Story image

Turla threat group targets G20 Summit attendees

21 Aug 2017

Participants in this year’s G20 Summit in Germany are being targeted in a new wave of malware droppers, suspected to be from well-known Russian-speaking group called Turla.

The dropper is embedded in a decoy document that invites attendees, including G20 member nations, policymakers and journalists to the upcoming G20 task force meeting on the Digital Economy. The meeting is a genuine event, scheduled for October this year.

A new .NET/MSIL dropper is being used through a backdoor called JS/KopiLuwak. The G20 invite is used as a decoy PDF which then executes a JavaScript dropper. That dropper then installs a JavaScript decryptor, which in turns installs the KopiLuwak backdoor in memory only.

The Turla group has previously used the backdoor and according to Proofpoint researchers, is being used as an early-stage reconnaissance tool.

“ The dropper first appeared in mid-July, suggesting that this APT activity is potentially ongoing, with Turla actively targeting G20 participants and/or those with interest in the G20, including member nations, journalists, and policymakers,” researcher Darien Huss states in a Proofpoint blog.

Huss also says that the PDF decoy invite is not publicly available, suggesting that an organisation or entity that already has access to the invite has been compromised as well – or a recipient may have legitimately given the document to the Turla group.

“Proofpoint researchers ascertain with medium confidence that the document is legitimate and not fabricated. One piece of evidence suggesting that the document could be authentic is that in the document’s exif metadata, the creator tool is listed as ‘BE.D4.113.1’ which matches another PDF document that appears to have been scanned and is hosted on the Bundesministerium für Wirtschaft und Energie website,” Huss explains.

The Turla group has established itself as a well-known cybercrime gang that deals in advanced persistent threats. Proofpoint researchers suspect the group is state-sponsored by Russia. The group has been responsible for a number of attacks, including the US Central Command breach and Swiss technology company RUAG.

Proofpoint researchers that any PCs that use the .NET framework are potentially at risk, although the full risk can’t yet be assessed.

“The delivery of KopiLuwak in this instance is currently unknown as the MSIL dropper has only been observed by Proofpoint researchers on a public malware repository. Assuming this variant of KopiLuwak has been observed in the wild, there are a number of ways it may have been delivered including some of Turla’s previous attack methods such as spear phishing or via a watering hole,” Huss explains in the blog.

The JavaScript dropper could potentially profile the victim’s system, establish persistence and install the KopiLuwak backdoor. The backdoor could then exfiltrate data, download payloads and execute arbitrary demands from the actor.

Proofpoint says it has notified Germany’s Computer Emergency Response Team (CERT-Bund) about the issue.

“The high profile of potentially targeted individuals associated with the G20 and early reconnaissance nature of the tools involved bear further watching,” Huss concludes.

Privacy: The real cost of “free” mobile apps
Sales of location targeted advertising, based on location data provided by apps, is set to reach $30 billion by 2020.
Myth-busting assumptions about identity governance - SailPoint
The identity governance space has evolved and matured over the past 10 years, changing with the world around it.
Forrester names Crowdstrike leader in incident response
The report provides an in-depth evaluation of the top 15 IR service providers across 11 criteria.
Slack doubles down on enterprise key management
EKM adds an extra layer of protection so customers can share conversations, files, and data while still meeting their own risk mitigation requirements.
Security professionals want to return fire – Venafi
Seventy-two percent of professionals surveyed believe nation-states have the right to ‘hack back’ cybercriminals.
Alcatraz AI to replace corporate badges with AI security
The Palo Alto-based startup supposedly leverages facial recognition, 3D sensing, and machine learning to enable secure access control.
Ensign and IronNet partner to create cyber analytics capabilities
The Singapore-based joint venture will form a Cyber Analytics Center for Excellence focused on securing regional enterprises from sophisticated cyber threats.
Unencrypted Gearbest database leaves over 1.5mil shoppers’ records exposed
Depending on the countries and information requirements, the data could give hackers access to online government portals, banking apps, and health insurance records.