Wiper malware

28th July 2021, Kathmandu

Wiper: A Japanese security firm has discovered an Olympics-themed malware sample that contains functionality to wipe files on infected systems and appears to be aimed at Japanese PCs.

The wiper malware was discovered two days before the opening ceremony of the 2021 Tokyo Olympics, which is scheduled to take place this Friday.

It was found and analyzed by Mitsui Bussan Secure Directions (MBSD), a Japanese security firm. According to MBSD’s research, the malware does not wipe all of a computer’s data; instead, it looks only for certain file types located in the user’s personal Windows folder, located at “C:/Users/<username>/.”

Microsoft Office files, along with TXT, LOG and CSV files, which can hold logs, databases or password information, are targeted for deletion.

In addition, files created with the Ichitaro Japanese word processor (the JTD, JTT, JTDC and JTTC extensions in the list below) are also targeted by the wiper, which has led the MBSD team to believe that the wiper was specifically designed to hit computers in Japan, where the Ichitaro app is widely used.

Targeted extensions:

EXE, LOG, TXT, JTD, DOTM, DOTX, PDF, CSV, XLS, XLSX, XLSM, PPT, PPTX, PPTM, JTDC, JTTC, JTT

Other features found in the wiper include a raft of anti-analysis and anti-VM detection techniques, intended to prevent the malware from being easily analyzed and tested in a sandbox, and the ability to delete itself once the wiping operation has finished.

Adult traffic use as a disguise

The most interesting functionality is that the wiper also uses the cURL tool to access pages on the XVideos adult video portal while the wiping is taking place.

According to the MBSD team, this behavior was added to mislead forensic investigators into believing that the user was infected, and the files wiped, while browsing porn sites.
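From a defender’s side, the two behaviors described above (many deletions of document-type files under the Users folder by one process, together with outbound web traffic from that same process) are exactly the kind of signal an endpoint log can surface. The following is an added illustration, not code from the article or from MBSD: a small Python detector that runs over constructed Sysmon-style FileDelete and NetworkConnect events, uses the extension list the article quotes from the MBSD analysis, and flags any process that deletes a threshold number of targeted user files within a short window, reporting that process’s network destinations alongside. The event format, process IDs, paths and the decoy domain in the sample data are all constructed for the example.

```python
"""Flag processes that mass-delete user documents (wiper behaviour) in Sysmon-style logs.

Added example; the event schema and sample data are constructed, not taken from
the MBSD report or the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the article lists as targeted by the wiper (from the MBSD analysis).
TARGETED_EXTS = {
    "exe", "log", "txt", "jtd", "dotm", "dotx", "pdf", "csv", "xls", "xlsx",
    "xlsm", "ppt", "pptx", "pptm", "jtdc", "jttc", "jtt",
}


def is_targeted_user_file(path: str) -> bool:
    """True if `path` lies under C:\\Users\\ and carries one of the targeted extensions."""
    p = path.replace("/", "\\").lower()
    if not p.startswith("c:\\users\\"):
        return False
    _, _, ext = p.rpartition(".")
    return ext in TARGETED_EXTS


def find_wiper_candidates(events, min_deletes=5, window=timedelta(seconds=60)):
    """Return {pid: summary} for every process that deleted at least `min_deletes`
    targeted user files within `window`, together with any network destinations
    that process contacted (the decoy traffic the article describes)."""
    deletes = defaultdict(list)  # pid -> [(timestamp, deleted path)]
    net = defaultdict(list)      # pid -> [destination]
    images = {}                  # pid -> executable path
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        images[ev["pid"]] = ev["image"]
        if ev["event"] == "FileDelete" and is_targeted_user_file(ev["target"]):
            deletes[ev["pid"]].append((ts, ev["target"]))
        elif ev["event"] == "NetworkConnect":
            net[ev["pid"]].append(ev["target"])

    hits = {}
    for pid, items in deletes.items():
        items.sort()
        # Sliding window: any run of `min_deletes` deletions that fits inside `window`.
        for i in range(len(items) - min_deletes + 1):
            if items[i + min_deletes - 1][0] - items[i][0] <= window:
                hits[pid] = {"image": images[pid], "deleted": len(items),
                             "network": net.get(pid, [])}
                break
    return hits


# Constructed sample telemetry: one wiper-like process and three benign ones.
WIPER_IMAGE = r"C:\Users\alice\Downloads\damage_report.exe"  # constructed path
SAMPLE_EVENTS = [
    {"ts": "2021-07-20T10:00:00", "event": "NetworkConnect", "pid": 4242,
     "image": WIPER_IMAGE, "target": "decoy-video-site.example:443"},
    *[{"ts": f"2021-07-20T10:00:{i:02d}", "event": "FileDelete", "pid": 4242,
       "image": WIPER_IMAGE, "target": rf"C:\Users\alice\Documents\doc{i}.{ext}"}
      for i, ext in enumerate(["xlsx", "jtd", "txt", "pptx", "csv", "pdf"], start=1)],
    # Benign: the shell deleting a single document.
    {"ts": "2021-07-20T10:01:00", "event": "FileDelete", "pid": 1000,
     "image": r"C:\Windows\explorer.exe", "target": r"C:\Users\alice\Desktop\old.txt"},
    # Benign: bulk cleanup of log files outside the Users tree.
    *[{"ts": f"2021-07-20T10:02:{i:02d}", "event": "FileDelete", "pid": 2000,
       "image": r"C:\Windows\System32\cleanmgr.exe", "target": rf"C:\Windows\Temp\cache{i}.log"}
      for i in range(6)],
    # Benign: a temp file under Users with a non-targeted extension.
    {"ts": "2021-07-20T10:03:00", "event": "FileDelete", "pid": 3000,
     "image": r"C:\Program Files\App\app.exe", "target": r"C:\Users\alice\AppData\Local\Temp\x.tmp"},
]

if __name__ == "__main__":
    for pid, summary in find_wiper_candidates(SAMPLE_EVENTS).items():
        print(pid, summary)
```

The threshold and window are deliberately conservative defaults; in practice they should be tuned against the normal rate of document deletions on a given fleet, and the hit should be enriched with the process’s parent and signing status, since a wiper launched from a user’s Downloads folder with no administrative rights, as the article describes, will show up precisely in this kind of per-process correlation.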

The MBSD team also noted that the wiper was found in a Windows EXE file customized to look like a PDF file, named: [Urgent] Damage report regarding the occurrence of cyber-attacks, etc. associated with the Tokyo Olympics.exe

“Because the wiper malware is camouflaged using a PDF icon and only hits data under the Users folder, it is accepted that the malware is considered to infect users who don’t have admin-level rights,” MBSD researchers Takashi Yoshikawa and Kei Sugawara noted on Tuesday.

For the time being, only one copy of this malware sample has been detected; it was uploaded to VirusTotal on Tuesday, July 20.

Possible cyberattacks aimed at the Olympics, warns the FBI

The wiper’s discovery came a day after the US Federal Bureau of Investigation released a private industry alert [PDF] to US organizations about the probability that attackers might target the Tokyo Olympics this year.

Notably, cyberattacks by Russia’s military hacking groups took place during each of the last two Olympic Games.

In August 2016, in the context of a state-sponsored doping scandal, the APT group known as Fancy Bear breached the World Anti-Doping Agency (WADA); the stolen data was then leaked on the internet after Russian athletes were restricted from competing under the Russian flag at the Rio 2016 Summer Olympics.

When the ban was extended to the PyeongChang 2018 Winter Olympics, Russian hackers deployed the Olympic Destroyer wiper during the games’ opening ceremony with the aim of wiping out the organizers’ internal network.

The restrictions on Russian athletes competing under the Russian flag remain in place for the Tokyo Olympics.
