Olympic Destroyer Data-Wiping Malware Is More Complex Than Previously Thought (mutates on each PC)

[LASER_oneXM]

The Olympic Destroyer malware that has caused damage to PyeongChang 2018 Winter Olympics computer networks is much more complex than previously thought.

Discovered by Cisco Talos researchers, this malware has been deployed before the start of the Olympics and has caused downtime to internal WiFi and television systems, disrupting some operations during the games' opening ceremony.

Cisco published an initial analysis (now updated) of this threat yesterday, revealing that Olympic Destroyer was capable of mangling a computer's data recovery procedures and deleting crucial Windows services, rendering Windows computers unable to boot.

Because Olympic Destroyer was still a new threat, the original analysis was amended today with new information. Three new major pieces of information came to light today.

1. Olympic Destroyer is a data wiper
The biggest update relates to the discovery of a data-wiping mechanism that attempts to delete files on network shares.

"[T]he malware lists mapped file shares and for each share, it will wipe the writable files (using either uninitialized data or 0x00 depending of the file size)," an update to the original Cisco Talos analysis reveals.

While this data-wiping behavior may not delete crucial files needed for an operating system to function, it does delete files shared on network drives, files that are obviously important enough to be shared among Olympic staffers, hence hindering some operations.

2. Olympic Destroyer mutates on each computer

But while the discovery of a data wiping mechanism is something to take note, there is another mechanism far more interesting included in the malware's code.


According to Cisco researcher, Olympic Destroyer uses a self-patching mechanism that allows it to mutate and evolve from each infected host to another.

The initial analysis published yesterday said that Olympic Destroyer dropped two credential stealers (for browser and system passwords) on each infected host, and then used these stolen credentials along with a list of hardcoded usernames and passwords to move laterally across an infected network.

3. Olympic Destroyer spread using EternalRomance exploit
But this binary mutation behavior does not explain how Olympic Destroyer arrived on some of the infected networks. This is where the third and last of today's updates came in to shed some light, courtesy of Microsoft.

According to the Windows Defender team, Olympic Destroyer appears to have been deployed via one of the NSA exploits leaked by the Shadow Brokers last year —namely EternalRomance.

 

[plat1098]

There is speculation that "Russian petulance" due to partial ban is responsible, but as usual--speculation.

Source: 'Olympic Destroyer' Malware Hit Pyeongchang Ahead of Opening Ceremony