Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Cyber-Attackers Use G20 Summit as Lure for Attacks

Cyber-attackers have stepped up efforts to use the G-20 Summit as bait to snare users.

Cyber-attackers have stepped up efforts to use the G-20 Summit as bait to snare users.

In a spate of campaigns targeting victims in both the financial sector, government and elsewhere, multiple groups have been at work trying to lure victims into downloading malicious files disguised as documents about the conference, which started today in St. Petersburg, Russia.

In one email with the subject line: ‘Revised Building Blocks (Round 2)’, victims receive an RAR archive file with five files in it. Of the five files, two of them masquerade as different file types, explained Symantec security researcher Satnam Narang.

“One of the documents is actually an executable, while the .msg file is a .lnk file, which we have seen used in attacks before,” the researcher blogged. “If the victim tries to run the .msg file, it will run both the malicious executable and one of the non-malicious documents.”

The malicious executable that runs in the background is the notorious Poison Ivy remote access tool.

A similar attack was reported Wednesday by Trend Micro, which warned about an email with the subject ‘Pre-Summit Meeting of G20.’ Like the attack detected by Symantec, the email comes with a RAR attachment; this time however, it only contains three files – one LNK file and two other binary files.

“The LNK file is not a simple shortcut file; it contains custom commands that recontrust the two separated binary files into one file and execute it (detected as BKDR_SISPROC.A),” explained Lenart Bermejo, senior threats response engineer at Trend Micro, in a blog post. “As a backdoor, BKDR_SISPROC.A communicates to its remote servers to execute malicious commands onto the infected system. More importantly, this backdoor also downloads plugins, which will then execute varous data-stealing behaviors such as screen capture and keylogging.”

“Overall, the techniques exhibited by this attack do not constitute a new threat,” the researcher continued. “However, as we have predicted and confirmed this year, malicious actors are focused on refining how they distribute threats and evade detections. The splitting of a binary file into two files is a clear sign of the ongoing attempts to keep attacks under the radar.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.