New Backdoor from Attack Group

Monday, August 21, 2017 @ 05:08 PM gHale

Turla, the cyber espionage group linked to Russia, is using a new malware dropper in attacks, researchers said.

The dropper’s target is anybody having anything to do with the G20 summit, said researchers at Proofpoint.


G20 is an international forum for governments and central banks. The G20 Summit was held last month in Hamburg, Germany, and further events will take place there, such as the Task Force “Digital Economy” meeting in late October.

A document announcing the Digital Economy meeting was used by Turla as a decoy to deliver a new .NET/MSIL dropper, which in turn drops a JavaScript backdoor called KopiLuwak, Proofpoint researchers said in a blog post.

“The backdoor has been analyzed previously [11] and is a robust tool associated with this group, likely being used as an early stage reconnaissance tool,” researchers said.

The decoy document appears to come from Germany’s Federal Ministry for Economic Affairs and Energy, and researchers believe the file is likely legitimate. The document does not appear to be publicly available, which indicates it may have been obtained by the attackers from an entity that received the file, researchers said.

The document metadata shares similarities with a legitimate PDF file hosted on the website of the Federal Ministry for Economic Affairs and Energy, including the author’s name (BE.D4.113.1) and the device it was created with (KONICA MINOLTA bizhub C284e).

The new dropper delivered alongside this document is stored in a file named Scr.js. It creates a scheduled task for persistence and executes various commands to collect information about the infected machine, and it checks for the presence of Kaspersky security products before dropping the KopiLuwak backdoor.

The dropper code is not obfuscated and it does not include any anti-analysis mechanisms, the researchers said.
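The persistence behaviour described above (a JavaScript dropper registering a scheduled task) is the kind of thing a defender can hunt for in scheduled-task definitions. The following is an added example written for this page, not code from Proofpoint or from the malware: it parses task definitions in the Windows Task Scheduler XML schema (the format logged in Security event 4698) and flags tasks whose action runs a script host, references a script file, or points into a user-writable path. The task names, paths and XML below are constructed samples, and the `Scr.js` path is assumed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample task definitions in the Task Scheduler XML schema (the
# shape Windows records in Security event 4698 "TaskContent"). These are
# illustrative, not telemetry from the Turla campaign.
SAMPLE_TASKS = {
    "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag": """
<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec></Actions>
</Task>""",
    "\\Updater": """
<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>wscript.exe</Command><Arguments>//B C:\\Users\\victim\\AppData\\Roaming\\Scr.js</Arguments></Exec></Actions>
</Task>""",
    "\\Backup": """
<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\\Program Files\\Backup\\backup.exe</Command></Exec></Actions>
</Task>""",
}

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = ("wscript", "cscript", "mshta")          # Windows script engines
USER_WRITABLE = re.compile(r"\\(users|programdata)\\", re.IGNORECASE)

def suspicious_actions(task_xml):
    """Return the reasons a task's Exec actions look like script-based persistence."""
    root = ET.fromstring(task_xml.strip())
    reasons = []
    for ex in root.findall(".//t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        line = f"{cmd} {args}"
        exe = cmd.rsplit("\\", 1)[-1].lower()           # basename of the command
        if exe.startswith(SCRIPT_HOSTS):
            reasons.append(f"script host {exe}")
        if re.search(r"\.(js|jse|vbs|wsf)\b", line, re.IGNORECASE):
            reasons.append("script file in action")
        if USER_WRITABLE.search(line):
            reasons.append("action points into a user-writable path")
    return reasons

def triage(tasks):
    """Map task name -> reasons, for every task that trips at least one check."""
    return {name: r for name, xml in tasks.items() if (r := suspicious_actions(xml))}

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_TASKS).items():
        print(name, "->", ", ".join(reasons))
```

On a live host the same function can be fed the XML returned by `schtasks /query /xml` or the TaskContent field of event 4698; the matches are triage leads, not verdicts, since legitimate software also schedules scripts.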

Turla has been active since 2007 and is responsible for several high-profile attacks.
