G20 event invite decoy for new malware dropper

Proofpoint researchers believe Russian state-sponsored group wants to dupe diplomats

Bureaucrats and diplomats may have fallen victim to a new malware dropper, delivered under the guise of a G20 ‘save the date’ document.

Proofpoint researchers have today observed a group called Turla – which the security company believes to be a Russian state-sponsored organisation – using a new .NET/MSIL dropper for an existing backdoor called JS/KopiLuwak.

The dropper – the programme designed to install a piece of malware – is being delivered with a .pdf of an invite to attend a G20 task force meeting on the ‘Digital Economy’.

The event is a real one, scheduled for October of this year in Hamburg, Germany. The document purports to be from the German Federal Ministry for Economic Affairs and Energy, and features the G20 logo on the letterhead.

“As far as we are aware, this document is not publicly available and so may indicate that an entity with access to the invitation was already compromised,” said Proofpoint researcher Darien Huss. “Alternatively, the document may have been legitimately obtained from a recipient.”

PDF decoy invitation to a G20 Digital Economy Taskforce meeting

Thanks to analysis of the document’s EXIF metadata, Huss said he could say with “medium confidence that the document is legitimate and not fabricated”.

Red alert

For PCs running the .NET framework – which includes most modern Windows operating systems – the potential impact of the malware is significant.

“The JavaScript dropper profiles the victim’s system, establishes persistence, and installs the KopiLuwak backdoor. KopiLuwak is a robust tool capable of exfiltrating data, downloading additional payloads, and executing arbitrary commands provided by the actor,” Proofpoint analysis notes.

Huss, who discovered the kill switch for the devastating WannaCry attack earlier this year, said the malware had not yet been observed in the wild, but was obtained from a public malware repository.

“[Because of this] the full scope and impact of the attack or, possibly pending attack, cannot be fully assessed. The high profile of potentially targeted individuals associated with the G20 and early reconnaissance nature of the tools involved bear further watching,” he said.

The Turla APT group, also known as Snake and Uroboros, is one of the most advanced threat actors in the world and has been active for around a decade, according to Kaspersky.
