The notorious advanced persistent threat (APT) group Turla is currently targeting G20 attendees. Believed to be of Russian origin, the group is conducting a campaign against policy makers, politicians and media reporters ahead of the G20 task force meeting. The conference is scheduled to be held in Germany on 23-24 October 2017.
The attackers are distributing the KopiLuwak backdoor Trojan by email to participants of the event. The phishing emails carry a ‘Save the Date’ PDF that serves as the first stage of a more advanced attack.
The file itself is not publicly available as of now. It does not appear to be fabricated and is likely legitimate; however, an invitation sent to a specific individual appears to have been compromised, and that is how the attackers attempted to get past the recipient's guard. It is now being circulated as a malicious document.
The JS dropper then installs a JS decryptor on the affected system: it decodes a base64 blob containing the decryptor and saves it to C:\Users\[executing user]\AppData\Roaming\Microsoft\Protect\appidpolicyconverter.js.
The decryptor in turn decrypts and executes the KopiLuwak backdoor in memory. Once running, the backdoor collects a fingerprint of the infected system.
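As an added defender's example that is not part of this article: a small Python hunting script that checks a user profile for the dropped-file path named above and flags JavaScript files that embed a large base64 blob, which is how the dropper is described as carrying its decryptor. The blob-size threshold, the constructed sample dropper text and the scratch directory standing in for the Roaming AppData folder are assumptions of this example, not details from the article.

```python
"""Added hunting example (not from the article).

Two checks a responder could run on a Windows profile:
  1. does the dropped decryptor path the article names exist?
  2. does a .js file carry a long embedded base64 blob?
"""
import base64
import re
import tempfile
from pathlib import Path

# Path the article gives for the dropped decryptor, relative to the user's
# Roaming AppData folder (C:\Users\<user>\AppData\Roaming).
INDICATOR_RELATIVE_PATH = Path("Microsoft") / "Protect" / "appidpolicyconverter.js"

# Assumption: a contiguous base64 run of at least this many characters inside
# a .js file is treated as a suspicious embedded blob. Tuning choice, not a
# value from the article.
MIN_BLOB_LEN = 200
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_BLOB_LEN)

# Constructed stand-in for the decryptor the dropper would embed; harmless text.
SAMPLE_PAYLOAD = b"// constructed stand-in for the decryptor script; not real malware\n" * 4

# Constructed dropper source: a JS file that decodes a base64 string and writes
# it out, mirroring the behaviour the article describes.
SAMPLE_DROPPER_JS = (
    'var blob = "' + base64.b64encode(SAMPLE_PAYLOAD).decode("ascii") + '";\n'
    "var fso = new ActiveXObject(\"Scripting.FileSystemObject\");\n"
    "// (decode blob and write appidpolicyconverter.js here)\n"
)


def check_indicator(roaming_appdata: Path) -> bool:
    """True if the dropped decryptor exists under the given Roaming AppData dir."""
    return (roaming_appdata / INDICATOR_RELATIVE_PATH).is_file()


def find_base64_blobs(js_source: str) -> list:
    """Return the decoded bytes of every long base64 run in js_source.

    Runs that do not decode cleanly (bad alphabet or padding) are skipped;
    binascii.Error is a subclass of ValueError.
    """
    found = []
    for match in BASE64_RUN.finditer(js_source):
        try:
            found.append(base64.b64decode(match.group(0), validate=True))
        except ValueError:
            continue
    return found


def demo_indicator_check() -> tuple:
    """Constructed demonstration: an empty scratch directory stands in for
    %APPDATA%; the check runs before and after the indicator file is planted
    (with placeholder content). Returns (before, after)."""
    with tempfile.TemporaryDirectory() as scratch:
        appdata = Path(scratch)
        before = check_indicator(appdata)
        target = appdata / INDICATOR_RELATIVE_PATH
        target.parent.mkdir(parents=True)
        target.write_text("// constructed placeholder, not the real dropped file\n")
        after = check_indicator(appdata)
    return before, after


if __name__ == "__main__":
    print("indicator present (before, after planting):", demo_indicator_check())
    blobs = find_base64_blobs(SAMPLE_DROPPER_JS)
    print("embedded blobs found:", len(blobs))
    for blob in blobs:
        print("  first line of decoded blob:", blob.splitlines()[0].decode("ascii"))
```

On a live system the first check would be run against the real Roaming AppData path of each user profile, and the second over any .js file found in unusual locations such as mail attachments or the Protect folder. A long base64 run on its own is not proof of compromise (legitimate scripts embed data too), so decoded blobs should be reviewed rather than treated as a verdict.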
The event on the Digital Economy is real and brings together economists, diplomats and journalists. Given the high profile of the potentially targeted individuals, their data could be exfiltrated if the presumed attack is carried out. Researchers claim that PCs running Windows are more vulnerable to the risk.
Turla has been branded the world’s most complex cyber threat by Kaspersky Lab. It is known to employ watering-hole attacks and targeted spear-phishing against its victims. It is assessed to be a state-backed group, a characterisation the Russian President rejects.
The tool used by the attackers performs reconnaissance. However, security experts have warned that it can also be used to execute arbitrary commands on the infected machine and exfiltrate confidential information.
In the meantime, Germany’s emergency response team, CERT-Bund, has been informed about the probable attack.