
Turla threat group targets G20 Summit attendees

21 Aug 17

Participants in this year’s G20 Summit in Germany are being targeted in a new wave of malware droppers, suspected to be from well-known Russian-speaking group called Turla.

The dropper is embedded in a decoy document that invites attendees, including G20 member nations, policymakers and journalists to the upcoming G20 task force meeting on the Digital Economy. The meeting is a genuine event, scheduled for October this year.

A new .NET/MSIL dropper is being used to deliver a backdoor called JS/KopiLuwak. The G20 invite serves as a decoy PDF, which then executes a JavaScript dropper. That dropper installs a JavaScript decryptor, which in turn installs the KopiLuwak backdoor in memory only.

The Turla group has previously used this backdoor, which, according to Proofpoint researchers, serves as an early-stage reconnaissance tool.

“The dropper first appeared in mid-July, suggesting that this APT activity is potentially ongoing, with Turla actively targeting G20 participants and/or those with interest in the G20, including member nations, journalists, and policymakers,” researcher Darien Huss states in a Proofpoint blog.

Huss also says that the PDF decoy invite is not publicly available, suggesting that an organisation or entity that already has access to the invite has been compromised as well – or a recipient may have legitimately given the document to the Turla group.

“Proofpoint researchers ascertain with medium confidence that the document is legitimate and not fabricated. One piece of evidence suggesting that the document could be authentic is that in the document’s exif metadata, the creator tool is listed as ‘BE.D4.113.1’ which matches another PDF document that appears to have been scanned and is hosted on the Bundesministerium für Wirtschaft und Energie website,” Huss explains.
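The two document checks described above, a PDF that launches JavaScript on open and a Creator metadata string compared against a known-genuine reference, can be reproduced as a small triage routine. The following is an added example and not code from the article or from Proofpoint: the sample PDF bytes are constructed, the reference creator string is the one quoted above, and the function and class names are this example's own. It works on uncompressed PDFs only; values inside compressed object streams are not visible to a plain byte scan.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# PDF name objects that mark a document able to run or launch code. Their
# presence is a triage signal, not proof of malice (many benign forms use /JS).
RISKY_KEYS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")

_LITERAL = rb"\(((?:[^()\\]|\\.)*)\)"   # (literal string) with \-escapes, no nesting
_HEX = rb"<([0-9A-Fa-f\s]*)>"           # <hex string>


@dataclass
class PdfTriage:
    creator: Optional[str]
    producer: Optional[str]
    creator_matches: Optional[bool]          # None when no reference value was given
    risky_keys: Dict[str, int] = field(default_factory=dict)

    @property
    def suspicious(self) -> bool:
        return any(k in self.risky_keys for k in ("/JavaScript", "/JS", "/Launch"))


def decode_name_escapes(raw: bytes) -> bytes:
    """Resolve #xx escapes so that /J#61vaScript is seen as /JavaScript.
    Applied to the whole file for simplicity; a #xx inside a literal string
    is rewritten too, which is harmless for key counting."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def pdf_info_string(raw: bytes, key: str) -> Optional[str]:
    """Return the first /key string value (literal or hex form) found in an
    uncompressed PDF, e.g. the Info dictionary's /Creator."""
    pattern = rb"/" + re.escape(key.encode()) + rb"\s*(?:" + _LITERAL + rb"|" + _HEX + rb")"
    m = re.search(pattern, raw, re.S)
    if not m:
        return None
    if m.group(1) is not None:                       # literal string: drop \-escapes
        return re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
    digits = re.sub(rb"\s", b"", m.group(2)).decode("ascii")
    if len(digits) % 2:                              # PDF implies a trailing 0 digit
        digits += "0"
    return bytes.fromhex(digits).decode("latin-1")


def count_risky_keys(raw: bytes) -> Dict[str, int]:
    """Count each code-carrying name object in the (escape-normalised) bytes."""
    counts: Dict[str, int] = {}
    for key in RISKY_KEYS:
        # The lookahead stops /JS from also matching longer names such as /JSX.
        n = len(re.findall(re.escape(key.encode()) + rb"(?![A-Za-z0-9_])", raw))
        if n:
            counts[key] = n
    return counts


def triage_pdf(raw: bytes, expected_creator: Optional[str] = None) -> PdfTriage:
    """Extract Creator/Producer, compare Creator with a trusted reference value
    (e.g. the creator string of a document known to be genuine) and count
    code-carrying keys, after resolving #xx name obfuscation."""
    normalized = decode_name_escapes(raw)
    creator = pdf_info_string(normalized, "Creator")
    matches = None if expected_creator is None else (creator == expected_creator)
    return PdfTriage(
        creator=creator,
        producer=pdf_info_string(normalized, "Producer"),
        creator_matches=matches,
        risky_keys=count_risky_keys(normalized),
    )


# Constructed sample: a tiny uncompressed PDF whose catalog opens a JavaScript
# action (name obfuscated with a #xx escape) and whose Info dictionary carries
# the creator string quoted in the article. Not a real file from the campaign.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert\\(1\\);) >> endobj
5 0 obj << /Creator (BE.D4.113.1) /Producer <53616D706C65> >> endobj
trailer << /Root 1 0 R /Info 5 0 R >>
%%EOF
"""

if __name__ == "__main__":
    result = triage_pdf(SAMPLE_PDF, expected_creator="BE.D4.113.1")
    print(result)
    print("suspicious:", result.suspicious)
```

A matching Creator string is only weak evidence that a document is genuine, as the article's "medium confidence" wording implies: metadata is trivially editable, so the check is best used the other way round, to flag an invite whose metadata does not match the issuing organisation's usual tooling, alongside the presence of /OpenAction and /JavaScript.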

The Turla group has established itself as a well-known cybercrime group that conducts advanced persistent threat campaigns. Proofpoint researchers suspect the group is state-sponsored by Russia. The group has been blamed for a number of attacks, including the breach of US Central Command and of Swiss technology company RUAG.

Proofpoint researchers say that any PCs that use the .NET framework are potentially at risk, although the full risk can’t yet be assessed.

“The delivery of KopiLuwak in this instance is currently unknown as the MSIL dropper has only been observed by Proofpoint researchers on a public malware repository. Assuming this variant of KopiLuwak has been observed in the wild, there are a number of ways it may have been delivered including some of Turla’s previous attack methods such as spear phishing or via a watering hole,” Huss explains in the blog.

The JavaScript dropper could potentially profile the victim’s system, establish persistence and install the KopiLuwak backdoor. The backdoor could then exfiltrate data, download payloads and execute arbitrary commands from the actor.

Proofpoint says it has notified Germany’s Computer Emergency Response Team (CERT-Bund) about the issue.

“The high profile of potentially targeted individuals associated with the G20 and early reconnaissance nature of the tools involved bear further watching,” Huss concludes.
