Olympic Destroyer Blocked by enSilo
According to the BBC, on February 12, 2018, the International Olympic Committee was the target of a cyber-attack. The attack had begun right before the opening ceremony of the games in Pyeongchang, South Korea, and lasted approximately 12 hours. During the attack the official Olympics website was taken down along with several non-critical systems, and Internet connectivity at some of the venues was also disrupted. Since then there has been speculation about the origin of the attack. Some news outlets, such as Sky News and Wired (among many others), have gone as far as suggesting that it was likely carried out by a Russian state-sponsored group in retaliation for the banning of many Russian athletes from the games over the doping scandal dating back to 2014.
Cisco Talos was the first to publish a technical report on this attack. In that report the Talos researchers named the malware “Olympic Destroyer”. Cisco’s analysis showed that once the malware executes on a system it attempts to destroy files, wipe shadow copies and clear Windows event log records. In addition, the malware drops further components that perform other destructive operations, and it uses tools such as PsExec and WMI commands to move laterally within the environment.
Since this malware performs multiple destructive operations, we decided to take a closer look and analyze it. We also ran it against our enSilo post-infection protection platform. The analysis and execution results were clear, and the outcome of executing the malware on a system protected by our technology was exactly as we predicted. The analysis and the results of running the sample through our platform are described in the following sections.
Since Cisco did such a thorough job describing the malware, this section focuses on the process execution chain that follows execution of the “Olympic Destroyer” binary, without going into deep analysis details. The binary was executed in an environment deliberately configured to monitor the execution chain without blocking it, so that we could learn what happens at each stage of the attack chain from a parent-child process perspective. It is important to note that enSilo’s post-infection protection platform completely blocks this malware at the initial execution stage, as shown in the Blocking the Threat Chain section.
As mentioned, Olympic Destroyer received its name from the destructive operations it performs after execution. Figure 1 (this figure and all other figures were taken from enSilo’s post-infection protection platform) shows the execution of the malware by the victim:
Figure 1: Olympic Destroyer
File Hash: edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9
File Size: 1861632 bytes
Compile Time: 2017-12-27 11:44:47
The winlong.exe file is the Olympic Destroyer binary. It drops additional components into the %temp% folder of the affected user, each under a random file name of the form <random character string>.exe. The dropped binaries are:
1) Browser password dumper
2) System credential stealer
3) Destructor, which performs all sorts of deletion operations on the affected system
4) PsExec tool
Browser Password Dumper
Figure 2: Browser Password Dumper
File Hash: 19ab44a1343db19741b0e0b06bacce55990b6c8f789815daaf3476e0cc30ebea
File Size: 769536 bytes
Compile Time: 2017-12-27 11:44:30
This binary parses the credential databases of Internet browsers (e.g. Internet Explorer, Chrome, Firefox) and retrieves the stored credentials. In addition, it parses the registry.
System Credential Stealer
Figure 3: System Credential Stealer
File Hash: f188abc33d351c2254d794b525c5a8b79ea78acd3050cd8d27d3ecfc568c2936
File Size: 284160 bytes
Compile Time: 2017-12-27 11:44:35
This binary attempts to steal system credentials from the Windows Local Security Authority Subsystem Service (LSASS) process, using a technique similar to the one used by Mimikatz.
Destructor
Figure 4: Destructor
File Hash: ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85
File Size: 36864 bytes
Compile Time: 2017-12-27 09:03:48
This binary spawns a cmd.exe process (CMD shell) and through it executes wbadmin.exe and vssadmin.exe to delete locally stored backups. Figure 5 shows an example of this operation:
Figure 5: Local Backup Access Attempt
In addition, this binary executes bcdedit.exe to modify the Windows Operating System (OS) boot configuration, as shown in figure 6:
Figure 6: Boot Manager Manipulation Attempt
Figure 7 shows the sequence of command line tools that this destructor executes on the affected system:
Figure 7: Sequence of command line tools execution
The wevtutil.exe tool is used to clear Windows event log records, while vssadmin.exe is used to delete all shadow copies from the affected system, so that neither the logs nor the volume snapshots are available for recovery or investigation afterwards.
In addition, Olympic Destroyer performs two shellcode injections into a legitimate notepad.exe process. The purpose of these injections is to have notepad.exe delete the Olympic Destroyer binary from the affected system after the malware has finished its work: the file content is first overwritten with zeros and the file is then deleted. Figure 8 shows Olympic Destroyer creating the new notepad.exe process:
Figure 8: Notepad.exe Process Creation
Figure 9 shows the first buffer being written into notepad.exe using the WriteProcessMemory Windows API:
Figure 9: First Shellcode Injection
Figure 10 shows the metadata that is injected into notepad.exe:
Figure 10: Injected Metadata
As shown above, the values injected into notepad.exe are the names of kernel32 Windows API functions, the file name of the Olympic Destroyer binary itself, the path of that file and the sleep argument 1388h (5000 in decimal; as a Sleep argument that is a 5-second delay). Figure 11 shows the memory protection change and the thread creation:
Figure 11: Second Shellcode Injection method
Finally, figure 12 shows the shellcode that is injected into the notepad.exe process:
Figure 12: Shellcode Section
As mentioned, the second injection is responsible for running the routine inside the notepad.exe process that overwrites the Olympic Destroyer binary with zeros and then deletes the file from the affected system. Because the bytes are overwritten before the file is deleted, the original sample cannot be recovered from the disk afterwards; it has to be captured in memory or at execution time.
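As an added example (not part of the original analysis and not enSilo product code), the following Python script shows how the two behaviours described above, the destructor's command line tools in figures 5 to 7 and the self-deletion through notepad.exe in figures 8 to 12, can be expressed as detection logic over process-creation, remote-thread and file-delete telemetry. Sysmon Event IDs 1, 8 and 23 are used as the record types. The sample events, the user and file paths, and the exact command line switches are constructed for this example; the switches follow the tools' documented deletion syntax rather than being copied from figure 7.

```python
"""Detection logic for the Olympic Destroyer destructor and self-deletion chain.

All events below are constructed for the example; nothing here is a capture
from the incident.  Event IDs follow Sysmon numbering:
  1  = ProcessCreate, 8 = CreateRemoteThread, 23 = FileDelete.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal Sysmon-style record (constructed for this example)."""
    event_id: int              # 1, 8 or 23, see module docstring
    image: str                 # process that performed the action
    command_line: str = ""     # EID 1 only
    target_image: str = ""     # EID 8: process that received the thread
    target_file: str = ""      # EID 23: path of the deleted file


# Destructive command lines.  The tool names come from the analysis above; the
# sub-commands are the tools' documented deletion / recovery-disabling syntax.
DESTRUCTIVE_PATTERNS = [
    ("shadow copy deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("backup catalog deletion",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery disabled",
     re.compile(r"bcdedit(\.exe)?.*?(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("event log cleared",
     re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)),
]


def classify_command(command_line):
    """Return the name of the destructive rule a command line matches, or None."""
    for name, pattern in DESTRUCTIVE_PATTERNS:
        if pattern.search(command_line):
            return name
    return None


def detect(events):
    """Run the rules over an event stream and return a list of alert strings.

    Besides the per-command rules, two stateful checks cover the notepad.exe
    trick: a remote thread created in notepad.exe by another process, and a
    later file deletion by notepad.exe whose target is that injecting process.
    """
    alerts = []
    injected = {}  # lower-cased target image -> image of the injecting process
    for ev in events:
        if ev.event_id == 1:
            rule = classify_command(ev.command_line)
            if rule:
                alerts.append(f"{rule}: {ev.command_line}")
        elif ev.event_id == 8:
            target = ev.target_image.lower()
            # notepad.exe has no reason to receive threads from other processes.
            if target.endswith("notepad.exe") and ev.image.lower() != target:
                injected[target] = ev.image
                alerts.append(f"remote thread into {ev.target_image} from {ev.image}")
        elif ev.event_id == 23:
            source = injected.get(ev.image.lower())
            if source and ev.target_file.lower() == source.lower():
                alerts.append(f"self-deletion: {ev.image} deleted its injector {source}")
    return alerts


# Constructed sample stream.  "victim" and the Downloads path are assumptions.
DROPPER = r"C:\Users\victim\Downloads\winlong.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\cmd.exe",
          command_line=r"cmd.exe /c vssadmin.exe delete shadows /all /quiet"),
    Event(1, r"C:\Windows\System32\wbadmin.exe",
          command_line=r"wbadmin.exe delete catalog -quiet"),
    Event(1, r"C:\Windows\System32\bcdedit.exe",
          command_line=r"bcdedit.exe /set {default} recoveryenabled no"),
    Event(1, r"C:\Windows\System32\wevtutil.exe",
          command_line=r"wevtutil.exe cl System"),
    Event(1, NOTEPAD, command_line="notepad.exe"),              # benign, not flagged
    Event(8, DROPPER, target_image=NOTEPAD),                    # injection into notepad.exe
    Event(23, NOTEPAD, target_file=DROPPER),                    # notepad.exe wipes the dropper
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The per-command rules are deliberately narrow: they key on the deletion sub-commands rather than on the tool names, because vssadmin, wbadmin, bcdedit and wevtutil all have legitimate administrative uses. The two stateful checks are what tie the chain together; a lone remote thread into notepad.exe is suspicious, but a subsequent delete by notepad.exe of the very file that injected it is the self-removal described in this section.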
Blocking the Threat Chain
enSilo’s post-infection protection platform blocks the Olympic Destroyer binary during the initial execution process and thereby stops the threat chain from progressing any further. Figure 13 shows that process:
Figure 13: Blocking the Threat Chain
Our platform plays an integral part in blocking threats like this at their initial stage, before they have any chance to perform activities that cause further damage.
First and foremost, our malware analysis revealed that the malware deletes itself from the system after infection using a shellcode injection technique: it injects into the legitimate Windows notepad.exe process at two different addresses and lets that process wipe and delete the original binary. Finally, our post-infection protection platform intercepted the malware and blocked it from performing any malicious operation very early in the execution stage.