The espionage campaign against Winter Olympics targets has widened its net, with several second-stage implants providing attackers with top-tier spyware capabilities and the ability to achieve permanent persistence on victim machines.
McAfee's Advanced Threat Research (ATR) recently released a report describing a fileless attack targeting organizations involved with the Pyeongchang Olympics. The gambit used a targeted spear-phishing email with a malicious document attached, which was sent to 333 victim organizations. Once executed, the document paved the way for a basic PowerShell implant that established a channel to the attacker’s server to gather system-level data and that employed image steganography techniques to hide.
“What was not determined at that time was what occurred after the attacker gained access to the victim’s system,” McAfee researchers said.
McAfee ATR has now discovered that additional implants are being used as a second-stage payload in the Olympics-related attacks, used to gain persistence for continued data exfiltration and for targeted access: Gold Dragon, Brave Prince, Ghost419, and RunningRat, all named for phrases found in their code.
“The implants covered in this research establish a permanent presence on the victim’s system once the PowerShell implant is executed,” McAfee said. “The implants are delivered as a second stage once the attacker gains an initial foothold using file-less malware. Some of the implants will maintain their persistence only if Hangul Word, which is specific to South Korea, is running.”
The Gold Dragon Korean-language implant was first seen on Christmas Eve.
“The Gold Dragon malware appears to have expanded capabilities for profiling a target’s system and sending the results to a control server,” McAfee said. “[It] acts as a reconnaissance tool and downloader for subsequent payloads of the malware infection and payload chain. Apart from downloading and executing binaries from the control server, Gold Dragon generates a key to encrypt data that the implant obtains from the system.”
Brave Prince meanwhile gathers detailed logs about the victim’s configuration, contents of the hard drive, registry, scheduled tasks, running processes and more; Ghost419 is also a system reconnaissance malware and shares code with Gold Dragon. Stealing keystrokes is the main function of RunningRat; however, it contains code for more extensive functionality, including copying the clipboard, deleting files, compressing files, clearing event logs, shutting down the machine and much more. It’s unclear how the additional code could be executed.
“With the discovery of these implants, we now have a better understanding of the scope of this operation,” researchers said. “Gold Dragon, Brave Prince, Ghost419 and RunningRat demonstrate a much wider campaign than previously known. The persistent data exfiltration we see from these implants could give the attacker a potential advantage during the Olympics.”
McAfee said that a North Korean threat actor is likely behind the attacks.