Threat Intelligence ReportEclecticIQ Fusion Center Report: Olympic Destroyer - Various Firms Attempt to Attribute (English)
Talos reported about Malware: Olympic Destroyer samples. Researchers noted that of the analyzedsamples, it appeared to perform only destructive functionality. From previous attacks, inclusion of destructive capabilities may add additional meaning, in terms of targeting, campaign goals, and attribution.
Report from EclecticIQ Fusion Center from Thursday 15 February 2018.
- In addition to dropping a browser stealer, Olympic Destroyer also drops and executes a system stealer
- The system stealer attempts to obtain credentials from LSASS with a technique similar to that used by Mimikatz
- The Olympic Destroyer author(s) used wbadmin.exe to delete shadow volume copies, which is standard for ransomware to make sure users cannot restore encrypted files
- Olympic Destroyer and Malware: NotPetya, unlike Malware: WannaCry , spread via remote WMI and PsExec
- Researchers claim to have identified numerous small code fragments scattered throughout different samples of the malware in these attacks that are linked to Chinese APT groups
- The malware compromised the main IT service provider for the Winter Olympic Games, Atos, which is also suspected to have previously been compromised in December 2017