Dissecting Olympic Destroyer Malware

Pyeongchang Winter Olympics that took place in South Korea was disrupted by cyber attack, which took down most of the systems including ticketing, WI-FI devices, televisions, and media rooms in the stadium during the opening ceremony.

It was identified to be wiper malware named “Olympic Destroyer” that was built with focus on taking down the systems and wiping out the data. “Olympic Destroyer” is weaponized to delete/wipe out all the files, shadow copies and event logs making the system unusable even for recovery.

Similar to Not-Petya and BadRabbit that were surfaced in 2017, “Olympic Destroyer” uses windows features Psexec and WMI for lateral moments and named-pipes as a channel for communication between itself for execution.

Last week one of our sensors has collected the sample and this post is an overview of the analysis been made by BluSapphire.

 

ANALYZED SAMPLE:

MD5 Hash: cfdd16225e67471f5ef54cab9b3a5558

 

Behavioral analysis:

 To make it almost impossible to recover or repair, attacker has used windows "bcdedit.exe" utility, which is used for  managing Boot Configuration Data (BCD)

To make it almost impossible to recover or repair, attacker has used windows "bcdedit.exe" utility, which is used for managing Boot Configuration Data (BCD)

 In order to to cover their tracks, attacker used windows utility " wevtutil.exe " for deleting Security and System windows event log.

In order to to cover their tracks, attacker used windows utility "wevtutil.exe" for deleting Security and System windows event log.

 During the execution, the sample drops two different files in "%temp%" directory that were used during lateral moment and uses named-pipes as a channel for communication for propagation around the network.

During the execution, the sample drops two different files in "%temp%" directory that were used during lateral moment and uses named-pipes as a channel for communication for propagation around the network.

 With an intension of wiping out all the data, attacker has used "vssadmin.exe" to delete all the available shadow copies make it difficult for recovery.

With an intension of wiping out all the data, attacker has used "vssadmin.exe" to delete all the available shadow copies make it difficult for recovery.