Security Experts:

Turla Cyberspies Use New Dropper in G20 Attacks

The Russia-linked cyber espionage group known as Turla has been using a new malware dropper in attacks apparently aimed at entities interested in G20, security firm Proofpoint reported last week.

G20 is an international forum for governments and central banks from all continents. The G20 Summit was held last month in Hamburg, Germany, and other events are scheduled to take place in the same city later this year, including the Task Force “Digital Economy” meeting in October 23 - 24.

A document announcing the Digital Economy meeting has apparently been used by Turla as a decoy to deliver a new .NET/MSIL dropper, which deploys a recently discovered JavaScript backdoor tracked as KopiLuwak.

The decoy document appears to come from Germany’s Federal Ministry for Economic Affairs and Energy, and researchers believe the file is likely legitimate. The document does not appear to be publicly available, which indicates that it may have been obtained by the attackers from an entity that received the file.

Proofpoint highlighted that the decoy document’s metadata shares similarities to a legitimate PDF file hosted on the website of the Federal Ministry for Economic Affairs and Energy, including the author’s name (BE.D4.113.1) and the device it was created with (KONICA MINOLTA bizhub C284e).

The new dropper delivered alongside this document is stored in a file named Scr.js, which creates a scheduled task for persistence and executes various commands to obtain information about the infected device. The dropper looks for the presence of Kaspersky security products before dropping the KopiLuwak backdoor, which is not surprising considering that Kaspersky Lab was the first to analyze KopiLuwak.

Researchers pointed out that the dropper code is not obfuscated and it does not include any anti-analysis mechanisms. In older versions of KopiLuwak, the backdoor itself was in charge of fingerprinting the system, but the functionality has now been moved to the dropper.

Since Proofpoint’s analysis is based on files obtained from a public malware repository, it’s unclear who was targeted in this attack. However, based on the theme of the decoy document, the most likely targets are individuals and organizations interested in the G20 event. This can include member countries, policy makers and journalists.

Turla has been active since at least 2007 and is believed to be responsible for several high-profile attacks, including the ones aimed at Swiss defense firm RUAG and the U.S. Central Command. The group is also known as Waterbug, KRYPTON and Venomous Bear, and some of its primary tools are tracked as Turla (Snake and Uroburos) and Epic Turla (Wipbot and Tavdig).

This spring, Turla and another Russia-linked threat group, known as APT28 and Fancy Bear, had been spotted exploiting zero-day vulnerabilities in Microsoft products.

Related: Turla Linked to One of the Earliest Cyberespionage Operations

Related: Turla Group Improves Carbon Backdoor

Related: Turla Malware Obtains C&C Address From Instagram Comments

Related: Turla Cyberspies Developing Mac OS X Malware

view counter
Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.