Recently, a Japanese security firm said it discovered an Olympic-themed malware sample that included the ability to wipe all files on an infected system and appeared to target Japanese PCs.
The eraser was discovered last Wednesday (July 21), two days before the opening ceremony of the 2021 Tokyo Olympics.
According to the analysis by the Japanese security company Mitsui Bussan Secure Directions (hereinafter MBSD), the wiper does not delete all data on the computer; it searches only the user’s personal folder (“C:/Users//”) for certain file types.
The deletion targets include Microsoft Office files, as well as file types commonly used to store logs, database exports and password information, such as TXT, LOG and CSV.
Additionally, the eraser targets files created with the Ichitaro Japanese word processor (the JTD, JTT, JTDC and JTTC extensions in the list below). This led the MBSD team to believe that the wiper was created specifically for computers in Japan, which commonly have the Ichitaro app installed.
Affected extensions:
DOTM, DOTX, PDF, CSV, XLS, XLSX, XLSM, PPT, PPTX, PPTM, JTDC, JTTC, JTD, JTT, TXT, EXE, LOG
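The behaviour described above (one process deleting many files of the listed types under the user profile within seconds) is a pattern a defender can look for in file-deletion telemetry. The following is an added example, not code from the MBSD report or from the article: it parses a hypothetical, constructed file-deletion log format (the `FileDelete user=... image=... target=...` layout is an assumption for this example, not a real product's format) and raises an alert when one process deletes at least `threshold` targeted files under `C:\Users\` within a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Optional

# File types the MBSD report lists as deletion targets.
TARGET_EXTENSIONS = {
    "dotm", "dotx", "pdf", "csv", "xls", "xlsx", "xlsm", "ppt", "pptx", "pptm",
    "jtdc", "jttc", "jtd", "jtt", "txt", "exe", "log",
}

# Hypothetical log layout (an assumption for this example, not a real product's format):
#   <date> <time> <host> FileDelete user=<user> image="<deleting process>" target="<deleted file>"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) FileDelete '
    r'user=(?P<user>\S+) image="(?P<image>[^"]+)" target="(?P<target>[^"]+)"$'
)

# Constructed sample log: one process deletes six targeted files in a user profile within
# seconds, surrounded by benign noise (a single Explorer deletion, a .tmp file, and a
# deletion outside C:\Users that should all be ignored).
SAMPLE_LOG = r"""
2021-07-21 09:50:00 WS01 FileDelete user=alice image="C:\Windows\explorer.exe" target="C:\Users\alice\Desktop\old.txt"
2021-07-21 10:00:01 WS01 FileDelete user=alice image="C:\Users\alice\Downloads\report.pdf.exe" target="C:\Users\alice\Documents\budget.xlsx"
2021-07-21 10:00:02 WS01 FileDelete user=alice image="C:\Users\alice\Downloads\report.pdf.exe" target="C:\Users\alice\AppData\Local\Temp\cache.tmp"
2021-07-21 10:00:02 WS01 FileDelete user=alice image="C:\Users\alice\Downloads\report.pdf.exe" target="C:\Users\alice\Documents\notes.txt"
2021-07-21 10:00:03 WS01 FileDelete user=SYSTEM image="C:\Windows\System32\svchost.exe" target="C:\Windows\Temp\update.log"
2021-07-21 10:00:03 WS01 FileDelete user=alice image="C:\Users\alice\Downloads\report.pdf.exe" target="C:\Users\alice\Documents\passwords.csv"
2021-07-21 10:00:04 WS01 FileDelete user=alice image="C:\Users\alice\Downloads\report.pdf.exe" target="C:\Users\alice\Documents\memo.jtd"
2021-07-21 10:00:05 WS01 FileDelete user=alice image="C:\Users\alice\Downloads\report.pdf.exe" target="C:\Users\alice\Desktop\plan.pptx"
2021-07-21 10:00:06 WS01 FileDelete user=alice image="C:\Users\alice\Downloads\report.pdf.exe" target="C:\Users\alice\Documents\app.log"
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def extension_of(path: str) -> str:
    """Lower-cased final extension without the dot ('report.pdf.exe' -> 'exe')."""
    return PureWindowsPath(path).suffix.lstrip(".").lower()


def is_user_profile_path(path: str) -> bool:
    """True for paths of the form <drive>\\Users\\<name>\\... (the wiper's search scope)."""
    parts = PureWindowsPath(path).parts
    return len(parts) >= 4 and parts[1].lower() == "users"


def detect_wiper_bursts(lines, window=timedelta(seconds=30), threshold=5):
    """Return one alert per (host, user, process) that deleted >= threshold targeted files
    under a user profile within any `window`-long span of time."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_user_profile_path(ev["target"]):
            continue
        if extension_of(ev["target"]) not in TARGET_EXTENSIONS:
            continue
        groups[(ev["host"], ev["user"], ev["image"])].append(ev)

    alerts = []
    for (host, user, image), events in groups.items():
        events.sort(key=lambda e: e["ts"])
        best, best_slice = 0, (0, 0)
        j = 0
        for i in range(len(events)):  # sliding window: j only moves forward
            while j < len(events) and events[j]["ts"] - events[i]["ts"] <= window:
                j += 1
            if j - i > best:
                best, best_slice = j - i, (i, j)
        if best >= threshold:
            hit = events[best_slice[0]:best_slice[1]]
            alerts.append({
                "host": host, "user": user, "image": image, "count": best,
                "extensions": sorted({extension_of(e["target"]) for e in hit}),
                "first_seen": hit[0]["ts"], "last_seen": hit[-1]["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_wiper_bursts(SAMPLE_LOG.strip().splitlines()):
        print(alert)
```

The grouping key is (host, user, deleting process) rather than just the user, so a burst from a single unexpected binary in a Downloads folder stands out while routine deletions by Explorer or system services stay below the threshold; tune `window` and `threshold` to the baseline of your own telemetry.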
File Erase Operation
Other features of the wiper include extensive anti-analysis and anti-VM detection techniques that make the malware harder to discover and analyze, as well as self-deletion of the malware once the wipe is complete.
Disguised as adult video traffic
Its most interesting feature, however, is that the wiper also uses the cURL utility to access pages on the XVideos adult video site while the wipe is taking place.
Malware that visits porn site URLs
The MBSD team believes that the feature was added to fool forensic investigators into thinking the wipe was caused by malware infection while users were visiting porn sites.
The MBSD team also noted that the wiper is a Windows EXE file whose filename was deliberately disguised to look like a PDF: [Urgent] Damage report regarding the occurrence of cyber attacks, etc. associated with the Tokyo Olympics.exe
MBSD researchers Takashi Yoshikawa and Kei Sugawara wrote in the report,
“Because the malware uses a PDF icon for disguise and only targets data under the Users folder, it can be concluded that the malware is designed to infect users who do not have administrator rights.”
At present, researchers have discovered two samples of this malware, both of which have been uploaded to VirusTotal.
FBI warns of possible cyberattack against Olympics
Security personnel discovered the wiper just a day after the FBI alerted private industry that “threats identified may be targeting this year’s Tokyo Olympics.”
In fact, attacks on the Olympics are nothing new. There have been hacking incidents during the past two Olympics.
APT28 (aka Fancy Bear) hacked the World Anti-Doping Agency (WADA) in August 2016 and leaked confidential medical data of US and European athletes.
After the ban on Russian athletes was extended to the 2018 PyeongChang Winter Olympics, Russian hackers deployed the “Olympic Destroyer” wiper during the opening ceremony in an attempt to cripple the Olympic organizers’ internal networks.
The ban on Russian athletes remained in effect for the Tokyo Olympics, so it is not known whether this incident is also “retaliation” by Russian hackers.