Security researchers have uncovered a sophisticated phishing campaign targeting organizations involved in the Pyeongchang Olympics, using a weaponized Word document and a range of obfuscation techniques to fly under the radar.
The malicious document is written in fluent Korean and named “Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics”, according to McAfee.
It was aimed at a number of organizations providing infrastructure and support for the games, and was spoofed to appear to come from South Korea’s National Counter-Terrorism Center (NCTC), when in fact the sending IP address was located in Singapore.
When the user clicks “Enable Content” in the doc, it launches a hidden PowerShell script.
“The attackers used the open-source tool Invoke-PSImage, released December 20, to embed the PowerShell script into [an] image file. The steganography tool works by embedding the bytes of a script into the pixels of the image file, giving the attacker the ability to hide malicious PowerShell code in a visible image on a remote server,” explained McAfee researchers Ryan Sherstobitoff and Jessica Saavedra-Morales.
“The attacker’s objective is to make analysis difficult and to evade detection technologies that rely on pattern matching. Because the obfuscation makes use of native functions in PowerShell, the script can run in an obfuscated state and work correctly.”
The attackers used the implant to establish an encrypted channel to a remote server, allowing them to execute commands on the victim’s machine and potentially download additional malware.
The researchers discovered an IP address in South Korea connecting to the URL paths detailed in the PowerShell implants, leading them to believe several targets have been infected.
McAfee also discovered another version of the attack, in which the PowerShell script was implanted directly in the Word doc in the form of an HTA file.
“The document does not contain macros, rather OLE streams for the embedded HTA files,” the blog continued. “When the Korean-language docx icon is clicked, it launches the embedded HTA file Error733.hta. This file contains the same script code to launch the PowerShell implant as in the view.hta example.”
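A triage check for the macro-less variant just described, as an added example that is not McAfee’s code or tooling: it opens a .docx as the zip archive it is, records whether a VBA project (macros) is present, and scans every object under word/embeddings/ for HTA markup and stored .hta file names. The indicator list and the in-memory sample document are constructed for the demonstration, not vendor signatures or a real Office file.

```python
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file header
# Constructed indicator strings for this demo, not vendor signatures.
HTA_MARKERS = [b"<hta:application", b"<script", b"activexobject",
               b"wscript.shell", b"powershell"]

def triage_docx(docx_bytes):
    """Inspect a .docx (a zip archive) for the macro-less OLE/HTA pattern.

    Returns a dict with whether a VBA project is present and a list of
    (member name, is_ole_file, matched markers, .hta names) for each
    embedded object that looks like it carries HTA/script content."""
    report = {"has_vba_project": False, "suspicious_embeddings": []}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name == "word/vbaProject.bin":
                report["has_vba_project"] = True
            if not name.startswith("word/embeddings/"):
                continue
            data = z.read(name)
            low = data.lower()
            hits = [m.decode() for m in HTA_MARKERS if m in low]
            # Embedded packages keep the original file name in clear text,
            # so a stored *.hta name is itself a strong signal.
            hta_names = [n.decode() for n in re.findall(rb"[\w\-]+\.hta", data, re.I)]
            if hits or hta_names:
                report["suspicious_embeddings"].append(
                    (name, data.startswith(OLE_MAGIC), hits, hta_names))
    return report

def build_sample_docx(embedded_blob):
    """Construct a minimal docx-shaped archive holding one embedded object.
    Constructed test input only; not a real Office document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/embeddings/oleObject1.bin", embedded_blob)
    return buf.getvalue()

# Constructed embedded object: OLE header, a stored .hta file name, inert HTA markup.
SAMPLE_HTA_OBJECT = (OLE_MAGIC + b"\x00" * 24 + b"Error733.hta\x00"
                     + b"<html><hta:application/><script>/* placeholder */</script></html>")

if __name__ == "__main__":
    print(triage_docx(build_sample_docx(SAMPLE_HTA_OBJECT)))
```

Because the sample reports no VBA project, a macro-only check would have passed this document; the embedded-object scan is what surfaces it.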
The researchers warned that this is likely to be one of many attacks targeting Winter Olympics organizations or using Olympics-related themes as the Games draw near.
Back in November, Panda Security warned that 2018 would see an increase in fileless attacks using PowerShell to bypass traditional security filters.