the number of running processes is fewer than 40—a tell-tale sign of a sandbox environment—the malware execution stops.

However, if the process check is cleared, the macro code drops an HTA (HTML Application) file and creates a scheduled task to execute that file every day at 10:20 a.m. The purpose of this delayed execution is to trick automated analysis systems, which execute suspicious files and record their behavior only over a limited timeframe.

When the HTA is run by the scheduled task, it executes a PowerShell script, which then downloads the second-stage payload. The researchers have not yet been able to obtain or analyze this payload.
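A defender-side check for the scheduled-task pattern described above, added here as an example that is not part of the original article or of Check Point's research: it parses Task Scheduler XML (the format produced by `schtasks /query /xml`) and flags any task whose action launches mshta.exe or a .hta file on a daily trigger. Both task definitions below are constructed samples; the 10:20 start time and the file paths are illustrative.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespace used by Windows Task Scheduler XML definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample mirroring the article's pattern: an HTA run every day at 10:20.
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <StartBoundary>2018-10-01T10:20:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions><Exec>
    <Command>mshta.exe</Command>
    <Arguments>C:\\Users\\Public\\update.hta</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed benign sample: a nightly backup script, no HTA involved.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2018-10-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Tools\\backup.cmd</Command></Exec></Actions>
</Task>"""

def _text(node, path):
    found = node.find(path, NS)
    return (found.text or "").strip() if found is not None else ""

def find_hta_tasks(task_xml):
    """Return one finding per Exec action that references mshta or a .hta file,
    together with the wall-clock times of any daily CalendarTrigger, so the
    'every day at HH:MM' delayed execution is visible at a glance."""
    root = ET.fromstring(task_xml)
    daily_times = []
    for trig in root.findall("t:Triggers/t:CalendarTrigger", NS):
        if trig.find("t:ScheduleByDay", NS) is not None:
            try:
                start = datetime.fromisoformat(_text(trig, "t:StartBoundary"))
                daily_times.append(start.strftime("%H:%M"))
            except ValueError:
                daily_times.append("unknown")
    findings = []
    for exe in root.findall("t:Actions/t:Exec", NS):
        line = f'{_text(exe, "t:Command")} {_text(exe, "t:Arguments")}'.strip()
        # mshta.exe is the HTA host; a bare .hta path runs through file association.
        if "mshta" in line.lower() or ".hta" in line.lower():
            findings.append({"command_line": line, "daily_at": daily_times})
    return findings
```

Real exports from `schtasks /query /xml` are UTF-16 encoded, so decode them to text before passing them to `find_hta_tasks`.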

“Hades shows no signs of slowing down their operation, as their capabilities are growing alongside their victims list,” the Check Point researchers said. “The threat actors’ latest activity presented us with a new, previously unseen variant of their dropper, which introduced a deviation from their regular first stage TTPs [Tactics, Techniques and Procedures].”

DarkGate: A Sophisticated Cryptomining and Ransomware Combo

Security researchers have detected a new sophisticated threat that can bypass antivirus detection and deliver a combination of payloads, from cryptomining to cryptocurrency wallet stealing, ransomware and remote access control.

Dubbed DarkGate, the new threat has been observed in Spain and France and is distributed through torrent files. It targets Windows systems and hides its command-and-control (C&C) communication in DNS records from legitimate content delivery networks including Akamai and AWS.

According to a report from enSilo, DarkGate “uses multiple methods for avoiding detection by traditional AV using vendor-specific checks and actions including the use of the process hollowing technique.”

The malware is also capable of preventing recovery tools from eliminating it from the system and uses two different techniques to bypass the Windows User Account Control (UAC) and gain elevated privileges.

“The enSilo research team tracked ‘DarkGate’ and its variants and discovered that most AV vendors failed to detect it,” the researchers said. “It is clear that DarkGate is under constant development for it is being improved with every new variant. Further investigation is required to determine the ultimate motivations behind the malware. While cryptocurrency mining, crypto stealing and ransomware capabilities suggest the goal is financial gain, it’s not clear if the author has another motive.”

— Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
