G-20 themed emails deliver spying malware to EU, Canadian officials
The topic of the G-20 summit scheduled to be held in Russia next month is being misused by multiple cyber espionage groups, some of which have been tracked to China, warn Rapid7 researchers.
As the date of the start of the summit approaches, the number of G-20 themed attacks has been slowly increasing, and the targets are mostly people inside government and financial institutions.
One of these groups – dubbed Calc Team or APT-12 – has been tied to the recent New York Times hack, but it has been attacking government agencies, financial institutions and defense contractors for several years now.
Their modus operandi consists of sending an email (in this case G-20 themed) that carries malware inside a Zip archive; once run, the malware contacts several different domains that all resolve to the same IP address. The attackers are not relying on an exploit to get the malware executed, but are counting on the victims being intrigued enough to open the file themselves.
Once they do, two legitimate decoy PDF files are opened to allay any suspicion the victims might have.
In the background, an initial dropper tries to download and execute additional malware and starts to log the victims’ keystrokes.
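The lure described above, a runnable payload shipped next to decoy PDFs in a Zip archive, can be caught at the mail gateway by classifying archive members by their content rather than their file name. The following is an added example (not code from Rapid7 or from the article); the archive it inspects is a constructed sample shaped like the one described, and the file names in it are invented.

```python
import io
import zipfile

# Extensions Windows will run directly; a "something.pdf.exe" lure hides behind these.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
MZ_MAGIC = b"MZ"      # header of a Windows PE executable
PDF_MAGIC = b"%PDF"   # header of a PDF document


def inspect_zip_attachment(data: bytes) -> dict:
    """Classify every member of a Zip attachment by content, not just by name.

    Returns the members identified as PE executables (by MZ header or extension),
    the members identified as PDFs, and a verdict: any executable inside an
    e-mailed archive is reason to quarantine, decoy documents or not.
    """
    result = {"executables": [], "pdfs": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(4)
            name = info.filename.lower()
            # Check the header first: a renamed .exe still starts with "MZ".
            if head.startswith(MZ_MAGIC) or any(name.endswith(e) for e in EXECUTABLE_EXTS):
                result["executables"].append(info.filename)
            elif head.startswith(PDF_MAGIC):
                result["pdfs"].append(info.filename)
    result["suspicious"] = bool(result["executables"])
    return result


def build_sample_attachment() -> bytes:
    """Constructed sample (not a real capture): a lure archive shaped like the one described."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Fake PE: only the MZ header, nothing executable follows it.
        zf.writestr("G20 summit agenda.pdf.exe", MZ_MAGIC + b"\x90" * 60)
        zf.writestr("G20 summit agenda.pdf", b"%PDF-1.4\n% decoy document one\n")
        zf.writestr("Delegates list.pdf", b"%PDF-1.4\n% decoy document two\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_zip_attachment(build_sample_attachment()))
```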
Judging by the countries from which random users uploaded the suspected malware to VirusTotal and the subjects of the spear-phishing emails, the group is currently targeting Canadian, EU and Hungarian officials.
“Unfortunately we have no visibility into the result of the attacks and whether the operators managed to be successful, but it’s remarkable that despite the high profile of the average target of these espionage operations, the tactics and tools adopted are not as sophisticated as one would expect,” the researchers note.
“As also pointed out by FireEye, the creators of the malware seem to be actively changing things around in order to avoid detection by network defense layers, which, combined with the lack of exploitation involved, leaves a large responsibility on the targeted user to be able to recognize the social engineering attempt and isolate the attack.”