McAfee Labs warns of targeted attacks circulating in the wild, using the theme of the 2018 Winter Olympics

McAfee Advanced Threat Research analysts have discovered a campaign targeting organizations involved with the Pyeongchang Olympics. The campaign began December 22, 2017, with the most recent activity appearing December 28. The attackers originally embedded an implant in the malicious document as a hypertext application (HTA) file, then quickly moved to hiding it in an image on a remote server and using obfuscated Visual Basic macros to launch the decoder script. They also wrote custom PowerShell code to decode the hidden image and reveal the implant.
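For defenders, the delivery chain described above (a document whose macro or embedded HTA starts a script host) shows up in process-creation telemetry. The following is an added detection sketch, not code from McAfee or from the campaign; it assumes Sysmon-style `ParentImage`, `Image` and `CommandLine` fields, an assumed list of Office host processes, and constructed sample events.

```python
import ntpath
import re

# Assumption: Office hosts able to run macros; the advisory only says "malicious document".
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Script hosts matching the two delivery stages the advisory describes.
SCRIPT_CHILDREN = {
    "mshta.exe": "HTA launched from an Office document",
    "powershell.exe": "PowerShell launched from an Office document",
}

# Generic command-line hints for hidden or remotely fetched scripts (heuristics, not campaign IoCs).
HINTS = {
    "encoded command": re.compile(r"(?i)-e(nc(odedcommand)?)?\s"),
    "hidden window": re.compile(r"(?i)-w(in(dowstyle)?)?\s+hidden"),
    "no profile": re.compile(r"(?i)-nop(rofile)?\b"),
    "remote download": re.compile(r"(?i)download(string|data|file)"),
}

def triage(event):
    """Return findings for one process-creation event; an empty list means not flagged."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()
    if parent not in OFFICE_PARENTS or child not in SCRIPT_CHILDREN:
        return []
    cmd = event.get("CommandLine", "")
    return [SCRIPT_CHILDREN[child]] + [n for n, rx in HINTS.items() if rx.search(cmd)]

def scan(events):
    """Return (index, findings) for every flagged event."""
    return [(i, f) for i, e in enumerate(events) if (f := triage(e))]

# Constructed sample events for illustration; none are taken from the campaign.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <BASE64-PLACEHOLDER>"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\user\AppData\Local\Temp\placeholder.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(findings))
```

The parent-child relationship is the primary signal; the command-line hints only add context for prioritizing alerts.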

With the upcoming Olympics, we expect to see an increase in cyberattacks using Olympics-related themes. In similar past cases, the victims were targeted for their passwords and financial information. In this case, the adversary is targeting the organizations involved in the Winter Olympics, using several techniques to make opening the weaponized document more tempting:

*** Spoofed email address from South Korea’s National Counter-Terrorism Council
*** Use of Korean language
*** Asking users to open the content because the document is in protected mode
*** A fake domain, registered for malicious use, that incorporates part of the original South Korean Ministry of Agriculture and Forestry domain