sb-as logo
Story image

Turla threat group targets G20 Summit attendees

21 Aug 2017

Participants in this year’s G20 Summit in Germany are being targeted in a new wave of malware droppers, suspected to be from well-known Russian-speaking group called Turla.

The dropper is embedded in a decoy document that invites attendees, including G20 member nations, policymakers and journalists to the upcoming G20 task force meeting on the Digital Economy. The meeting is a genuine event, scheduled for October this year.

A new .NET/MSIL dropper is being used through a backdoor called JS/KopiLuwak. The G20 invite is used as a decoy PDF which then executes a JavaScript dropper. That dropper then installs a JavaScript decryptor, which in turns installs the KopiLuwak backdoor in memory only.

The Turla group has previously used the backdoor and according to Proofpoint researchers, is being used as an early-stage reconnaissance tool.

“ The dropper first appeared in mid-July, suggesting that this APT activity is potentially ongoing, with Turla actively targeting G20 participants and/or those with interest in the G20, including member nations, journalists, and policymakers,” researcher Darien Huss states in a Proofpoint blog.

Huss also says that the PDF decoy invite is not publicly available, suggesting that an organisation or entity that already has access to the invite has been compromised as well – or a recipient may have legitimately given the document to the Turla group.

“Proofpoint researchers ascertain with medium confidence that the document is legitimate and not fabricated. One piece of evidence suggesting that the document could be authentic is that in the document’s exif metadata, the creator tool is listed as ‘BE.D4.113.1’ which matches another PDF document that appears to have been scanned and is hosted on the Bundesministerium für Wirtschaft und Energie website,” Huss explains.

The Turla group has established itself as a well-known cybercrime gang that deals in advanced persistent threats. Proofpoint researchers suspect the group is state-sponsored by Russia. The group has been responsible for a number of attacks, including the US Central Command breach and Swiss technology company RUAG.

Proofpoint researchers that any PCs that use the .NET framework are potentially at risk, although the full risk can’t yet be assessed.

“The delivery of KopiLuwak in this instance is currently unknown as the MSIL dropper has only been observed by Proofpoint researchers on a public malware repository. Assuming this variant of KopiLuwak has been observed in the wild, there are a number of ways it may have been delivered including some of Turla’s previous attack methods such as spear phishing or via a watering hole,” Huss explains in the blog.

The JavaScript dropper could potentially profile the victim’s system, establish persistence and install the KopiLuwak backdoor. The backdoor could then exfiltrate data, download payloads and execute arbitrary demands from the actor.

Proofpoint says it has notified Germany’s Computer Emergency Response Team (CERT-Bund) about the issue.

“The high profile of potentially targeted individuals associated with the G20 and early reconnaissance nature of the tools involved bear further watching,” Huss concludes.

Story image
SMEs treading water against 'endless volley' of cyber-attacks — report
According to a new report from Cynet, these SMEs are resorting to outsourcing some aspects of their threat mitigation in order to safeguard IT assets, as a result of the heightened risk of serious breaches.More
Story image
Check Point exposes Android malware vendor using dark net to rebrand products
Check Point security researchers have exposed an Android malware vendor using a marketer on the dark net to rebrand its products, with the intention of supercharging business and throwing off security vendors. More
Story image
Aruba ClearPass recognised by independent evaluation program
Aruba’s ClearPass Security Portfolio has recevived the coveted Cyber Catalyst designation, according to a statement from the company. More
Story image
Phishing email attacks targeting remote workers on the rise
“Just because employees may be more used to their home office environment doesn’t mean that they can let their guard down."More
Story image
Dark net vendors wanting Bitcoin payments for unverified COVID-19 vaccines
As the medicines are being offered on the dark net, purchasers have no way of knowing whether they are genuine, according to Check Point.More
Story image
App security not keeping up with rapid development — Radware
“With more than 70% of respondents reporting that their production apps have already left the data centre, ensuring the security and integrity of these data and applications is becoming more challenging, particularly in multi-cloud environments.”More