The group behind the malware dubbed Olympic Destroyer, which plagues the Korean Winter Olympics at the start of the year, seem to have upgraded their arsenal. Researchers at Check Point believe the group is in the process of an evolutionary shift in terms of tactics and execution. Researchers over the past few weeks have witnessed new activity by the group called Hades. By analyzing samples previously observed by other researchers and the newly discovered samples researchers have attempted to create a more up to date summary of the group’s tactics. For advanced persistent threat (APT) groups a month is a long time and more than enough time to change tactics. It has been approximately nine since Olympic Destroyer made international headlines.
The incident in question occurred just before the opening ceremony of the Winter Olympics hosted by South Korea. The attack caused the official games website to go dark. In addition, television sets and Internet-related systems at the games were also disrupted for roughly 12 hours. The attack was dubbed Olympic Destroyer, with many believing it was a result of the banning of Russia and its athletes from competing in the games under the Russian flag. The decision to ban Russia was a result of the country’s involvement in a state-sponsored doping campaign. For many within the InfoSec community, the Olympic Destroyer attack was in retaliation of the banning decision.
At the time Kaspersky Labs said spear phishing emails were likely the initial attack vector and this later led to a connection with Hades, an APT known for using publicly available tools for reconnaissance and subsequent attacks. For many, it was assumed that would be the end of Olympic Destroyer if not the end of Hades. That was not to be, in June 2018 Kaspersky Labs published another article suggested otherwise.
Since the Winter Olympics, the malware again was seen in spear phishing attacks using weaponized documents similar in appearance to those used previously. In the later incidents, Olympic Destroyer was seen targeting financial institutions in Russia, and biological and chemical threat prevention laboratories in Europe and Ukraine. Although targeting different targets than before, the malware still used the same methods to evade detection. That been mainly the use of a non-binary infection vector dependant on executing through PowerShell.
According to the article published by Check Point, “This new wave of attack shares a lot with those previously attributed to the group but it seems that this time we are witnessing significant changes that may hint at a new evolution from the group.” The newer selection of gathered by Check Point revealed a refinement of the tools used previously. In particular, the macros which in the past have been embedded in malicious documents spread via phishing campaigns. Researchers noted that in the original campaign the macros only used subtraction encoding, but now they have been improved with Hex2Text encoding and dummy functions. These will further make detection and remediation harder.
It is not only the macros which boast new functions. The functionality of the PowerShell elements has been upgraded with better script builders and launch processes. In the past droppers used by Hades executed a PowerShell script via cmd.exe and downloading a set of scripts for the execution of other payloads. A new dropper detected by researchers seems to have changed the tried and tested method. First uncovered in Ukraine, the dropper does lean on the same coding styles linked to previous droppers, but also introduces antivirus-circumventing obfuscation techniques such as delayed execution protocols.
The new dropper has also been further modified to avoid analysis by security teams and will hide network activity and processes in sandbox environments. In a real-world scenario this function will work by checking to see if at least 40 processes are running on a system before executing as sandbox environments will often only use a handful of processes. It is hoped in this scenario that the malware will be able to hide in the sheer amount of processes been dealt with. Check Point has confirmed the effectiveness of such a tactic, saying, “…popular online sandboxes failed to see any launched processes or network activity, and with some, the dropper appeared to be totally benign.” While impressive Hades did not stop there and included more functions. The malware can now drop files to disk, setup morning scheduled tasks to maintain persistence, use obfuscation to hide PowerShell script execution, and makes use of lesser-known triggers related to Word ActiveX objects rather than standard triggers to avoid detection. Making for a far greater threat that is certainly more than the sum of its parts.
Researchers concluded that,
“Hades shows no signs of slowing down their operation, as their capabilities are growing alongside their victims list. Every time Hades introduced a new dropper iteration, only a small amount of AV vendors could successfully detect them as malicious. This fact makes it more than likely that most of Hades' operations remain under the radar.”
This should be seen as a warning shot fired for those organizing the next Olympic Games in Tokyo. With the latest government appointments in Japan regarding the matter doing little to increase confidence. Japan’s cybersecurity minister stunned much of the globe with his admission to never using a PC. While not being a slave to technology is an admirable trait, it is commonly expected that those in charge of tech-heavy portfolios be at least competent. Yoshitaka Sakurada appeared confused when asked about basic technologies. In a press conference, the minister was asked if nuclear power plants allowed the use of USB drives, a common technology widely considered to be a security risk, Mr. Sakurada did not seem to understand what they were. One can only hope that those working below the minister brief him thoroughly of the threat posed by Hades and other APTs.