
Turla threat group targets G20 Summit attendees

21 Aug 2017

Participants in this year’s G20 Summit in Germany are being targeted in a new wave of malware droppers, suspected to be from a well-known Russian-speaking group called Turla.

The dropper is embedded in a decoy document that invites attendees, including G20 member nations, policymakers and journalists, to the upcoming G20 task force meeting on the Digital Economy. The meeting is a genuine event, scheduled for October this year.

A new .NET/MSIL dropper is being used to deliver a backdoor called JS/KopiLuwak. The G20 invite is used as a decoy PDF which then executes a JavaScript dropper. That dropper then installs a JavaScript decryptor, which in turn installs the KopiLuwak backdoor in memory only.

The Turla group has previously used the backdoor, which according to Proofpoint researchers is being used as an early-stage reconnaissance tool.

“The dropper first appeared in mid-July, suggesting that this APT activity is potentially ongoing, with Turla actively targeting G20 participants and/or those with interest in the G20, including member nations, journalists, and policymakers,” researcher Darien Huss states in a Proofpoint blog.

Huss also says that the PDF decoy invite is not publicly available, suggesting that an organisation or entity that already has access to the invite has been compromised as well – or a recipient may have legitimately given the document to the Turla group.

“Proofpoint researchers ascertain with medium confidence that the document is legitimate and not fabricated. One piece of evidence suggesting that the document could be authentic is that in the document’s exif metadata, the creator tool is listed as ‘BE.D4.113.1’ which matches another PDF document that appears to have been scanned and is hosted on the Bundesministerium für Wirtschaft und Energie website,” Huss explains.

The Turla group has established itself as a well-known cybercrime gang that deals in advanced persistent threats. Proofpoint researchers suspect the group is state-sponsored by Russia. The group has been responsible for a number of attacks, including the US Central Command breach and an attack on Swiss technology company RUAG.

Proofpoint researchers say that any PCs that use the .NET framework are potentially at risk, although the full risk can’t yet be assessed.

“The delivery of KopiLuwak in this instance is currently unknown as the MSIL dropper has only been observed by Proofpoint researchers on a public malware repository. Assuming this variant of KopiLuwak has been observed in the wild, there are a number of ways it may have been delivered including some of Turla’s previous attack methods such as spear phishing or via a watering hole,” Huss explains in the blog.

The JavaScript dropper could potentially profile the victim’s system, establish persistence and install the KopiLuwak backdoor. The backdoor could then exfiltrate data, download payloads and execute arbitrary commands from the actor.

Proofpoint says it has notified Germany’s Computer Emergency Response Team (CERT-Bund) about the issue.

“The high profile of potentially targeted individuals associated with the G20 and early reconnaissance nature of the tools involved bear further watching,” Huss concludes.
