Olympic Destroyer, the wiper malware that briefly disrupted the Winter Olympic Games in South Korea earlier this year, appears to be back with a new first-stage dropper variant. It contains a few significant changes that indicate an evolution for the APT group behind it, according to researchers.
Despite its name, Olympic Destroyer has targeted victims beyond the Games since February. In all of those cases, the APT group behind the malware typically uses spear-phishing emails with attached documents containing malicious macros as its initial threat vector. The macros’ complexity has increased over time, according to Check Point researchers, with new versions appearing every month or so in an effort to remain under the radar. In October however, something changed.
“The string-encoding methods, as well as other common indicators which we will list afterwards, clearly show that at the very least, most documents were created by one threat actor, with the same set of obfuscation tools that evolved on a monthly basis,” Check Point researchers pointed out in a recent posting. “The latest sample we discovered shows a deviation from the normal evolutionary path that Hades’ macros usually take and represent a whole new variant.”
More specifically, the sample introduces new features like anti-analysis and delayed execution, which were only used by the second-stage wiper payload in the past, the team noted. This shows that the group has changed up its infection flow.
The group’s doc files and macro obfuscators have unique characteristics that can be used to distinguish them from other droppers. For instance, most droppers include one of the three document author names: James, John or AV. These “fingerprints” are important for researchers tracking the group, because they’re so few and far between, analysts said. Between a lack of distinguishing characteristics and the numerous false flags built into the code, Kaspersky Lab has called efforts to identify the group “attribution hell” — an assessment that has evolved into dubbing the group “Hades” as a catch-all.
“Hades is known to utilize publicly available tools for reconnaissance and post-exploitation,” the Check Point researchers noted. “This makes analysis and detection of the first stage of the attack even more important as it becomes one of the only ways to distinguish this group’s operations from others’ and to track their activity worldwide.”
In the latest campaign, the user is first presented with a blank page, Check Point said. “Once activated, the macros change the white text to black, and the content is revealed,” researchers explained. “The text of the document was taken from a legitimate document, available online.”
The macro itself then performs sandbox evasion; it retrieves a list of running processes, which are then compared against those used by popular analysis tools; and, it counts how many running processes there are in total.
“This process count is effective against sandboxes and analysis environments where there are usually a few processes running,” the analysts added.
Previously, these efforts took place within the PowerShell stage of the old variant, Check Point said.
The latest dropper also writes a decoded HTA file to the computer’s disk and schedules it to be executed in the morning hours. The HTA file utilizes VBScript to decode the next-stage command line, with the same techniques and decoders from the macro stage.
In addition to the first-stage changes that they uncovered, Check Point researchers also discovered new intel about Hades’ droppers’ use of compromised servers as a second-stage command-and-control (C2).
“Though not much is known about Hades’ infrastructure, some droppers which contacted their C2 exposed some server errors,” the team said. “Those errors indicate that compromised servers only act as a proxy, and the requests were in fact redirected to another server, which hosted the Empire back-end.”
Overall, the changes indicate that the group continues to innovate in order to avoid detection and attribution; the group famously planted false flags during the Olympics attacks to avoid being uncovered; the latest dropper continues its quest to avoid the spotlight.
“Hades shows no signs of slowing down their operation, as their capabilities are growing alongside their victims list,” Check Point researchers said.