Olympic Destroyer malware targeted Pyeongchang Games

  • Malware.exe
    • %Userprofile%\windows\AppData\Local\Temp\_ail.exe
    • %Userprofile%\windows\AppData\Local\Temp\_cqk.exe
    • %Userprofile%\windows\AppData\Local\Temp\_lew.exe
    • %Userprofile%\windows\AppData\Local\Temp\mbxve.exe
    • %Userprofile%\Public\19D132B60A21D68CFAC81B1BD252C965

Once the computer is compromised, the Malware runs the following commands:

The Malware overwrites the computer’s partition table to avoid targets to
recover their system drive, thereby making the infected machine unusable:

The malware deletes all shadow copies on the system using vssadmin tool:

The malware deletes all Web admin backup files on the target system:

The malware wipes all available logs of the System Security windows event log to ensure that recovery
is extremely difficult:

The Malware drops two VBS files on the target system and execute it via
VBScript tool:

The credentials embedded in the malware sample indicate that the Olympics
IT providers was likely compromised by the same hackers that ultimately hit
the Winter Olympics. It remains unclear how hackers were able to steal so
much information from Olympics employees, Here are some examples of
embedded credentials:

After this Malware runs the above commands its deletes itself using
injected shellcode in a legitimate copy of notepad.exe, the malware writes
shellcode in the allocated memory through WriteProcessMemory and it creates
a remote thread for its execution via CreateRemoteThread function. The
injected notpad.exe waits until the sample terminates, and then deletes it.

Sonicwall Capture Labs provides protection against this threat via the
following signature:

  • GAV: OlympicDestroyer.A (Trojan)



The SonicWall Capture Labs Threat Research Team observed new malware
Called OlympicDestroyer [OlympicDestroyer.A].The Winter Olympics this year is being held in Pyeongchang, South Korea and OlympicDestroyer malware was designed to knock computers
offline by deleting critical system files, which would render the machines
useless. This Malware was used in an attack on the opening ceremony of the
Pyeongchang Winter Games.Infection Cycle:The Malware adds the following files to the system:

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.