Olympic Destroyer Blocked by enSilo

According to the BBC, on February 12, 2018, the International Olympic Committee was under a cyber-attack. The attack had begun right before the opening ceremony of the games in Pyeongchang, South Korea, and lasted approximately 12 hours. During the attack the Olympics website was taken down along with several non-critical systems, and Internet access at some of the games was also taken down. Since then there has been speculation about the origin of this attack. Some news agencies, such as Sky News and Wired (among many others), have gone as far as suggesting that this cyber-attack was likely carried out by a Russian state-sponsored agency in retaliation for the banning of many Russian athletes from the Olympic games as a result of the doping scandal back in 2014.

Cisco Talos was the first entity to publish a technical report on this cyber-attack. In their report, the Cisco researchers named the malware "Olympic Destroyer". Cisco's analysis suggested that once this malware executed on the system, it attempted to destroy files and to wipe shadow copies and Windows event log records. In addition, this malware dropped additional variants that performed other destructive operations, and it used tools such as Psexec and WMI commands to move within the environment.

Since this malware performs multiple destructive operations, we decided to take a closer look and analyze it. We also ran it through our enSilo post infection protection platform. The malware analysis and execution results were very clear, and the outcome of executing this malware on a system protected by our technology was exactly as we predicted. The analysis of this malware and the results of executing it through our platform are described in the following sections.

MALWARE ANALYSIS

Since Cisco did such a great job describing the malware, this section focuses on the process execution chain that occurs after the "Olympic Destroyer" malware executes, without going into too many deep analysis details. The Olympic Destroyer binary file was executed in an environment that purposely only monitored the execution chain without blocking it. Our goal here was to learn what happens in each stage of this cyber-attack chain from a parent-child process perspective. It is important to note that enSilo's post infection protection platform completely blocks this malware in the initial execution stage, as you will see in the Blocking the Threat Chain section.

Olympic Destroyer

As mentioned, Olympic Destroyer received its name from the destructive operations that occur after its execution. Figure 1 (this figure and all other figures were taken from enSilo's post infection protection platform) shows the execution of this malware by the victim:

Figure 1: Olympic Destroyer

File Characteristics

Filename: winlogon.exe
File Hash: edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9
File Size: 1861632 bytes 
Compile Time: 2017-12-27 11:44:47

The winlogon.exe file is the Olympic Destroyer binary file. It is responsible for dropping other malware variants into the %temp% folder of the affected user. Each dropped file is named with a random character string, in the form <random character string>.exe. The dropped binary files are:

1) Browser password dumper
2) System Credential Stealer
3) Destructors to perform all sorts of deletion operations on the affected system
4) Psexec Tool

Browser Password Dumper

Figure 2: Browser Password Dumper

File Characteristics

Filename: ieccr.exe
File Hash: 19ab44a1343db19741b0e0b06bacce55990b6c8f789815daaf3476e0cc30ebea
File Size: 769536 bytes 
Compile Time: 2017-12-27 11:44:30

This binary file attempts to parse the databases of Internet browsers (e.g. Internet Explorer, Chrome, Firefox and so on) and retrieves stored credentials. In addition, it parses the registry.

System Credential Stealer

Figure 3: System Credential Stealer

File Characteristics

Filename: trcvw.exe
File Hash: f188abc33d351c2254d794b525c5a8b79ea78acd3050cd8d27d3ecfc568c2936
File Size: 284160 bytes 
Compile Time: 2017-12-27 11:44:35

This binary file attempts to steal system credentials from the Windows Local Security Authority Subsystem Service (LSASS), using a technique similar to the one used by Mimikatz.

Destructor

Figure 4: Destructor

File Characteristics

Filename: _wlb.exe
File Hash: ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85
File Size: 36864 bytes
Compile Time: 2017-12-27 09:03:48

This binary file attempts to spawn a cmd.exe process (CMD shell) and then execute wbadmin.exe and vssadmin.exe to delete locally stored backups. Figure 5 shows an example of this operation:

Figure 5: Local Backup Access Attempt

In addition, this binary file also executes bcdedit.exe to modify the Windows Operating System (OS) boot process, as shown in figure 6:

Figure 6: Boot Manager Manipulation Attempt

Figure 7 shows the sequence of commands that this destructor performs during its execution on the affected system:

Figure 7: Sequence of command line tools execution

The wevtutil.exe tool is used to delete Windows event log records, while the vssadmin.exe tool is used to delete all shadow copies from the affected system.
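The destructor's command chain above (a cmd.exe shell spawning wbadmin.exe, vssadmin.exe, bcdedit.exe and wevtutil.exe) is what a process-creation log would show a defender. The following is an added detection example written for this post, not code from enSilo or from the malware: it groups child command lines by their parent shell and flags a parent whose children cover several of these destructive operations. The event format and the tool arguments in the sample events are assumptions (real tool syntax, but not taken from the page).

```python
import re
from collections import defaultdict

# Categories of destructive operation the post attributes to the destructor.
# The argument patterns are assumed real tool syntax, not taken from the post.
RULES = {
    "backup_catalog_delete": re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    "shadow_copy_delete":    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "boot_recovery_tamper":  re.compile(r"\bbcdedit(?:\.exe)?\b.*/set\b.*\b(?:recoveryenabled|bootstatuspolicy)\b", re.I),
    "event_log_clear":       re.compile(r"\bwevtutil(?:\.exe)?\b\s+cl\b", re.I),
}

# Constructed process-creation events: ppid|parent_image|pid|image|command_line
SAMPLE_EVENTS = """\
1000|_wlb.exe|2002|cmd.exe|cmd.exe
2002|cmd.exe|2003|wbadmin.exe|wbadmin.exe delete catalog -quiet
2002|cmd.exe|2004|vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2002|cmd.exe|2005|bcdedit.exe|bcdedit.exe /set {default} recoveryenabled no
2002|cmd.exe|2006|wevtutil.exe|wevtutil.exe cl System
3000|explorer.exe|3001|cmd.exe|cmd.exe
3001|cmd.exe|3002|vssadmin.exe|vssadmin.exe list shadows
"""

def parse_event(line):
    ppid, pimage, pid, image, cmdline = line.split("|", 4)
    return {"ppid": int(ppid), "parent": pimage, "pid": int(pid),
            "image": image, "cmdline": cmdline}

def classify(cmdline):
    """Return the destructive-operation categories a command line matches."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def find_wiper_chains(events_text, min_categories=2):
    """Group matches by parent pid and flag parents whose children cover at
    least min_categories distinct destructive operations (a lone
    'vssadmin list shadows' from an admin shell never reaches the threshold)."""
    hits = defaultdict(dict)   # ppid -> {category: first child pid that matched}
    parents = {}
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        parents[ev["ppid"]] = ev["parent"]
        for cat in classify(ev["cmdline"]):
            hits[ev["ppid"]].setdefault(cat, ev["pid"])
    return {ppid: {"parent": parents[ppid], "operations": cats}
            for ppid, cats in hits.items() if len(cats) >= min_categories}
```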

Shellcode Injection

As mentioned, the Olympic Destroyer also performs two shellcode injections into a legitimate notepad.exe process. The purpose of these two injections is to use the notepad.exe process to delete the Olympic Destroyer from the affected system after it has completed its operations. This is done by overwriting the Olympic Destroyer file content with zeros and then deleting the file from the affected system. Figure 8 shows the process in which the Olympic Destroyer creates a new notepad.exe process:

Figure 8: Notepad.exe Process Creation

Figure 9 shows the first injected buffer operation into notepad.exe using the WriteProcessMemory Windows API:

Figure 9: First Shellcode Injection

Figure 10 shows the metadata that is injected into notepad.exe:

Figure 10: Injected Metadata

As shown above, the values injected into notepad.exe are kernel32 Windows API functions, the filename of the Olympic Destroyer itself, the location of this file and the sleep argument 1388h. Figure 11 shows the protection change and the thread creation:

Figure 11: Second Shellcode Injection method

Finally, figure 12 shows the shellcode that is injected into the notepad.exe process:

Figure 12: Shellcode Section

As mentioned, the second shellcode injection is responsible for running an operation inside the notepad.exe process that overwrites the Olympic Destroyer binary file with zeros and then deletes this file from the affected system.
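The injection sequence described above (spawn notepad.exe, write buffers into it with WriteProcessMemory, change the page protection, create a thread) leaves a distinctive trail in an API or sensor trace. The following is an added example for this post, not enSilo code: it correlates per source/target pair and flags a process that spawns a child and then performs that full sequence against it. The trace format, and the use of VirtualProtectEx and CreateRemoteThread as the protection-change and thread-creation calls, are assumptions; only WriteProcessMemory is named on the page.

```python
from collections import defaultdict

# Constructed API-trace events (assumed format): source_pid|source_image|api|target_pid|detail
# Two writes then protect then thread mirror the two-stage injection described in the post.
SAMPLE_TRACE = """\
4100|winlogon.exe|CreateProcess|4200|C:\\Windows\\System32\\notepad.exe
4100|winlogon.exe|WriteProcessMemory|4200|size=4096
4100|winlogon.exe|WriteProcessMemory|4200|size=512
4100|winlogon.exe|VirtualProtectEx|4200|PAGE_EXECUTE_READWRITE
4100|winlogon.exe|CreateRemoteThread|4200|start=injected
5000|explorer.exe|CreateProcess|5001|C:\\Windows\\System32\\notepad.exe
5000|explorer.exe|WriteProcessMemory|5001|size=64
"""

# Assumed API names for the three stages the post describes.
INJECTION_SEQUENCE = ("WriteProcessMemory", "VirtualProtectEx", "CreateRemoteThread")

def in_order(observed, required):
    """True when every API in `required` appears in `observed` in that order."""
    i = 0
    for api in observed:
        if i < len(required) and api == required[i]:
            i += 1
    return i == len(required)

def detect_child_injection(trace_text):
    """Flag a source that spawns a child and then runs the full
    write / protect / create-thread sequence against that child."""
    spawned = {}                 # (src, tgt) -> child image path
    source_image = {}
    calls = defaultdict(list)    # (src, tgt) -> injection APIs in trace order
    for line in trace_text.splitlines():
        src, image, api, tgt, detail = line.split("|", 4)
        key = (int(src), int(tgt))
        source_image[key] = image
        if api == "CreateProcess":
            spawned[key] = detail
        elif api in INJECTION_SEQUENCE:
            calls[key].append(api)
    return [
        {"source_pid": src, "source": source_image[(src, tgt)],
         "target_pid": tgt, "target": spawned[(src, tgt)],
         "writes": calls[(src, tgt)].count("WriteProcessMemory")}
        for (src, tgt), apis in calls.items()
        if (src, tgt) in spawned and in_order(apis, INJECTION_SEQUENCE)
    ]
```

A single write without the later protection change and thread creation (the explorer.exe pair in the sample) is not flagged, which keeps the rule from firing on ordinary cross-process writes.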

Blocking the Threat Chain

enSilo's post infection protection platform blocks the Olympic Destroyer binary file during the initial execution process and thereby stops the threat chain from progressing any further. Figure 13 illustrates that process:

Figure 13: Blocking the Threat Chain

 
Our platform plays an integral part in blocking threats like this in their initial stage, before they have any chance to perform activities that can cause further damage.

First and foremost, our malware analysis revealed that the malware deletes itself from the system after infection using a shellcode injection technique. In fact, the analysis suggests that the malware performed shellcode injection into the legitimate Windows notepad.exe process at two different addresses. Finally, our post infection platform effectively intercepted and blocked this malware from performing malicious operations very early in the execution stage.
