
The opening ceremony for the Pyeongchang Winter Olympics in South Korea is still a month away, but cybercriminals have already started using the games as a social engineering lure in several phishing attacks aimed at groups involved with them.

The attack centers on emails carrying malicious Word documents. A McAfee Advanced Threat Research report shows how much effort the threat actors have put into the campaign: if it succeeds, the attacker gains the ability to execute commands on the victim's computer, including installing additional malware.

The first incident took place on December 22 and the last known one on December 28. The initial email was addressed to icehockey@pyeongchang2018[.]com, with several other organizations that play some kind of support or infrastructure role in the Olympics blind CC'd. The email was sent from an IP address in Singapore, and its sender was spoofed to appear to come from the South Korean National Counter-Terrorism Center, which at the time was running counter-terrorism drills for the Olympics.

“From a hacker's perspective, the Olympics are a perfect target. With so many people and so much technology assembled so quickly and working under onerous deadlines, the likelihood for security lapses is high,” said Mark Orlando, CTO of Cyber Services for Raytheon.

Orlando added that the attack itself is a textbook spearphishing campaign. “The hackers are targeting the people on the periphery of the games, pelting them with exactly the kinds of emails they're likely to open and hoping to get access to bigger organizations and more valuable data,” he said.

“The attackers originally embedded an implant into the malicious document as a hypertext application (HTA) file, and then quickly moved to hide it in an image on a remote server and used obfuscated Visual Basic macros to launch the decoder script. They also wrote custom PowerShell code to decode the hidden image and reveal the implant,” McAfee said.

When the recipient makes the mistake of enabling the macro, a PowerShell script is launched. The script downloads and reads an image file, then “carves out a hidden PowerShell implant script embedded within the image file to execute.” The steganography tool embeds the script in the image's pixel values, so the image still renders normally and the malicious code is not visible as text in the file.
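The embed-and-carve step described above, shown as an added example. This is not code from the article or from the McAfee report, and the page does not describe the exact encoding the attackers used, so the layout below (a 4-byte length header, one payload byte per pixel split across the low four bits of the red and blue channels) is an assumption chosen to illustrate the general technique. The cover image and the stand-in "implant" are constructed inline so the script runs offline.

```python
"""
Illustrative LSB steganography: hide a script in pixel data and carve it back out.

Added example, not code from the original article or from the McAfee report.
The encoding used in the real campaign is not given on the page; the layout here
(4-byte big-endian length header, then one byte per pixel stored in the low
nibbles of the red and blue channels) is an assumption made for illustration.
"""
import struct


def make_cover_image(width: int, height: int) -> list:
    """Constructed sample cover image: a smooth gradient, one (r, g, b) tuple per pixel."""
    return [((x * 255) // max(width - 1, 1), (y * 255) // max(height - 1, 1), 128)
            for y in range(height) for x in range(width)]


def embed(pixels: list, payload: bytes) -> list:
    """Return a copy of pixels with payload hidden in the low nibbles of R and B.

    A 4-byte length header is written first so the reader knows how many
    bytes to carve. Only the low 4 bits of two channels change per pixel,
    so the visible image is almost unchanged.
    """
    data = struct.pack(">I", len(payload)) + payload
    if len(data) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = list(pixels)
    for i, byte in enumerate(data):
        r, g, b = pixels[i]
        r = (r & 0xF0) | (byte >> 4)       # high nibble -> low bits of red
        b = (b & 0xF0) | (byte & 0x0F)     # low nibble  -> low bits of blue
        out[i] = (r, g, b)
    return out


def carve(pixels: list) -> bytes:
    """Carve the hidden bytes back out (the 'decoder' stage of the attack chain)."""
    def byte_at(i: int) -> int:
        r, _, b = pixels[i]
        return ((r & 0x0F) << 4) | (b & 0x0F)

    header = bytes(byte_at(i) for i in range(4))
    (length,) = struct.unpack(">I", header)
    if length > len(pixels) - 4:
        raise ValueError("length header exceeds image capacity")
    return bytes(byte_at(4 + i) for i in range(length))


def max_channel_delta(a: list, b: list) -> int:
    """Largest per-channel change between two images; shows how subtle the embed is."""
    return max(abs(pa[c] - pb[c]) for pa, pb in zip(a, b) for c in range(3))


# Constructed stand-in for an implant script; a real one would be far longer.
SAMPLE_SCRIPT = b"Write-Output 'hidden payload'"


def demo() -> tuple:
    """Embed the sample script, carve it back, and report the pixel perturbation."""
    cover = make_cover_image(64, 64)
    stego = embed(cover, SAMPLE_SCRIPT)
    recovered = carve(stego)
    return recovered, max_channel_delta(cover, stego)


if __name__ == "__main__":
    recovered, delta = demo()
    print(recovered.decode())
    print("max per-channel change:", delta)
```

Because only the low four bits of two channels move, no channel value changes by more than 15, which is why a stego'd image looks clean to a human and to most content filters that only inspect file type and rendering. From the defender's side the useful signals are elsewhere in the chain: an Office process spawning PowerShell, PowerShell fetching an image and then executing code it decoded from that image, rather than anything in the image bytes themselves.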

Once the chain completes, the attacker has an encrypted channel from the victim to the attacker's server, most likely giving them the ability to execute code and install additional malware.

The McAfee research found an IP address in an Apache server log connected to a URL located in South Korea along with another that links