Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • McAfee analysts have discovered a malware campaign targeting organizations associated with the upcoming 2018 Winter Olympics.
  • The attack is particularly noteworthy because it incorporates a PowerShell script embedding tool that was less than a week old, showing attackers are moving quickly to incorporate new techniques.

Malware analysts at McAfee have discovered a fileless malware campaign targeting organizations involved in the upcoming 2018 Winter Olympics in Pyeongchang, South Korea.

The known targets are all located in South Korea and are “organizations [that have] some association with the Olympics, either in providing infrastructure or in a supporting role,” McAfee said.

This attack, like many fileless malware attacks, is relying on PowerShell to execute an in-memory attack that creates a backdoor. It’s also arriving, like many attacks, via email in malicious Word documents.

While the method may not be new, “This particular malware has not been seen before and it is something custom that was created by the attacker,” McAfee analyst Ryan Sherstobitoff told our sister site ZDNet.

That makes it a deliberate, and worrying, threat for any governmental or civilian organization involved in the 2018 Olympics.

Attacking the Olympics

While the malicious emails appeared to be coming from South Korea’s National Counter-Terrorism Center (NCTC), McAfee has discovered that the attack is actually originating in Singapore.

The message, which appears to be a warning from the NCTC, was perfectly timed to coincide with actual security testing by the organization. When opened, the email prompts users to enable content that will allow their version of Microsoft Word to read the attached document.

SEE: IT leader’s guide to the threat of fileless malware (Tech Pro Research)

When the victim clicks Enable Content, the malware launches a Visual Basic macro, which in turn executes a PowerShell script–both are typical parts of fileless malware attacks, but from there the attacker gets innovative.

The PowerShell script downloads an image file, which itself contains another embedded PowerShell script that was put there using an open source tool called Invoke-PSImage. As McAfee notes, that tool was only released on December 20, 2017, so the attacker moved quickly to integrate it into their attack, which began just two days after Invoke-PSImage’s release.

Invoke-PSImage is a steganography tool that buries PowerShell scripts in the pixels of PNG images. In this case, the script is further obfuscated using string-format operators so that it’s nearly impossible to detect once it’s extracted into the command line and used to set up a secure connection to a command and control server.

Olympic-connected, or uninvolved, businesses take note

This particular attack, McAfee said, only lasted from December 22 to 28, 2017, but it’s still early. The Olympics don’t begin for another month, which is plenty of time for the attacker to spread their efforts further.

Even if the attack has run its course, it has revealed a new weapon in the fileless malware arsenal: Invoke-PSImage.

The only way to prevent fileless malware attacks, since they don’t contain any locally installed files or programs, is to eliminate attack vectors, the largest of which are email and malicious attachments.

Users should be taught to not open an attachment, no matter what the format, from anyone they don’t recognize. Even if they do recognize the person, it’s appropriate to approach attachments with caution, especially if they seem atypical for the type of message being sent.

Caution and proactive security is the only way, for now, of stopping fileless malware attacks like these from becoming worse.

Also see