Olympic Destroyer

Olympic Destroyer is malware that was first seen infecting computer systems at the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware appears to be to cause destructive impact to the affected systems. The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. The malware has worm-like features to spread itself across a computer network in order to maximize its destructive impact.[1]

ID: S0365
Platforms: Windows

Version: 1.0

Techniques Used

EnterpriseT1003Credential DumpingOlympic Destroyer contains a module that tries to obtain credentials from LSASS, similar to Mimikatz. These credentials are used with PsExec and Windows Management Instrumentation to help the malware propagate itself across a network.[1]
EnterpriseT1081Credentials in FilesOlympic Destroyer contains a module that tries to obtain stored credentials from web browsers.[1]
EnterpriseT1485Data DestructionOlympic Destroyer overwrites files locally and on remote shares. It deletes and disables system recovery files and features such as the Windows backup catalog and Windows Automatic Repair. [1]
EnterpriseT1070Indicator Removal on HostOlympic Destroyer will attempt to clear the System and Security event logs using wevtutil.[1]
EnterpriseT1490Inhibit System RecoveryOlympic Destroyer uses the native Windows utilities vssadmin, wbadmin, and bcdedit to delete and disable operating system recovery features.[1]
EnterpriseT1135Network Share DiscoveryOlympic Destroyer will attempt to enumerate mapped network shares to later attempt to wipe all files on those shares.[1]
EnterpriseT1105Remote File CopyOlympic Destroyer attempts to copy itself to remote machines on the network.[1]
EnterpriseT1018Remote System DiscoveryOlympic Destroyer uses Windows Management Instrumentation to enumerate all systems in the network.[1]
EnterpriseT1035Service ExecutionOlympic Destroyer utilizes PsExec to help propagate itself across a network.[1]
EnterpriseT1489Service StopOlympic Destroyer uses the API call ChangeServiceConfigW to disable all services on the affected system.[1]
EnterpriseT1016System Network Configuration DiscoveryOlympic Destroyer uses API calls to enumerate the infected system's ARP table.[1]
EnterpriseT1077Windows Admin SharesOlympic Destroyer uses PsExec to interact with the ADMIN$ network share to execute commands on remote systems.[1][2]
EnterpriseT1047Windows Management InstrumentationOlympic Destroyer uses WMI to help propagate itself across a network.[1]