KopiLuwak Backdoor Refreshed For G20 Cyberattack

Security researchers Proofpoint have issued an alert over a new malware dropper that seems to be aimed at diplomats and bureaucrats associated with the G20.

The researchers said that the Turla group, widely believed to be a Russian state-sponsored organisation, has refreshed the KopiLuwak JavaScript backdoor to target those associated with the G20.

This group has been targeting government officials and diplomats for years through watering hole campaigns – compromising websites that are likely to be visited by targets of interest – and in June this year it started using social media site Instagram as a means of staying hidden once they had infected a target network.

G20 Target

But now according to Proofpoint, Turla is using a new .NET/MSIL dropper for an existing backdoor called JS/KopiLuwak. A dropper is a programme designed to install a piece of malware.

“The backdoor has been analysed previously and is a robust tool associated with this group, likely being used as an early stage reconnaissance tool,” the researchers warn.

“In this case, the dropper is being delivered with a benign and possibly stolen decoy document inviting recipients to a G20 task force meeting on the ‘Digital Economy’. The Digital Economy event is actually scheduled for October of this year in Hamburg, Germany.”

“The dropper first appeared in mid-July, suggesting that this APT activity is potentially ongoing, with Turla actively targeting G20 participants and/or those with interest in the G20, including member nations, journalists, and policymakers,.”

Proofpoint did admit that the delivery of KopiLuwak in this instance is currently unknown as the MSIL dropper has only been observed by its researchers on a public malware repository.

But as it has been observed in the wild, it is reasonable to assume it has been delivered via Turla’s usual attack methods such as spear phishing or via a watering hole.

“Based on the theme of the decoy PDF, it is very possible that the intended targets are individuals or organisations that are on or have an interest in G20’s Digital Economy Task Force,” the researchers said. “This could include diplomats, experts in the areas of interest related to the Digital Economy Task Force, or possibly even journalists.”

Data Risk

It is thought that PCs running Windows are at risk from this threat.

“The JavaScript dropper profiles the victim’s system, establishes persistence, and installs the KopiLuwak backdoor,” the researchers continue.

“KopiLuwak is a robust tool capable of exfiltrating data, downloading additional payloads, and executing arbitrary commands provided by the actor(s).”

Proofpoint said that it has notified CERT-Bund of this activity, and that it will  continue to track the activities associated both with this actor and these new tools.

Quiz: Think you know all about security in 2017?