McAfee has discovered malware that serves as the second-stage payload in a phishing campaign targeting organizations that are involved with the 2018 Winter Olympics.
In a post published Friday, McAfee’s Advanced Threat Research team details the discovery and analysis of implants that surface on phishing targets’ systems once an initial PowerShell backdoor is installed. The report is an update on a previously discovered phishing campaign that aimed to establish backdoors when a victim opens a Microsoft Word document attachment.
McAfee is calling the implants GoldDragon, Brave Prince, Ghost419 and RunningRat. The company says that once the initial backdoor is installed, these new implants establish a permanent presence that siphons information from the victim’s computer.
The Gold Dragon implant allows for the downloading of subsequent malware payloads. Brave Prince and Ghost419 can collect content from the victim’s hard drive as well as detailed information about the computer. RunningRat is a remote access trojan (RAT) that is supposed to be able to collect keystrokes and clipboard information, delete and compress files, clear event logs, shut down the machine “and much more” according to McAfee. However, the researchers say there may not be a way a for RunningRat’s code to be executed.
The implants give attackers manual access to “any information they desire,” Ryan Sherstobitoff, senior analyst with McAfee Advanced Threat Research told CyberScoop in an email.
“With the discovery of these implants, we now have a better understanding of the scope of this operation. Gold Dragon, Brave Prince, Ghost419, and RunningRat demonstrate a much wider campaign than previously known. The persistent data exfiltration we see from these implants could give the attacker a potential advantage during the Olympics,” Sherstobitoff and co-author Jessica Saavedra-Morales said in their report.
The previously reported backdoor is installed using code that’s embedded in the pixels of a hidden image file. The attack is delivered via a Microsoft Word document that appears to be from the South Korea National Counter-Terrorism Center. McAfee said in its earlier research that the document was emailed to several organizations in South Korea with some association to the Olympics. The primary address was “firstname.lastname@example.org” with other groups on the BCC line.
Sherstobitoff previously told CyberScoop that the phishing campaign previously reported is likely being carried out by an organization rather than a sole person. He now says it’s still not clear who the organization is.
“Attribution is difficult, and technical analysis alone does not provide enough data to definitively say what group is behind an attack. Government and law enforcement agencies have resources the private sector does not, thus are in unique positions to make attribution assessments with confidence,” Sherstobitoff said.
Cybersecurity is shaping up to be as an issue to be reckoned with when it comes to the Olympics. Russian hacking group Fancy Bear, or APT28, claimed to release emails and documents belonging to the International Luge Federation last month. The group also appears to be gearing up for other attacks surrounding the Olympics. On Thursday, the U.S. Computer Emergency Readiness Team issued an alert reminding Americans traveling to Pyeongchang to be vigilant about the security of their devices and personally identifiable information.