Stopping Olympic Destroyer: New Process Injection Insights
The International Olympic Committee confirmed that the 2018 opening ceremonies experienced a range of digital attacks, resulting in internet disruption and containing the capability to cause destruction. Talos quickly posted an excellent blogpost Monday that described a malware family they dubbed “Olympic Destroyer” as the culprit behind the attacks, and provided the first information about samples likely used in the attack.
Endgame rapidly analyzed the malware and ran it in the presence of the Endgame platform to confirm the effectiveness of our protections. Our customers are strongly protected in multiple ways against Olympic Destroyer, which is detailed at the end of the post. As we dug deeply into the sample, our research strongly corroborated the technical assessment presented by Talos. However, we noted one additional behavior within the shellcode injection that warrants further examination for a holistic understanding of the attack. Expanding upon the excellent work of Talos, this post describes how and why this sample leverages “notepad.exe” for shellcode injection.
Brief Overview of Olympic Destroyer
The sample in question (hash: edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9) is a 32-bit binary with limited functionality and capabilities primarily associated with file operations. The detailed analysis can be found in Talos’ excellent analysis, but it is worth noting that this sample generates a substantial amount of noise and activity during execution. It leverages a multitude of tactics described in MITRE’s ATT&CK Matrix such as the file deletion technique T1107. Some of these methods have an obvious anti-forensic outcome, such as clearing event logs, while others are clearly meant to impact the operations of the victim. These actions include deleting volume shadow copies necessary for restoring a damaged hard disk volume, purging the boot configuration to prevent successful system recovery, and deleting any writable files on shares. It seems that the author(s) (Russia and North Korea are the current main suspects) of this malware family weren’t very concerned about detection. These noisy techniques have worked successfully within the domain of ransomware and unsurprisingly are very effective when ransom isn’t your objective.
Olympic Destroyer Injection into notepad.exe
During dynamic analysis, Endgame researchers observed that the initial payload was launching the native “\\system32\\notepad.exe” text editor and then allocating two memory sections. This may be because this is a non-privileged application and one with conveniently malleable memory properties. One of the memory sections contained offsets to Windows native libraries employed during execution while the other contained a copy of itself used during propagation. Figure 1 contains an image of the shellcode injected into notepad.exe.
Figure 1: 236 bytes of Shellcode injected into notepad.exe
The offsets used to interact with Windows APIs are initialized with “0xDEADBEEF”, an eight-byte string that has a long history in hexspeak and is occasionally used by researchers because it appears so obviously in crash dump output. The shellcode uses “0xDEADBEEF” as the start of the array for the windows API offsets. These offsets include Sleep, DeleteFile, ExitProcess, GetFileAttributes, CreateFile, GetFileSize, WriteFile. The shellcode reads from this memory section, which also contains the sleep interval and filename used when it successfully writes a copy of itself out. The screenshot in Figure 2 depicts the function responsible for storing the filename.
Figure 2: Windows API references
Figure 3: The control flow graph capture of the shellcode
Code injection is a method wherein malware can write to the memory of another running process, copying new code into into the other processes’ memory and executing it as that process with that process’ privileges. This allows the malware to execute stealthily in the address space of that process, often evading security products. In the case of the main executable, it gains the ability to do this by using privileges that it already found and new ones attained through lateral movement to write to notepad.exe on infected hosts. Figure 4 illustrates the control flow graph containing code injection with WriteProcessMemory.
Figure 4: Control flow graph of code injection with WriteProcessMemory
How Endgame Stops Olympic Destroyer
Endgame blocked this malware and detected its execution (if allowed to run) in a number of ways. Endgame MalwareScore® flagged the initial binary as malicious as well as a number of the executables it writes and runs with no prior knowledge of the attack. Readers with access to VirusTotal Intelligence can verify Endgame MalwareScore®’s detection by looking at the first scan in VirusTotal for the samples (one of ten engines in VirusTotal to do so with the initial binary, for example). As the screenshots below demonstrate, we further block the credential dumping portion of the malware and detect the various malicious log clearing and backup deleting actions taken by the malware as it runs.
Figure 5: Endgame Resolver™ visualization of the attack if it is allowed to run
Figure 6: Malicious file alerts associated with the malware
Figure 7: Other alerts associated with the malware’s execution (list of malware alerts truncated)
Our platform also detected the process injection behavior via our shellcode injection prevention capability. This feature was set into detect-only mode for the test. We observed the payload described above injecting into notepad.exe about 55 minutes after initial execution. Collection of the strings or full content of the injected payload are optional features in the Endgame product. See screenshots below for the process injection alert details and the base64 payload. If converted to hex, it is easy to see that the base64 exactly matches the payload described above.
Figure 8: Injection Alert Details
Figure 9: Endgame visibility into the injected thread from the process injection alert
Figure 10: Base64 of the injected code provided by the Endgame alert (truncated for space)
There was plenty of speculation regarding the risk of cyber attacks leading up to the Winter Olympics. The Olympic Destroyer attack on the opening ceremonies confirmed the heightened risk of cyber attacks, especially in light of the geopolitical landscape. As is increasingly commonplace, this attack integrates a variety of tactics such as lateral movement, process injection, and credential theft. Specifically, we find an interesting implementation of notepad.exe for process injection, enabling the detectors to evade detection. Endgame’s layered protections provide defense in depth, catching Olympic Destroyer at various stages of execution. We will continue to monitor this attack and ensure our protections remain successful against even the most sophisticated attacks.