Olympic Destroyer Data-Wiping Malware Is More Complex Than Previously Thought


The Olympic Destroyer malware that has caused damage to PyeongChang 2018 Winter Olympics computer networks is much more complex than previously thought.

Discovered by Cisco Talos researchers, this malware was deployed before the start of the Olympics and caused downtime for internal WiFi and television systems, disrupting some operations during the games’ opening ceremony.

Cisco published an initial analysis (now updated) of this threat yesterday, revealing that Olympic Destroyer was capable of mangling a computer’s data recovery procedures and deleting crucial Windows services, rendering Windows computers unable to boot.

Because Olympic Destroyer is still a new threat, the original analysis was amended today with new information. Three major new pieces of information came to light.

1. Olympic Destroyer is a data wiper

The biggest update is the discovery of a data-wiping mechanism that attempts to delete files on network shares.

“[T]he malware lists mapped file shares and for each share, it will wipe the writable files (using either uninitialized data or 0x00 depending on the file size),” an update to the original Cisco Talos analysis reveals.

While this data-wiping behavior may not delete the files an operating system needs to function, it does delete files shared on network drives, files that are evidently important enough to be shared among Olympic staffers, thereby hindering some operations.
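The two overwrite modes quoted above (0x00 fill or uninitialized data) leave different traces on a share. As an added triage example, not part of the original article or Cisco's analysis, the script below walks a mounted share and flags files whose head is all zeros or whose leading bytes no longer match the magic number their extension implies; the magic table and the sample files are constructed assumptions.

```python
import tempfile
from pathlib import Path

# Expected leading bytes for a few document types likely to live on a shared drive
# (an assumption for this example; extend the table for the file types you expect).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG",
}
HEAD_LEN = 4096  # only the head of each file is read

def classify(head: bytes, suffix: str) -> str:
    """Classify the first bytes of a file as 'zero_filled', 'header_mismatch' or 'ok'."""
    if head and head.count(0) == len(head):
        return "zero_filled"           # consistent with the 0x00 overwrite
    expected = MAGIC.get(suffix.lower())
    if expected is not None and not head.startswith(expected):
        return "header_mismatch"       # consistent with an overwrite using junk (uninitialized) data
    return "ok"

def scan_share(root: str) -> dict:
    """Walk a mounted share and return {relative_path: verdict} for suspicious files."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            verdict = classify(fh.read(HEAD_LEN), path.suffix)
        if verdict != "ok":
            findings[str(path.relative_to(root))] = verdict
    return findings

def demo() -> dict:
    """Build a constructed share with one intact and two wiped files, then scan it."""
    with tempfile.TemporaryDirectory() as share:
        (Path(share) / "intact.pdf").write_bytes(b"%PDF-1.4\n%constructed sample\n")
        (Path(share) / "budget.xlsx").write_bytes(b"\x00" * 10_000)          # zero-filled
        (Path(share) / "schedule.docx").write_bytes(bytes(range(255, -1, -1)))  # junk bytes
        return scan_share(share)

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:16} {name}")
```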

2. Olympic Destroyer mutates on each computer, patches itself

While the discovery of a data-wiping mechanism is worth noting, the malware’s code contains another, far more interesting mechanism.

According to Cisco researchers, Olympic Destroyer uses a self-patching mechanism that allows it to mutate and evolve as it moves from one infected host to the next.

The initial analysis published yesterday said that Olympic Destroyer dropped two credential stealers (for browser and system passwords) on each infected host, and then used these stolen credentials along with a list of hardcoded usernames and passwords to move laterally across an infected network.

Today, Cisco researchers said they were wrong about this initial assessment after discovering Olympic Destroyer samples with different lists of hardcoded credentials.

A closer look at the malware’s behavior revealed that Olympic Destroyer takes the list of credentials found on the local computer and generates a new binary for itself, which is then dropped on other computers on the same network.

The malware adds these new credentials stolen from the current PC to its list of hardcoded credentials.

This self-mutating behavior allows Olympic Destroyer to gather more and more credentials as it spreads through a local network, updating its binary on the fly.

“I have not seen a malware sample modify itself to include harvested creds before and I’ve been doing this stuff for longer than I should admit,” Craig Williams, one of the Cisco Talos researchers, said today on Twitter.

“Polymorphic malware isn’t a new idea by itself, but I have never seen any examples of malware modifying itself to include harvested credentials,” added Jaeson Schultz, fellow Cisco Talos researcher.
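One defensive consequence of the mechanism described above is that every host ends up with a different binary, so a file-hash indicator for one sample will not match its siblings. The added example below (not code from the article or from Cisco Talos) uses a constructed toy layout, invariant code around a delimited credential table, to show that full-file hashes diverge between a seed sample and the copy dropped on the next host while a hash that skips the table still matches, and to list which harvested accounts appeared in the child; the layout, markers and credentials are all constructed assumptions, not the real binary’s format.

```python
import hashlib
import re

# Constructed toy layout: invariant code, a credential table between fixed markers, more code.
# The real binary's layout is not described in the article; only the idea that the table
# differs per host is taken from it.
TABLE_START = b"<<CREDS>>"
TABLE_END = b"<</CREDS>>"
CODE_A = b"\x55\x48\x89\xe5" + b"constructed code section A" * 4
CODE_B = b"constructed code section B" * 4 + b"\xc3"

def make_sample(creds: list[tuple[str, str]]) -> bytes:
    """Assemble a constructed test fixture carrying the given credential table."""
    table = ";".join(f"{u}:{p}" for u, p in creds).encode()
    return CODE_A + TABLE_START + table + TABLE_END + CODE_B

def extract_creds(sample: bytes) -> list[tuple[str, str]]:
    """Recover the embedded (user, password) pairs so compromised accounts can be reset."""
    m = re.search(re.escape(TABLE_START) + rb"(.*?)" + re.escape(TABLE_END), sample, re.S)
    if not m:
        return []
    entries = [e.split(":", 1) for e in m.group(1).decode().split(";") if e]
    return [(u, p) for u, p in entries]

def full_hash(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()

def invariant_hash(sample: bytes) -> str:
    """Hash everything except the credential table, so siblings from one campaign match."""
    start = sample.find(TABLE_START)
    end = sample.find(TABLE_END, start)
    if start < 0 or end < 0:
        return full_hash(sample)
    return hashlib.sha256(sample[:start] + sample[end + len(TABLE_END):]).hexdigest()

def compare(parent: bytes, child: bytes) -> dict:
    """Summarise how a child sample relates to the sample it was dropped from."""
    p, c = extract_creds(parent), extract_creds(child)
    return {
        "same_full_hash": full_hash(parent) == full_hash(child),
        "same_invariant_hash": invariant_hash(parent) == invariant_hash(child),
        "new_creds": [x for x in c if x not in p],
        "dropped_creds": [x for x in p if x not in c],
    }

# Constructed fixtures: the seed sample and the copy dropped on a second host.
SEED = make_sample([("admin", "P@ss1"), ("svc_backup", "Winter2018")])
CHILD = make_sample([("admin", "P@ss1"), ("svc_backup", "Winter2018"), ("jdoe", "hunter2")])
```

Running `compare(SEED, CHILD)` reports a differing full hash, a matching invariant hash, and `jdoe` as the account harvested on the intermediate host.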

3. Olympic Destroyer spread using EternalRomance exploit

But this binary mutation behavior does not explain how Olympic Destroyer arrived on some of the infected networks in the first place. This is where the third and last of today’s updates, courtesy of Microsoft, sheds some light.

According to the Windows Defender team, Olympic Destroyer appears to have been deployed via one of the NSA exploits leaked by the Shadow Brokers last year, namely EternalRomance.

EternalRomance is one of the two NSA exploits (together with EternalBlue) that were used by the NotPetya and Bad Rabbit ransomware strains, two of 2017’s three major ransomware outbreaks.

While Olympic Destroyer was most likely created weeks if not months ago, it has only been known to security researchers for five days.

Infosec experts are going to continue to dig through the Olympic Destroyer code in the coming days, and readers shouldn’t be surprised if researchers amend the original analysis with new information a few times more.

But while some of the malware’s mechanics are still murky, what is certain at the moment is that Olympic Destroyer was not created for cyber-espionage or data exfiltration. The malware’s sole purpose appears to have been destruction, an opinion shared by almost all security researchers who have spoken on the matter.
