New Olympic Destroyer variant being distributed by the Hades APT group

• The Hades APT group is believed to be the developer and distributor of the Olympic Destroyer malware.
• The malware was deployed against the Winter Olympic Games earlier this year.

A new variant of the Olympic Destroyer malware has been observed in the wild. The malware, which was deployed against the Winter Olympic Games in South Korean earlier this year, is a wiper malware.

The new variant comes with several improvements, which hints at the possibility that the Hades APT may have been evolving. Since the attack on the Winter Olympics earlier this year, Hades has deployed the malware against various other targets via phishing emails. According to security researchers at Check Point, the new variant indicates Hades has become aware of various research on the malware and is attempting to make it difficult for various researchers to identify its malicious activities.

“Hades is known to utilize publicly available tools for reconnaissance and post-exploitation. This makes analysis and detection of the first stage of the attack even more important as it becomes one of the only ways to distinguish this group’s operations from others’ and to track their activity worldwide,” Check Point researchers said in a report.

Modus operandi

Check Point researchers discovered that the first sample of the new variant of the Olympic Destroyer was uploaded to Virus Total in October from Ukraine. The malware uses code that is similar to the ones used by previous Hades’ droppers. The malware also contains anti-analysis and delayed execution features.

“These new features proved to be effective, as popular online sandboxes failed to see any launched processes or network activity, and with some, the dropper appeared to be totally benign,” Check Point researchers said.

In the recent campaign, victims are offered a black page. However, once the macros are enabled, the white text changes to black and the content is revealed. The malware is also designed such that the macro itself performs sandbox evasion.

“Hades shows no signs of slowing down their operation, as their capabilities are growing alongside their victims' list,” Check Point researchers added. “Every time Hades introduced a new dropper iteration, only a small amount of AV vendors could successfully detect them as malicious. This fact makes it more than likely that most of Hades’ operations remain under the radar.”