G20 Summit Used as Bait to Deliver Backdoor.Darkmoon

Ahead of this week's G20 summit in Saint Petersburg, Russia, attackers are leveraging the meeting's visibility in targeted attacks.

One particular campaign we have identified is targeting multiple groups. They include financial institutions, financial services companies, government organizations, and organizations involved in economic development.
 

image1_11.png

Figure 1. Email purporting to be from G20 Representative
 

The email purports to be sent on behalf of a G20 representative. The email continues:
 

Many thanks for circulating these updated building blocks. Please find the UK comments on these attached. I look forward to seeing you in St Petersburg soon.
 

The ‘building blocks’ mentioned are the theme of multiple documents, which discuss the UK government’s feedback on a series of building blocks to address development, anti-corruption, and employment.
 

image2_6.png

Figure 2. File listing for malicious attachment
 

Attached to the email is a RAR archive file. The archive contains five files. Of the five files, two of them masquerade as different file types. One of the documents is actually an executable, while the .msg file is a .lnk file, which we have seen used in attacks before. If the victim tries to run the .msg file, it will run both the malicious executable and one of the non-malicious documents. The five files contained in the archive, and their MD5s, are as follows:
 

File name

MD5

UKcomments.msg.lnk

7960F23DC79D75005C1C98D430FAC39B

UK_Building_block_TRADE.docx

53C60480254BCEB41660BD40AA12CECB

UK_Building_block_ANTICORRUPTION.doc

099A1C43677FD1286B380BCBF9BE90F4

UK - Building block_EMPLOYMENT - Aug.docx

05BC1C528E6CD49C9B311C25039FC700

UK - Building block_DEVELOPMENT - Aug.docx

C9F0DFAD687F5700325C4F8AEAEFC5F8

 

image3_6.png

Figure 3. Non-malicious document presented to the victim
 

The victim will be shown a non-malicious document. What is interesting about these documents is that each of them has track changes enabled and contains the reported comments from the UK called out in the original e-mail. At this time, we cannot verify the authenticity of these documents, but from our observation, modifications were made to them earlier this month, which states that they were last modified by a user named “UK Government.”
 

image4_2.png

Figure 4. Author information from the document
 

The malicious executable that runs in the background is known as Poison Ivy. Symantec detects this executable as Backdoor.Darkmoon.

Backdoor.Darkmoon is a well-known remote access Trojan (RAT) that has been used in various targeted attack campaigns over the years, including The Nitro Attacks which we reported on in 2011.

When executed, this version of Backdoor.Darkmoon will copy itself to %Windir% as winupdsvc.exe. It will then attempt to connect to the following URLs on ports 80, 8080, or 443:

  • [http://]www.verizon.itemdb.com
  • [http://]www.verizon.dynssl.com
  • [http://]www.verizon.proxydns.com

While this particular campaign leverages Darkmoon, we have found other campaigns from the same group using different threats. Last month, we found them using Java remote access tools (jRAT) that we identify as Backdoor.Jeetrat and Backdoor.Opsiness, also known as Frutas RAT.

Security Response is aware of other groups using the G20 Summit as a theme in targeted attacks, which showcases how this particular meeting is ripe for attackers to use as bait.