{
	"id": "0254c7cd-c6a4-4ad7-a2d8-bf3b6724ad44",
	"created_at": "2026-04-06T00:12:42.532562Z",
	"updated_at": "2026-04-10T03:38:20.025264Z",
	"deleted_at": null,
	"sha1_hash": "fd05f14b76a19c448f87dddd8f025ffe4170dcc8",
	"title": "The devil’s in the Rich header",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 279377,
	"plain_text": "The devil’s in the Rich header\r\nBy GReAT\r\nPublished: 2018-03-08 · Archived: 2026-04-05 17:08:53 UTC\r\nIn our previous blog, we detailed our findings on the attack against the Pyeongchang 2018 Winter Olympics. For\r\nthis investigation, our analysts were provided with administrative access to one of the affected servers, located in a\r\nhotel based in Pyeongchang county, South Korea. In addition, we collected all available evidence from various\r\nprivate and public sources and worked with several companies to investigate the command and control (C\u0026C)\r\ninfrastructure associated with the attackers.\r\nDuring this investigation, one thing stood out – the attackers had pretty good operational security and made almost\r\nno mistakes. Some of our colleagues from other companies pointed out similarities with Chinese APT groups and\r\nLazarus. Yet, something about these potential connections didn’t quite add up. This made us look deeper for more\r\nclues.\r\nThe attackers behind OlympicDestroyer employed several tricks to make it look similar to the malicious samples\r\nattributed to the Lazarus group. The main module of OlympicDestroyer carries five additional binaries in its\r\nresources, named 101 to 105 respectively. It is already known that resources 102 and 103, with the internal names\r\n‘kiwi86.dll’ and ‘kiwi64.dll’, share considerable amounts of code with other known malware families only because\r\nthey are built on top of the Mimikatz open-source tool. Resource 105, however, is much more interesting in terms\r\nof attribution.\r\nResource 105 is the ‘wiper’ component of OlympicDestroyer. 
This binary launches a destructive attack on the\r\nvictim’s network: it removes shadow copy backups, traverses the shared folders on the network and wipes files.\r\nAnyone familiar with the wipers attributed to the Lazarus group will find strong similarities in the file deletion\r\nroutines:\r\nhttps://securelist.com/the-devils-in-the-rich-header/84348/\r\nPage 1 of 7\n\nFile deletion routines.\r\nTo the left 3c0d740347b0362331c882c2dee96dbf (OlympicDestroyer), on the right\r\n1d0e79feb6d7ed23eb1bf7f257ce4fee (BlueNoroff by Lazarus).\r\nBoth functions do essentially the same thing: they delete the file by overwriting it with zeroes, using a 4096-byte\r\nmemory block. The minor difference is that the original Bluenoroff routine doesn’t just return after wiping\r\nthe file, but also renames it to a new random name and then deletes it. Similar code of this kind is no more than a\r\nweak link on its own.\r\nA much more interesting discovery appeared when we started looking at various kinds of metadata of the PE file.\r\nIt turned out that the wiper component of OlympicDestroyer contained the exact ‘Rich’ header that had appeared\r\npreviously in Bluenoroff samples.\r\nThe MZ DOS and Rich headers of both files (3c0d740347b0362331c882c2dee96dbf – OlympicDestroyer,\r\n5d0ffbc8389f27b0649696f0ef5b3cfe – BlueNoroff) are exactly the same.\r\nThis provided us with an interesting clue: if files from both the OlympicDestroyer and Bluenoroff families shared\r\nthe same Rich header, it would mean that they were built in the same environment and, having already found some\r\nsimilarities in the code, this could have meant that there is a real link between them. To test this theory, we needed\r\nto investigate the contents of the Rich header.\r\nThe Rich header is an undocumented structure that appears in most of the PE files generated with the ‘LINK.EXE’\r\ntool by Microsoft. 
Effectively, any binary built using the standard Microsoft Visual Studio toolset contains this\r\nheader. There is no official documentation describing this structure, but enough public information can be found\r\non the internet, and LINK.EXE itself can be reverse engineered. So, what is a Rich header?\r\nA Rich header is a structure written between the MZ DOS header (with its stub) and the PE header that e_lfanew\r\npoints to. It consists of pairs of 4-byte little-endian integers. It starts with the magic value ‘DanS’ and ends with\r\nthe magic value ‘Rich’ followed by a checksum. Everything from ‘DanS’ up to, but not including, ‘Rich’ is\r\nencrypted with a simple XOR operation using the checksum as the key; ‘Rich’ and the key itself are stored in\r\nclear, which is how a parser locates the header. The data between the magic values encodes the ‘bill of\r\nmaterials’ that the linker collected while producing the binary. Decrypted, the layout is:\r\nOffset  First value               Second value          Description\r\n00      44 61 6E 53 (“DanS”)      00 00 00 00           Beginning of the header\r\n08      00 00 00 00               00 00 00 00           Padding (three zero DWORDs follow ‘DanS’)\r\n10      Tool id, build version    Number of items       Bill of materials record #1\r\n…       …                         …                     …\r\n…       52 69 63 68 (“Rich”)      Checksum / XOR key    End of the header\r\nThe first value of each record is a 32-bit tool identifier: its upper 16 bits hold the product id, a Visual\r\nStudio-specific number that names the tool (‘C++ compiler’, ‘C compiler’, ‘resource compiler’, ‘MASM’, etc.),\r\nand its lower 16 bits hold the build number of that tool. The second value is the number of items produced by\r\nthat tool. 
For\r\nexample, if the application consists of three C++ source files, there will be a record whose tool id corresponds to\r\nthe C++ compiler, and its item count will be exactly 3.\r\nThe Rich header in OlympicDestroyer’s wiper component decodes as follows:\r\nRaw data             Type          Count    Produced by\r\n========================================================\r\n000C 1C7B 00000001   oldnames          1    12 build 7291\r\n000A 1F6F 0000000B   cobj             11    VC 6 (build 8047)\r\n000E 1C83 00000005   masm613           5    MASM 6 (build 7299)\r\n0004 1F6F 00000004   stdlibdll         4    VC 6 (build 8047)\r\n005D 0FC3 00000007   sdk/imp           7    VC 2003 (build 4035)\r\n0001 0000 0000004D   imports          77    imports (build 0)\r\n000B 2636 00000003   c++obj            3    VC 6 (build 9782)\r\nThis is a typical header for a binary created with Visual Studio 6. The ‘masm613’ items were most\r\nlikely taken from the standard runtime library, while the items marked ‘VC 2003’ correspond to import libraries\r\nfrom a newer Windows SDK – the code uses some Windows API functions that did not exist when VC 6 was\r\nreleased. So it looks like a C++ application with three source files, linked against a slightly newer SDK for the\r\nWindows APIs. This description perfectly matches the contents of the Bluenoroff sample that has the same Rich\r\nheader (5d0ffbc8389f27b0649696f0ef5b3cfe).\r\nWe get very different results when we check the validity of the Rich header’s entries against the actual contents\r\nof the OlympicDestroyer wiper component. 
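As an added example, not code from the original article, the following Python parser implements the structure described above: it finds the clear-text ‘Rich’ marker before the PE header, takes the XOR key stored after it, decrypts backwards until ‘DanS’ appears, splits every record into product id, build number and item count, and recomputes the checksum with the publicly known LINK.EXE algorithm (the offset of ‘DanS’, plus each DOS header and stub byte rotated left by its position with e_lfanew skipped, plus each tool id rotated left by its count). The bytes it runs on are a constructed fixture built inside the block from the wiper’s decoded records listed above; they are not taken from the binary, and the product-id labels are the ones the article uses. The checksum check is worth having, but note what it can and cannot tell you: a Rich header transplanted on its own fails it, while a header copied together with the whole MZ DOS header, as in the wiper, validates perfectly. That is why the forgery here only shows when the bill of materials is compared with what the binary actually contains.

```python
import struct

DANS = 0x536E6144  # 'DanS' read as a little-endian DWORD
RICH = 0x68636952  # 'Rich' read as a little-endian DWORD
MASK = 0xFFFFFFFF

# Labels for the product ids that appear in the article's two decoded tables.
# The real Visual Studio product-id table is far longer; anything else is 'unknown'.
PRODID_LABELS = {
    0x0001: 'imports', 0x0004: 'stdlibdll', 0x000A: 'cobj', 0x000B: 'c++obj',
    0x000C: 'oldnames', 0x000E: 'masm613', 0x005D: 'sdk/imp', 0x0093: 'sdk/imp',
    0x009D: 'linker', 0x009E: 'masm10', 0x00AA: 'cobj', 0x00AB: 'c++obj',
}


def rol32(value, count):
    # 32-bit rotate left; the count is taken modulo 32, like the x86 ROL instruction.
    count %= 32
    value &= MASK
    return ((value << count) | (value >> (32 - count))) & MASK


def rich_checksum(data, dans_offset, records):
    # Publicly known LINK.EXE algorithm: start with the offset of 'DanS', add every
    # byte of the DOS header and stub before it rotated left by its position
    # (e_lfanew at 0x3C..0x3F is skipped, the linker fills it in later), then add
    # each record's tool id rotated left by its item count.
    csum = dans_offset
    for i in range(dans_offset):
        if 0x3C <= i < 0x40:
            continue
        csum = (csum + rol32(data[i], i)) & MASK
    for tool_id, count in records:
        csum = (csum + rol32(tool_id, count)) & MASK
    return csum


def parse_rich_header(data):
    # 'Rich' and the key after it are stored in clear: search for them in the
    # region between the DOS header and the PE header that e_lfanew points to.
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    rich_pos = data.rfind(struct.pack('<I', RICH), 0, e_lfanew)
    if rich_pos < 0:
        return None
    key = struct.unpack_from('<I', data, rich_pos + 4)[0]
    # Walk backwards, XOR-decrypting one DWORD at a time, until 'DanS' appears.
    dwords = []
    pos = rich_pos - 4
    while pos >= 0:
        value = struct.unpack_from('<I', data, pos)[0] ^ key
        if value == DANS:
            break
        dwords.append(value)
        pos -= 4
    else:
        return None  # ran off the start of the file without finding 'DanS'
    dwords.reverse()
    # 'DanS' is followed by three zero padding DWORDs, then (tool id, count) pairs.
    if len(dwords) < 3 or any(dwords[:3]) or len(dwords[3:]) % 2:
        return None
    body = dwords[3:]
    records = list(zip(body[0::2], body[1::2]))
    return {
        'dans_offset': pos,
        'key': key,
        'records': [
            {'prodid': t >> 16, 'build': t & 0xFFFF, 'count': c,
             'label': PRODID_LABELS.get(t >> 16, 'unknown')}
            for t, c in records
        ],
        # Fails for a header transplanted alone; passes for one copied together
        # with its DOS header, which is what the wiper did.
        'checksum_ok': rich_checksum(data, pos, records) == key,
    }


# Constructed fixture: the decoded records of the wiper's fake Rich header as
# listed in the article, encoded as (prodid << 16 | build, count).
WIPER_RECORDS = [
    (0x000C1C7B, 1), (0x000A1F6F, 11), (0x000E1C83, 5), (0x00041F6F, 4),
    (0x005D0FC3, 7), (0x00010000, 77), (0x000B2636, 3),
]


def build_rich_sample(records, dos_len=0x80):
    # Constructed fixture, not a real binary: a zeroed MZ header and stub, then a
    # Rich header laid out and encrypted the way LINK.EXE does it, then a PE stub.
    dos = bytearray(dos_len)
    dos[0:2] = b'MZ'
    key = rich_checksum(dos, dos_len, records)
    plain = [DANS, 0, 0, 0]
    for tool_id, count in records:
        plain += [tool_id, count]
    rich = b''.join(struct.pack('<I', v ^ key) for v in plain) + struct.pack('<II', RICH, key)
    struct.pack_into('<I', dos, 0x3C, dos_len + len(rich))  # e_lfanew -> PE header
    return bytes(dos) + rich + b'PE' + bytes(2)


def tamper_dos_stub(sample, offset=0x40):
    # Flip one byte of the DOS stub: the Rich header is untouched, but its checksum
    # no longer matches the bytes it was computed over.
    data = bytearray(sample)
    data[offset] ^= 0xFF
    return bytes(data)


def dump(info):
    # Render the parsed header in the same column order as the article's tables.
    rows = ['{:04X} {:04X} {:08X}   {:<10} {:>4}   build {}'.format(
        r['prodid'], r['build'], r['count'], r['label'], r['count'], r['build'])
        for r in info['records']]
    rows.append('checksum ok: {}'.format(info['checksum_ok']))
    return rows


if __name__ == '__main__':
    sample = build_rich_sample(WIPER_RECORDS)
    for line in dump(parse_rich_header(sample)) + dump(parse_rich_header(tamper_dos_stub(sample))):
        print(line)
```

Run against a real PE, parse_rich_header only needs the file bytes; the DOS stub length and record list are read from the file, so the 0x80 offset used by the fixture is not assumed anywhere in the parser.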
Even a quick visual inspection of the file shows something\r\nvery unusual for a file created with Visual Studio 6: references to ‘mscoree.dll’, a library that did not exist at the\r\ntime.\r\nReferences to “mscoree.dll” and error messages typical for the MSVC libraries\r\nAfter some experimentation and careful comparison of binaries generated by different versions of Visual Studio,\r\nwe can name the actual version of Visual Studio that was used: Visual Studio 2010 (MSVC 10). Our best proof is\r\nthe code of the ___tmainCRTStartup function, which is only produced by the MSVC 10 runtime library (DLL\r\nruntime) with default optimizations.\r\nBeginning of the disassembly of the ___tmainCRTStartup function of the OlympicDestroyer’s wiper component,\r\n3c0d740347b0362331c882c2dee96dbf\r\nA binary produced with a standard linker against the MSVC 2010 runtime, whose 2010 start-up code invokes\r\nWinMain, cannot lack Rich records referring to VC/VC++ 2010. 
Equally, it cannot carry Rich records for VC6-compiled\r\nobjects that are simply not present in the binary.\r\nA binary produced with Visual Studio 2010 from the decompiled wiper code, with the same start-up code and\r\nalmost identical to the wiper sample, has a totally different Rich header:\r\nRaw data             Type          Count    Produced by\r\n================================================================\r\n009E 9D1B 00000008   masm10            8    VC 2010 (build 40219)\r\n0093 7809 0000000B   sdk/imp          11    VC 2008 (build 30729)\r\n0001 0000 00000063   imports          99    imports (build 0)\r\n00AA 9D1B 0000003A   cobj             58    VC 2010 (build 40219)\r\n00AB 9D1B 0000000E   c++obj           14    VC 2010 (build 40219)\r\n009D 9D1B 00000001   linker            1    157 build 40219\r\nThe only reasonable conclusion is that the Rich header in the wiper was deliberately copied from\r\nthe Bluenoroff samples; it is a fake and has no connection with the contents of the binary. We cannot fully know\r\nthe motives behind this, but we do know for sure that the creators of OlympicDestroyer intentionally modified\r\ntheir product to resemble the Bluenoroff samples produced by the Lazarus group.\r\nThe forgotten sample\r\nDuring the course of our investigation, we came across a sample that further consolidates the theory that the Rich\r\nheader is a false flag pointing at Lazarus.\r\nThe sample, 64aa21201bfd88d521fe90d44c7b5dba, was uploaded to a multi-scanner service from France on\r\n2018-02-09 13:46:23, as ‘olymp.exe’. 
This is a version of the wiper malware described above, with several important\r\nchanges:\r\nThe 60-minute delay before shutdown was removed.\r\nThe compilation timestamp is 2018-02-09 10:42:19.\r\nThe Rich header appears legitimate.\r\nThe removal of the 60-minute delay indicates the attackers were probably in a rush and didn’t want to wait\r\nbefore shutting down the systems. Also, if genuine, the compilation timestamp 2018-02-09 10:42:19 puts it right\r\nafter the attack on the Pyeongchang hotels, which took place at around 9:00 a.m. GMT. This suggests the attackers\r\ncompiled this ‘special’ sample after the wiping attack against the hotels and, likely as a result of their hurry, forgot\r\nto fake the Rich header.\r\nConclusion\r\nThe presence of the fake Rich header from Lazarus samples in the new OlympicDestroyer samples indicates an\r\nintricate false flag operation designed to attribute this attack to the Lazarus group. The attackers’ knowledge of the\r\nRich header is complemented by their gamble that a security researcher would discover it and use it for\r\nattribution. Although we discovered this overlap on February 13th, it seemed too good to be true. On the contrary,\r\nit felt like a false flag from the beginning, which is why we refrained from making any connections with previous\r\noperations or threat actors. 
This newly published research consolidates the theory that blaming the Lazarus group\r\nfor the attack was part of the attackers’ strategy.\r\nWe would like to ask other researchers around the world to join us in investigating these false flags and\r\nattempt to discover more facts about the origin of OlympicDestroyer.\r\nIf you would like to read more about the Rich header, we can recommend a nice presentation on the subject by\r\nGeorge Webster and Julian Kirsch of the Technical University of Munich:\r\nhttps://infocon.hackingand.coffee/Hacktivity/Hacktivity%202016/Presentations/George_Webster-and-Julian-Kirsch.pdf\r\nIOCs:\r\n3c0d740347b0362331c882c2dee96dbf – wiper with the fake Lazarus Rich header\r\n64aa21201bfd88d521fe90d44c7b5dba – wiper with the original Rich header and no delay before shutdown\r\nSource: https://securelist.com/the-devils-in-the-rich-header/84348/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/the-devils-in-the-rich-header/84348/"
	],
	"report_names": [
		"84348"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434362,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fd05f14b76a19c448f87dddd8f025ffe4170dcc8.pdf",
		"text": "https://archive.orkl.eu/fd05f14b76a19c448f87dddd8f025ffe4170dcc8.txt",
		"img": "https://archive.orkl.eu/fd05f14b76a19c448f87dddd8f025ffe4170dcc8.jpg"
	}
}