Attackers Target Winter Olympics by Weaponized Word Doc[infosecurity-magazine]

Security researchers have uncovered a sophisticated phishing campaign targeting organizations involved in the Pyeongchang Olympics with a weaponized Word doc, and using a range of obfuscation techniques to fly under the radar.

The malicious document is written in fluent Korean and named “Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics”, according to McAfee.

It was aimed at a number of organizations providing infrastructure and support for the games, and was spoofed to appear to come from South Korea’s National Counter-Terrorism Center (NCTC), when in fact the IP address is in Singapore.

When the user clicks “Enable Content” in the doc, it launches a hidden PowerShell script.

“The attackers used the open-source tool Invoke-PSImage, released December 20, to embed the PowerShell script into [an] image file. The steganography tool works by embedding the bytes of a script into the pixels of the image file, giving the attacker the ability to hide malicious PowerShell code in a visible image on a remote server,” explained McAfee researchers Ryan Sherstobitoff and Jessica Saavedra-Morale.

“The attacker’s objective is to make analysis difficult and to evade detection technologies that rely on pattern matching. Because the obfuscation makes use of native functions in PowerShell, the script can run in an obfuscated state and work correctly.”

The attackers used the implant to establish an encrypted channel to a remote server, allowing them to execute commands on the victim’s machine and potentially download additional malware.

For more, click here.