KopiLuwak Backdoor Refreshed For G20 Cyberattack

Security researchers Proofpoint have issued an alert over a new malware dropper that seems to be aimed at diplomats and bureaucrats associated with the G20.

The researchers said that the Turla group, widely believed to be a Russian state-sponsored organisation, has refreshed the KopiLuwak JavaScript backdoor to target those associated with the G20.

This group has been targeting government officials and diplomats for years through watering hole campaigns – compromising websites that are likely to be visited by targets of interest – and in June this year it started using social media site Instagram as a means of staying hidden once they had infected a target network.

G20 Target

But now according to Proofpoint, Turla is using a new .NET/MSIL dropper for an existing backdoor called JS/KopiLuwak. A dropper is a programme designed to install a piece of malware.

“The backdoor has been analysed previously and is a robust tool associated with this group, likely being used as an early stage reconnaissance tool,” the researchers warn.

“In this case, the dropper is being delivered with a benign and possibly stolen decoy document inviting recipients to a G20 task force meeting on the ‘Digital Economy’. The Digital Economy event is actually scheduled for October of this year in Hamburg, Germany.”

“The dropper first appeared in mid-July, suggesting that this APT activity is potentially ongoing, with Turla actively targeting G20 participants and/or those with interest in the G20, including member nations, journalists, and policymakers,.”

Proofpoint did admit that the delivery of KopiLuwak in this instance is currently unknown as the MSIL dropper has only been observed by its researchers on a public malware repository.

But as it has been observed in the wild, it is reasonable to assume it has been delivered via Turla’s usual attack methods such as spear phishing or via a watering hole.

“Based on the theme of the decoy PDF, it is very possible that the intended targets are individuals or organisations that are on or have an interest in G20’s Digital Economy Task Force,” the researchers said. “This could include diplomats, experts in the areas of interest related to the Digital Economy Task Force, or possibly even journalists.”

Data Risk

It is thought that PCs running Windows are at risk from this threat.

“The JavaScript dropper profiles the victim’s system, establishes persistence, and installs the KopiLuwak backdoor,” the researchers continue.

“KopiLuwak is a robust tool capable of exfiltrating data, downloading additional payloads, and executing arbitrary commands provided by the actor(s).”

Proofpoint said that it has notified CERT-Bund of this activity, and that it will  continue to track the activities associated both with this actor and these new tools.

Quiz: Think you know all about security in 2017?

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Is the Digital Transformation of Businesses Complete?

Digital transformation is an ongoing journey, requiring continuous adaptation, strong leadership, and skilled talent to…

7 hours ago

Craig Wright Faces Contempt Claim Over Bitcoin Lawsuit

Australian computer scientist faces contempt-of-court claim after suing Jack Dorsey's Block and Bitcoin Core developers…

7 hours ago

OpenAI Adds ChatGPT Search Features

OpenAI's ChatGPT gets search features, putting it in direct competition with Microsoft and Google, amidst…

8 hours ago

Google Maps Steers Into Local Information With AI Chat

New Google Maps allows users to ask for detailed information on local spots, adds AI-summarised…

8 hours ago

Huawei Sees Sales Surge, But Profits Fall

US-sanctioned Huawei sees sales surge in first three quarters of 2024 on domestic smartphone popularity,…

9 hours ago

Apple Posts China Sales Decline, Ramping Pressure On AI Strategy

Apple posts slight decline in China sales for fourth quarter, as Tim Cook negotiates to…

9 hours ago