KopiLuwak Backdoor Refreshed For G20 Cyberattack

Security researchers Proofpoint have issued an alert over a new malware dropper that seems to be aimed at diplomats and bureaucrats associated with the G20.

The researchers said that the Turla group, widely believed to be a Russian state-sponsored organisation, has refreshed the KopiLuwak JavaScript backdoor to target those associated with the G20.

This group has been targeting government officials and diplomats for years through watering hole campaigns – compromising websites that are likely to be visited by targets of interest – and in June this year it started using social media site Instagram as a means of staying hidden once they had infected a target network.

G20 Target

But now according to Proofpoint, Turla is using a new .NET/MSIL dropper for an existing backdoor called JS/KopiLuwak. A dropper is a programme designed to install a piece of malware.

“The backdoor has been analysed previously and is a robust tool associated with this group, likely being used as an early stage reconnaissance tool,” the researchers warn.

“In this case, the dropper is being delivered with a benign and possibly stolen decoy document inviting recipients to a G20 task force meeting on the ‘Digital Economy’. The Digital Economy event is actually scheduled for October of this year in Hamburg, Germany.”

“The dropper first appeared in mid-July, suggesting that this APT activity is potentially ongoing, with Turla actively targeting G20 participants and/or those with interest in the G20, including member nations, journalists, and policymakers,.”

Proofpoint did admit that the delivery of KopiLuwak in this instance is currently unknown as the MSIL dropper has only been observed by its researchers on a public malware repository.

But as it has been observed in the wild, it is reasonable to assume it has been delivered via Turla’s usual attack methods such as spear phishing or via a watering hole.

“Based on the theme of the decoy PDF, it is very possible that the intended targets are individuals or organisations that are on or have an interest in G20’s Digital Economy Task Force,” the researchers said. “This could include diplomats, experts in the areas of interest related to the Digital Economy Task Force, or possibly even journalists.”

Data Risk

It is thought that PCs running Windows are at risk from this threat.

“The JavaScript dropper profiles the victim’s system, establishes persistence, and installs the KopiLuwak backdoor,” the researchers continue.

“KopiLuwak is a robust tool capable of exfiltrating data, downloading additional payloads, and executing arbitrary commands provided by the actor(s).”

Proofpoint said that it has notified CERT-Bund of this activity, and that it will  continue to track the activities associated both with this actor and these new tools.

Quiz: Think you know all about security in 2017?

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Google Warns Of Italian Spyware On Apple, Android Phones

Italian company's hacking tools have been used to spy on Apple, Android smartphones in Italy…

13 hours ago

Intel Signals Delay To Ohio Factory Over US Chips Act Dispute

Chip maker warns new factory in Columbus, Ohio could be delayed or scaled back, over…

13 hours ago

Silicon UK In Focus Podcast: Sustainable Business

How do sustainable businesses use technology to innovate? And as businesses want to connect sustainability…

15 hours ago

Australia Fines Samsung Over Water-Resistance Claims

Samsung rapped over the knuckles by Australian regulator because of 'misleading' Galaxy smartphone water-resistance claims…

1 day ago

Amazon Reveals Alexa Option To Mimic Any Person’s Voice

Bereavement aid for those in mourning? Amazon's Alexa voice assistant could be programmed to sound…

1 day ago