SonicWall Security Center

Olympic Destroyer malware targeted Pyeongchang Games (Feb 23, 2018)


The SonicWall Capture Labs Threat Research Team observed a new malware family called OlympicDestroyer [OlympicDestroyer.A].

The Winter Olympics this year are being held in Pyeongchang, South Korea. The OlympicDestroyer malware was designed to knock computers offline by deleting critical system files, rendering the machines useless. This malware was used in an attack on the opening ceremony of the Pyeongchang Winter Games.

Infection Cycle:

The malware adds the following files to the system:

  • Malware.exe

    • %Userprofile%\windows\AppData\Local\Temp\_ail.exe

    • %Userprofile%\windows\AppData\Local\Temp\_cqk.exe

    • %Userprofile%\windows\AppData\Local\Temp\_lew.exe

    • %Userprofile%\windows\AppData\Local\Temp\mbxve.exe

    • %Userprofile%\Public\19D132B60A21D68CFAC81B1BD252C965

Once the computer is compromised, the malware runs the following commands:

The malware overwrites the computer's partition table so that victims cannot recover their system drive, thereby making the infected machine unusable:

The malware deletes all shadow copies on the system using the vssadmin tool:

The malware deletes all Web admin backup files on the target system:

The malware wipes all available entries in the System and Security Windows event logs to make recovery extremely difficult:

The malware drops two VBS files on the target system and executes them via VBScript:

The credentials embedded in the malware sample indicate that the Olympics IT provider was likely compromised by the same attackers who ultimately hit the Winter Olympics. It remains unclear how the attackers were able to steal so much information from Olympics employees. Here are some examples of the embedded credentials:

After running the above commands, the malware deletes itself using shellcode injected into a legitimate copy of notepad.exe: it writes the shellcode into memory allocated in the target process through WriteProcessMemory and creates a remote thread to execute it via CreateRemoteThread. The injected notepad.exe waits until the sample terminates, and then deletes it.
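The destructive steps above (shadow-copy deletion via vssadmin, event-log wiping, and a remote thread created in notepad.exe) leave a recognisable trail in endpoint telemetry. The following triage script is an added example, not SonicWall's code: it runs simple rules over constructed Sysmon-style records. The wevtutil form of log clearing is an assumption; the page only states that the System and Security logs are wiped.

```python
"""Flag endpoint telemetry matching the destructive behaviours described above.
Assumes Sysmon-style records (process creation and CreateRemoteThread events);
the wevtutil command form is an assumption, and all sample records are constructed."""
import re

# Command-line rules. vssadmin is named in the write-up; wevtutil is assumed.
CMD_RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "event_log_wipe": re.compile(r"\bwevtutil(?:\.exe)?\b.*\bcl\s+(?:system|security)\b", re.I),
}

def match_record(rec):
    """Return the rule names that a single telemetry record triggers."""
    hits = []
    if rec["event"] == "process_create":
        for name, pat in CMD_RULES.items():
            if pat.search(rec.get("command_line", "")):
                hits.append(name)
    elif rec["event"] == "create_remote_thread":
        # The write-up describes a remote thread created inside a legitimate
        # notepad.exe; notepad never legitimately receives injected threads.
        if rec.get("target_image", "").lower().endswith("\\notepad.exe"):
            hits.append("remote_thread_into_notepad")
    return hits

def triage(records):
    """Map each triggered rule to the indexes of the records that triggered it."""
    findings = {}
    for i, rec in enumerate(records):
        for name in match_record(rec):
            findings.setdefault(name, []).append(i)
    return findings

# Constructed sample telemetry (not logs from the actual incident).
SAMPLE = [
    {"event": "process_create", "command_line": "cmd /c vssadmin.exe delete shadows /all /quiet"},
    {"event": "process_create", "command_line": "vssadmin list shadows"},   # benign: listing only
    {"event": "process_create", "command_line": "wevtutil.exe cl System"},
    {"event": "process_create", "command_line": "wevtutil.exe cl Security"},
    {"event": "create_remote_thread", "source_image": "C:\\Users\\Public\\Malware.exe",
     "target_image": "C:\\Windows\\System32\\notepad.exe"},
    {"event": "create_remote_thread", "source_image": "C:\\Windows\\System32\\csrss.exe",
     "target_image": "C:\\Windows\\explorer.exe"},                          # benign: not notepad
]

if __name__ == "__main__":
    for rule, idx in triage(SAMPLE).items():
        print(f"{rule}: records {idx}")
```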

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: OlympicDestroyer.A (Trojan)
