
Turla threat group targets G20 Summit attendees

21 Aug 2017

Participants in this year’s G20 Summit in Germany are being targeted in a new wave of malware droppers, suspected to be the work of the well-known Russian-speaking group called Turla.

The dropper is embedded in a decoy document that invites attendees, including G20 member nations, policymakers and journalists to the upcoming G20 task force meeting on the Digital Economy. The meeting is a genuine event, scheduled for October this year.

A new .NET/MSIL dropper is being used to deliver a backdoor called JS/KopiLuwak. The G20 invite is used as a decoy PDF, which then executes a JavaScript dropper. That dropper then installs a JavaScript decryptor, which in turn installs the KopiLuwak backdoor in memory only.

The Turla group has previously used the backdoor, which, according to Proofpoint researchers, is being used as an early-stage reconnaissance tool.

“The dropper first appeared in mid-July, suggesting that this APT activity is potentially ongoing, with Turla actively targeting G20 participants and/or those with interest in the G20, including member nations, journalists, and policymakers,” researcher Darien Huss states in a Proofpoint blog.

Huss also says that the PDF decoy invite is not publicly available, suggesting that an organisation or entity that already has access to the invite has been compromised as well – or a recipient may have legitimately given the document to the Turla group.

“Proofpoint researchers ascertain with medium confidence that the document is legitimate and not fabricated. One piece of evidence suggesting that the document could be authentic is that in the document’s exif metadata, the creator tool is listed as ‘BE.D4.113.1’ which matches another PDF document that appears to have been scanned and is hosted on the Bundesministerium für Wirtschaft und Energie website,” Huss explains.
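The metadata comparison Huss describes (checking whether the creator tool recorded in the decoy matches one from a known-legitimate document) is the kind of check an analyst can script when triaging a suspicious PDF. The following is an added example, not code from the original article or from Proofpoint: it pulls the Creator/Producer fields from a PDF’s Info dictionary and the XMP CreatorTool element using plain regular expressions, then compares the creator tool of two files. The sample PDF bytes are constructed for the example (they are not the G20 decoy), and the parser deliberately only handles uncompressed, parenthesised literal strings, so PDFs that store their metadata in compressed object streams or hex strings would need a full PDF library such as pikepdf or exiftool instead.

```python
import re
from typing import Dict, Optional

# Constructed minimal PDF with an Info dictionary. The Creator value reuses the
# string quoted in the article so the comparison logic can be exercised offline.
SAMPLE_PDF_SCANNED = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Creator (BE.D4.113.1) /Producer (Example Scanner Producer) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# Second constructed sample whose creator tool does not match (hypothetical value).
SAMPLE_PDF_OTHER = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Creator (Some Office Suite 1.0) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# Info-dictionary keys stored as literal strings: /Key (value). The lookbehind
# keeps an escaped \) inside the string from terminating the match early.
_INFO_RE = re.compile(rb"/(Creator|Producer|Author|Title)\s*\((.*?)(?<!\\)\)", re.S)
# XMP packet form of the same information, if the file carries one.
_XMP_RE = re.compile(rb"<xmp:CreatorTool>(.*?)</xmp:CreatorTool>", re.S)


def _decode_pdf_string(value: bytes) -> str:
    """PDF text strings are PDFDocEncoding or UTF-16BE with a BOM."""
    if value.startswith(b"\xfe\xff"):
        return value[2:].decode("utf-16-be", errors="replace")
    return value.decode("latin-1")


def extract_pdf_metadata(data: bytes) -> Dict[str, str]:
    """Return the recoverable metadata fields from raw PDF bytes.

    Only the first occurrence of each key is kept, so an incremental update
    that appends a second Info dictionary later in the file is not preferred
    over the original one; an analyst would inspect both by hand.
    """
    meta: Dict[str, str] = {}
    for key, val in _INFO_RE.findall(data):
        meta.setdefault(key.decode("ascii"), _decode_pdf_string(val))
    m = _XMP_RE.search(data)
    if m:
        meta.setdefault("CreatorTool", m.group(1).decode("utf-8", errors="replace").strip())
    return meta


def creator_tool(meta: Dict[str, str]) -> Optional[str]:
    """Prefer the Info dictionary /Creator, fall back to the XMP CreatorTool."""
    return meta.get("Creator") or meta.get("CreatorTool")


def same_creator_tool(pdf_a: bytes, pdf_b: bytes) -> bool:
    """True when both files record the same, non-empty creator tool.

    A match is only weak evidence of shared provenance (the field is trivially
    editable), which is why the article's attribution is medium confidence.
    """
    a = creator_tool(extract_pdf_metadata(pdf_a))
    b = creator_tool(extract_pdf_metadata(pdf_b))
    return a is not None and a == b


if __name__ == "__main__":
    print(extract_pdf_metadata(SAMPLE_PDF_SCANNED))
    print("match:", same_creator_tool(SAMPLE_PDF_SCANNED, SAMPLE_PDF_OTHER))
```

Because the creator field is writable by anyone with a PDF editor, a match only raises confidence that two documents share an origin; it never proves it, and a mismatch in a document that otherwise looks genuine is equally worth noting in a triage report.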

The Turla group has established itself as a well-known cybercrime gang that deals in advanced persistent threats. Proofpoint researchers suspect the group is state-sponsored by Russia. The group has been responsible for a number of attacks, including the breaches of US Central Command and of Swiss technology company RUAG.

Proofpoint researchers say that any PCs that use the .NET framework are potentially at risk, although the full risk can’t yet be assessed.

“The delivery of KopiLuwak in this instance is currently unknown as the MSIL dropper has only been observed by Proofpoint researchers on a public malware repository. Assuming this variant of KopiLuwak has been observed in the wild, there are a number of ways it may have been delivered including some of Turla’s previous attack methods such as spear phishing or via a watering hole,” Huss explains in the blog.

The JavaScript dropper could potentially profile the victim’s system, establish persistence and install the KopiLuwak backdoor. The backdoor could then exfiltrate data, download payloads and execute arbitrary commands from the actor.

Proofpoint says it has notified Germany’s Computer Emergency Response Team (CERT-Bund) about the issue.

“The high profile of potentially targeted individuals associated with the G20 and early reconnaissance nature of the tools involved bear further watching,” Huss concludes.
