Olympic Destroyer is malware that was first seen infecting computer systems at the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware appears to be destructive impact on the affected systems. The malware leverages various native Windows utilities and API calls to carry out its destructive tasks, and it has worm-like features to spread itself across a computer network in order to maximize that impact.
Olympic Destroyer contains a module that tries to obtain credentials from LSASS, similar to Mimikatz. These credentials are used with PsExec and Windows Management Instrumentation to help the malware propagate itself across a network.
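One way to turn the chain described above (LSASS credential access followed by PsExec or WMI propagation) into detection logic, as an added example that is not from the ATT&CK page or from any analysis of the malware itself: the script below correlates, per host, a non-allowlisted process reading LSASS memory (Sysmon EventID 10) with a later PsExec or WMI launch on the same host (Sysmon EventID 1), and separately lists hosts where a PsExec service or a WMI-spawned process landed. The Sysmon field names are real; the records, host names, allowlist and 15-minute window are assumptions made for the example.

```python
"""Correlate LSASS credential access with PsExec/WMI follow-on activity.

Added example, not code from the ATT&CK page or from the malware. It runs
over constructed Sysmon-style records (EventID 10 = process access,
EventID 1 = process create). Field names follow Sysmon; the records,
hosts, timestamps and allowlist are fabricated for illustration.
"""
from datetime import datetime, timedelta

# Sysmon EID 10 GrantedAccess bit that allows reading LSASS memory.
PROCESS_VM_READ = 0x0010

# Assumed allowlist of images that legitimately open LSASS; tune per estate.
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}
PSEXEC_CLIENTS = {"psexec.exe", "psexec64.exe"}

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # WS01: unknown binary reads LSASS, then launches PsExec against WS02.
    {"ts": "2018-02-09T20:00:05Z", "Computer": "WS01", "EventID": 10,
     "SourceImage": r"C:\Users\Public\dropper.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"ts": "2018-02-09T20:01:40Z", "Computer": "WS01", "EventID": 1,
     "Image": r"C:\Users\Public\psexec.exe",
     "ParentImage": r"C:\Users\Public\dropper.exe",
     "CommandLine": r"psexec.exe \\WS02 -d -c payload.exe"},
    # WS02: PsExec service binary arrives (propagation target).
    {"ts": "2018-02-09T20:01:41Z", "Computer": "WS02", "EventID": 1,
     "Image": r"C:\Windows\PSEXESVC.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "PSEXESVC.exe"},
    # WS03: process spawned by the WMI provider host (propagation target).
    {"ts": "2018-02-09T20:02:00Z", "Computer": "WS03", "EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /c payload.exe"},
    # WS04: benign, allowlisted endpoint protection reads LSASS.
    {"ts": "2018-02-09T20:03:00Z", "Computer": "WS04", "EventID": 10,
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # WS05: suspicious LSASS read, but the WMI follow-on is 55 minutes later.
    {"ts": "2018-02-09T20:05:00Z", "Computer": "WS05", "EventID": 10,
     "SourceImage": r"C:\Temp\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"ts": "2018-02-09T21:00:00Z", "Computer": "WS05", "EventID": 1,
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Temp\tool.exe",
     "CommandLine": "wmic /node:WS06 process call create payload.exe"},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ts(ev):
    return datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")


def is_lsass_read(ev):
    """EID 10 where a non-allowlisted process opens lsass.exe with VM_READ."""
    return (ev["EventID"] == 10
            and _basename(ev["TargetImage"]) == "lsass.exe"
            and (int(ev["GrantedAccess"], 16) & PROCESS_VM_READ) != 0
            and _basename(ev["SourceImage"]) not in LSASS_ALLOWLIST)


def lateral_movement_technique(ev):
    """Label an EID 1 event as PsExec/WMI source- or target-side activity."""
    if ev["EventID"] != 1:
        return None
    image = _basename(ev["Image"])
    parent = _basename(ev["ParentImage"])
    cmd = ev.get("CommandLine", "").lower()
    if image in PSEXEC_CLIENTS:
        return "psexec-source"          # operator/malware launching PsExec
    if image == "psexesvc.exe":
        return "psexec-target"          # PsExec service dropped on the victim
    if image == "wmic.exe" and "/node:" in cmd:
        return "wmi-source"             # remote WMI process creation
    if parent == "wmiprvse.exe":
        return "wmi-target"             # process spawned via WMI on the victim
    return None


def correlate(events, window_minutes=15):
    """Pair each suspicious LSASS read with the first source-side PsExec/WMI
    use on the same host within the window; one alert per credential read."""
    events = sorted(events, key=_ts)
    alerts = []
    for i, ev in enumerate(events):
        if not is_lsass_read(ev):
            continue
        deadline = _ts(ev) + timedelta(minutes=window_minutes)
        for later in events[i + 1:]:
            if _ts(later) > deadline:
                break
            if later["Computer"] != ev["Computer"]:
                continue
            tech = lateral_movement_technique(later)
            if tech and tech.endswith("source"):
                alerts.append({"host": ev["Computer"],
                               "credential_access": ev["SourceImage"],
                               "follow_on": tech,
                               "command": later.get("CommandLine")})
                break
    return alerts


def propagation_targets(events):
    """Hosts showing an inbound PsExec service or a WMI-spawned process."""
    return sorted({ev["Computer"] for ev in events
                   if (lateral_movement_technique(ev) or "").endswith("target")})


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT", alert)
    print("propagation targets:", propagation_targets(SAMPLE_EVENTS))
```

Two caveats on the heuristics. A worm that carries its own copy of PsExec can write it under any file name, so the image-name check for the source side should be backed by the target-side PSEXESVC indicator and by service-installation events. Likewise, WMI remote execution done through COM APIs rather than wmic.exe leaves no wmic.exe process on the source host, so the child-of-WmiPrvSE.exe check on the target is the more dependable of the two WMI signals.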
|Domain|ID|Name|Use|
|---|---|---|---|
|Enterprise|T1081|Credentials in Files||
|Enterprise|T1070|Indicator Removal on Host||
|Enterprise|T1490|Inhibit System Recovery|Olympic Destroyer uses the native Windows utilities|
|Enterprise|T1135|Network Share Discovery||
|Enterprise|T1105|Remote File Copy||
|Enterprise|T1018|Remote System Discovery||
|Enterprise|T1016|System Network Configuration Discovery||
|Enterprise|T1077|Windows Admin Shares||
|Enterprise|T1047|Windows Management Instrumentation||