Glider from the game of Life, rising from the left




Topic: #OlympicDestroyer

Analyzing False-Flag-Bearing Malware


One of the main difficulties in determining the origins and intentions of network-based attacks on the security of systems is that many attackers deliberately try to mislead analysts and often succeed. Here's a detailed description of a case in which the attackers attempted to fly a false flag but (probably) did not deceive the analysts.

“The Devil's in the Rich Header”
“GReAT”, SecureList, March 8, 2018

The case is the attack against some of the servers used to organize and run the 2018 Winter Olympics in Pyeongcheng. Some of the malware files installed by the attackers had been compiled with Microsoft Visual Studio and so contained metadata headers for the Microsoft linker to process. But at least one of the metadata headers had been replaced at some point after the linked binary executable had been produced. The replacement header came from a much earlier version of Microsoft Visual Studio that couldn't possibly have been used to produce the executable (which referred to dynamically linked libraries that didn't exist at the time of the earlier version). It was, however, an exact duplicate of a header on a file from a previously known malware package, one that the analysts had already attributed to an attack team they called “Lazarus.” The file that originally bore that header performed a similar function, but in a more limited way that used fewer system calls.

The existence of the fake Rich header from Lazarus samples in the new OlympicDestroyer samples indicates an intricate false flag operation designed to attribute this attack to the Lazarus group. The attacker's knowledge of the Rich header is complemented by their gamble that a security researcher would discover it and use it for attribution. … This newly published research consolidates the theory that blaming the Lazarus group for the attack was parts of the attacker's strategy.

#false-flag-operations #attribution #OlympicDestroyer

Hashtag index

This work is licensed under a Creative Commons Attribution-ShareAlike License.

Atom feed

John David Stone (

created June 1, 2014 · last revised December 10, 2018