The Olympics have been a regular target for hacking, including the famous Olympic Destroyer worm from 2018. Cyber criminals are again using the 2021 Tokyo Summer Olympics as a social engineering lure for a malware attack likely aimed at Japanese users. Fortinet researchers described a sample of destructive wiper malware which has a filename made up of Japanese Kanji characters, translating to “[Urgent] About the damage report about the occurrence of cyber-attacks, attacks, etc. accompanying the Tokyo Olympics .exe”. This attack has rudimentary features and is likely not the work of an APT group or a nation state.

What Is It?

Despite the delay, the Tokyo Summer Olympics have captured the attention of a large portion of the world, and inevitably this includes cyber criminals. Any high-profile event or issue is guaranteed to be utilized in some form of social engineering as part of an attack. Fortinet researchers recently described a sample of destructive wiper malware which uses the Olympics as a lure and may be targeted at Japanese users.

The Olympic games are no stranger to cyber-attacks: the 2018 Winter Olympic games, hosted in South Korea, were subjected to a cyber-attack during the opening ceremony. This attack, known as Olympic Destroyer, was a destructive wiper malware attack which temporarily took down various parts of the Olympic games IT infrastructure. The malware described by Fortinet is also destructive wiper malware; however, when analyzed by the BluVector Threat Team, it was found to be noticeably less sophisticated than that used against the 2018 Winter Olympic games.

The sample itself attempts to social engineer recipients with a filename made up of Japanese Kanji characters, which translate to “[Urgent] About the damage report about the occurrence of cyber-attacks etc. accompanying the Tokyo Olympics .exe”. The sample’s icon is also that of a PDF file, enticing casual users – those who haven’t noticed the file’s extension is actually .exe and not .pdf – to click on the file and execute it.

The sample itself is not overly sophisticated, suggesting the attack has not been initiated by an APT group or nation state. Firstly, the sample is UPX packed. UPX is an old school packer, initially released in 1998 and though sometimes used for legitimate software, its use is often an indication of a potentially malicious sample. The sample uses a fairly basic method – described in more technical detail below – to obfuscate a number of strings. Of these strings, 42 are the names of processes for various malware analysis and reverse engineering tools. The sample will exit if it detects any of these processes executing, in a somewhat crude – by current standards – anti-analysis attempt.

Figure 1: List of Process Names

The main purpose of the sample is to delete files matching 20 different file extensions, located in the user’s directory and any child directories below it. These include file extensions used by Ichitaro Word Processor, created by Japanese software company, Justsystems. This fact, added to the Japanese filename of the sample, indicates it is targeted at Japanese users. The files the sample will attempt to delete have the extensions: doc, docm, docx, dot, dotm, dotx, pdf, csv, xls, xlsx, xlsm, ppt, pptx, pptm, jtdc, jttc, jtd, jtt, txt, exe, log.

The sample is somewhat rudimentary: it utilizes a very common packer and some basic anti-analysis techniques, and restricts its file deletion targets to only the user’s directory, limiting its overall damage potential. However, given the second sample described by Fortinet was uploaded to VirusTotal only three days earlier, and did not include a wiper component, it appears this malware is under active development. No matter how basic the sample, it could still cause temporary disruption to a user’s day, a reminder to always be vigilant, no matter the degree of the threat.

The sample’s author uses a basic method to obfuscate strings, in which every bit in each byte of the string is inverted. Though simple, this makes the strings undetectable to casual analysis. In assembly language, this is achieved using the NOT instruction. The loop from the sample is shown in Figure 2, and Figure 3 shows the strings as they are stored in the binary of the sample.

Figure 2: String deobfuscation loop

Figure 3: Obfuscated strings stored in the sample

These obfuscated strings can be deobfuscated en masse by extracting the obfuscated strings from the sample and then using a simple Python script to perform the equivalent of the NOT command, as seen below.

Figure 4: Python routine to deobfuscate strings
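
The bulk deobfuscation described above, as an added example for analysts (this is not the script from the original figure): it scans a binary blob for runs of bytes whose bitwise NOT is printable ASCII and decodes them. It assumes the stored strings are NUL-terminated before obfuscation, so each run ends with 0xFF; the function names and the sample blob are constructed for illustration.

```python
import re


def not_bytes(data: bytes) -> bytes:
    """Apply bitwise NOT to every byte. The transform is its own inverse."""
    return bytes(b ^ 0xFF for b in data)


def find_not_strings(blob: bytes, min_len: int = 4):
    """Return [(offset, decoded_text), ...] for NOT-obfuscated strings in blob.

    Printable ASCII (0x20-0x7E) maps to 0x81-0xDF under NOT, and a NUL
    terminator maps to 0xFF (assumption: strings are NUL-terminated).
    Requiring the 0xFF terminator cuts down on false positives.
    """
    pattern = re.compile(rb"[\x81-\xdf]{%d,}(?=\xff)" % min_len)
    return [
        (m.start(), not_bytes(m.group()).decode("ascii"))
        for m in pattern.finditer(blob)
    ]


# Constructed sample: two placeholder strings stored NOT-obfuscated between
# unrelated bytes, followed by a plain string that must not be reported.
SAMPLE_BLOB = (
    b"\x00\x01MZ"
    + not_bytes(b"example_tool.exe\x00")
    + b"\x10\x20"
    + not_bytes(b"sample_debugger.exe\x00")
    + b"plain text\x00"
)

if __name__ == "__main__":
    for offset, text in find_not_strings(SAMPLE_BLOB):
        print(f"0x{offset:04x}  {text}")
```

Run against the unpacked sample rather than the UPX-packed file, since the packed image does not contain the strings in this form.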

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The exact specifics of the attack vector are not publicly known; however, the samples were discovered after they were uploaded to VirusTotal.

When/How Did BluVector Detect It?

Two samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected both. Regression testing has shown both samples would have been detected 92 months prior to their release.