Hackers are targeting the upcoming Winter Olympics in South Korea with a phishing and malware campaign, researchers at cyber security firm McAfee have found.
In a blog post, McAfee Advanced Threat Research analysts Ryan Sherstobitoff and Jessica Saavedra-Morales said they had discovered a campaign targeting organisations involved with the Pyeongchang Olympics, scheduled for February 9-25.
“Attached in an email was a malicious Microsoft Word document with the original file name ‘Organised by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics’,” the duo said late on Sunday.
Email addresses associated with ice hockey at the Winter Olympics were among those targeted by attackers.
“The primary target of the email was firstname.lastname@example.org, with several organisations in South Korea on the BCC line. The majority of these organisations had some association with the Olympics, either in providing infrastructure or in a supporting role. The attackers appear to be casting a wide net with this campaign,” they added.
The campaign targeting the Pyeongchang Olympics began on December 22 last year.
The attackers originally embedded an implant in the malicious document as a hypertext application (HTA) file, then quickly moved to hiding it in an image on a remote server, using obfuscated Visual Basic macros to launch the decoder script.
“They also wrote custom PowerShell code to decode the hidden image and reveal the implant,” the researchers added.
If opened, the document tells the user they must click to enable content.
Based on their analysis, the team said this implant establishes an encrypted channel to the attacker’s server, likely giving the attacker the ability to execute commands on the victim’s machine and to install additional malware.
“With the upcoming Olympics, we expect to see an increase in cyberattacks using Olympics-related themes. In similar past cases, the victims were targeted for their passwords and financial information,” McAfee noted.
The Advanced Threat Research team has discovered an increase in the use of “weaponised Word documents against South Korean targets in place of the traditional use of weaponised documents exploiting vulnerabilities in the ‘Hangul’ word processor software”, the company added.