McAfee has discovered malware that serves as the second-stage payload in a phishing campaign targeting organizations that are involved with the 2018 Winter Olympics.
McAfee is calling the implants Gold Dragon, Brave Prince, Ghost419 and RunningRat. The company says that once the initial backdoor is installed, these new implants establish a permanent presence that siphons information from the victim’s computer.
The Gold Dragon implant allows for the downloading of subsequent malware payloads. Brave Prince and Ghost419 can collect content from the victim’s hard drive as well as detailed information about the computer. RunningRat is a remote access trojan (RAT) that is supposed to be able to collect keystrokes and clipboard information, delete and compress files, clear event logs, shut down the machine “and much more,” according to McAfee. However, the researchers say there may not be a way for RunningRat’s code to be executed.
The implants give attackers manual access to “any information they desire,” Ryan Sherstobitoff, senior analyst with McAfee Advanced Threat Research, told CyberScoop in an email.
“With the discovery of these implants, we now have a better understanding of the scope of this operation. Gold Dragon, Brave Prince, Ghost419, and RunningRat demonstrate a much wider campaign than previously known. The persistent data exfiltration we see from these implants could give the attacker a potential advantage during the Olympics,” Sherstobitoff and co-author Jessica Saavedra-Morales said in their report.
The previously reported backdoor is installed using code that’s embedded in the pixels of a hidden image file. The attack is delivered via a Microsoft Word document that appears to be from the South Korea National Counter-Terrorism Center. McAfee said in its earlier research that the document was emailed to several organizations in South Korea with some association to the Olympics.