Security researchers Proofpoint have issued an alert over a new malware dropper that seems to be aimed at diplomats and bureaucrats associated with the G20.
The researchers said that the Turla group, widely believed to be a Russian state-sponsored organisation, has refreshed the KopiLuwak JavaScript backdoor to target those associated with the G20.
This group has been targeting government officials and diplomats for years through watering hole campaigns – compromising websites that are likely to be visited by targets of interest – and in June this year it started using social media site Instagram as a means of staying hidden once they had infected a target network.
But now according to Proofpoint, Turla is using a new .NET/MSIL dropper for an existing backdoor called JS/KopiLuwak. A dropper is a programme designed to install a piece of malware.
“The backdoor has been analysed previously and is a robust tool associated with this group, likely being used as an early stage reconnaissance tool,” the researchers warn.
“In this case, the dropper is being delivered with a benign and possibly stolen decoy document inviting recipients to a G20 task force meeting on the ‘Digital Economy’. The Digital Economy event is actually scheduled for October of this year in Hamburg, Germany.”
“The dropper first appeared in mid-July, suggesting that this APT activity is potentially ongoing, with Turla actively targeting G20 participants and/or those with interest in the G20, including member nations, journalists, and policymakers,.”
Proofpoint did admit that the delivery of KopiLuwak in this instance is currently unknown as the MSIL dropper has only been observed by its researchers on a public malware repository.
But as it has been observed in the wild, it is reasonable to assume it has been delivered via Turla’s usual attack methods such as spear phishing or via a watering hole.
“Based on the theme of the decoy PDF, it is very possible that the intended targets are individuals or organisations that are on or have an interest in G20’s Digital Economy Task Force,” the researchers said. “This could include diplomats, experts in the areas of interest related to the Digital Economy Task Force, or possibly even journalists.”
It is thought that PCs running Windows are at risk from this threat.
“The JavaScript dropper profiles the victim’s system, establishes persistence, and installs the KopiLuwak backdoor,” the researchers continue.
“KopiLuwak is a robust tool capable of exfiltrating data, downloading additional payloads, and executing arbitrary commands provided by the actor(s).”
Proofpoint said that it has notified CERT-Bund of this activity, and that it will continue to track the activities associated both with this actor and these new tools.
Quiz: Think you know all about security in 2017?
Digital transformation is an ongoing journey, requiring continuous adaptation, strong leadership, and skilled talent to…
Australian computer scientist faces contempt-of-court claim after suing Jack Dorsey's Block and Bitcoin Core developers…
OpenAI's ChatGPT gets search features, putting it in direct competition with Microsoft and Google, amidst…
New Google Maps allows users to ask for detailed information on local spots, adds AI-summarised…
US-sanctioned Huawei sees sales surge in first three quarters of 2024 on domestic smartphone popularity,…
Apple posts slight decline in China sales for fourth quarter, as Tim Cook negotiates to…