Annual G20 summit is attractive target for Flea attack group

Attackers attempt to steal information from targeted officials through spear-phishing emails.

G20 summit 1 edit.jpg

Each year, as world leaders come together to discuss a variety of global economic issues at the G20 summit, organizations with a vested interest in the event are the recipients of malicious emails from threat actors.

This year, the summit will be held in Brisbane, Australia on November 15 and 16 and a specific attack group, which we call Flea, has been circulating malicious emails throughout 2014 in anticipation of the event. Targets include an international economic organization as well as a group connected to multiple monetary authorities. Once the attackers have compromised their target’s computers, they identify and steal valuable information from them.

Who is the Flea attack group?
The Flea attackers have been active since at least 2010 when they sent a decoy document to target those interested in the G20 Summit held in Seoul, South Korea that year. They have typically targeted European governments, global military organizations, and financial institutions. Flea uses one particular attack tool, detected as Infostealer.Hoardy, which can open a back door, run shell commands, and upload and download files on the compromised computer.

The attackers’ primary motivation is to steal information from targeted officials. They typically send spear-phishing emails with malicious attachments to compromise their intended victims’ computers. The content of these messages usually centers on an international event or theme that is of interest to their targets, such as nuclear issues, the Olympics, and major political conferences. They may also disguise these emails as job applications and send them to HR departments of targeted firms. Once the malware infects their target’s computers, the threat gives the attackers the ability to carry out reconnaissance on the compromised computers and identify and exfiltrate valuable information.  

The Flea attack group carries out new attacks every four to eight months, suggesting that the group only wishes to steal information over a short amount of time. Flea’s attack tools also indicate that the group is not interested in laterally moving across compromised networks to reach other targets.

G20 summit 2.png
Figure 1. Flea attacks since 2010

Current G20 summit campaign
The Flea group has been circulating two G20-themed emails in the run-up to this weekend’s summit. The subject of one of these emails posits, “What exactly is the point of the G20 in Australia?” The email includes a malicious Word document that attempts to exploit the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158) on vulnerable computers.

Another email relates to a G20 document that is of interest to financial institutions. Following each meeting between finance ministers and central bank governors, a communiqué is released which includes G20 policy discussions and commitments. The Flea attackers know about these documents and have been circulating emails with the subject “Communiqué Meeting of G20 Finance Ministers and Central Bank” along with a malicious Word document similar to the one previously discussed.

In each of these examples, the malicious Word documents have been used to deploy Infostealer.Hoardy. A non-malicious Word document is also opened up on the compromised computer to ensure that the recipient doesn’t suspect that anything is amiss.

G20 Summit 3.png
Figure 2. Non-malicious Word document

The attackers have sent these emails to multiple targets, including an international economic organization and a group connected to multiple monetary authorities. These targets have an interest in what is discussed at the G20 summit and some may have delegations attending the event. It gives the attackers a major opportunity to steal valuable data from their targets by enticing them with G20-themed communications.

Future G20-themed attacks
The Flea attack group isn’t the only threat to worry about during G20 summits. Threat actors have always found the G20 summit an opportune time to target individuals within governments and financial and economic development organizations. Prior to last year’s summit in Saint Petersburg, Russia, we observed a campaign using the Poison Ivy remote access Trojan (RAT) to target multiple groups. These targeted organizations should expect more of the same during future G20 summits. Different threat actors will no doubt continue to use organizations’ interests in the G20 summit to target them again in the coming years.

Protection
Symantec recommends that users exercise caution when opening emails and attachments from unexpected or unknown senders. Symantec detects the malware used in these latest G20-themed attacks as Infostealer.Hoardy.

Indicators of compromise
MD5s:

  • 026936afbbbdd9034f0a24b4032bd2f8
  • 069aeba691efe44bfdc0377cd58b16ae
  • 072af79bb2705b27ac2e8d61a25af04b
  • 09b5f55ce2c73883c1f168ec34d70eb9
  • 153b035161c8f50e343f143d0f9d327f
  • 277487587ae9c11d7f4bd5336275a906
  • 2a3da83f4037ad82790b2a6f86e28aa2
  • 2df1fd8d73c39dbdbb0e0cdc6dbd70de
  • 34252b84bb92e533ab3be2a075ab69ac
  • 4c46abe77c752f21a59ee03da0ad5011
  • 4c86634100493f0200bbdaf75efa0ebe
  • 56dd30a460cdd3cf0c5356558550e160
  • 5cc39185b302cc446c503d34ce85bab7
  • 5ee64f9e44cddaa7ed11d752a149484d
  • 5ee81c755aa668fc12a9cbcbab51912f
  • 5ff0cb0184c2bcfbda32354f68ca043c
  • 62af361228a14b310042e69d6bab512c
  • 649691e1d367721f0ff899fd31133915
  • 6af82418fa391ea1c5b9a568cb6486b1
  • 6cb633b371700d1bd6fde49ab38ca471
  • 703c9218e52275ad36147f45258d540d
  • 727ef86947f5e109435298e077296a42
  • 745355bbb33c63ebc87d0c021eebbf67
  • 777aab06646701c2c454db5c06982646
  • 7fd4dcc3ae97a5cd2d229b63f1daa4b6
  • 82b1712156c5af50e634914501c24fb1
  • 89495d7f2f79848693f593ea8385c5cd
  • 8aebcd65ac4a8c10f0f676a62241ca70
  • 8c7cf7baaf20fe9bec63eb8928afdb41
  • 8c8d6518910bc100e159b587a7eb7f8d
  • 98f58f61f4510be9c531feb5f000172f
  • a8d6302b5711699a3229811bdad204ca
  • aa0126970bab1fa5ef150ca9ef9d9e2e
  • abe4a942cb26cd87a35480751c0e50ae
  • b391d47b37841741a1817221b946854a
  • b68a16cef982e6451ddf26568c60833d
  • b9c47a5ccd90fda2f935fc844d73c086
  • be58180f4f7ee6a643ab1469a40ffbca
  • c2c1bc15e7d172f9cd386548da917bed
  • c50116a3360eec4721fec95fe01cf30e
  • c718d03d7e48a588e54cc0942854cb9e
  • d03d53f3b555fe1345df9da63aca0aaf
  • da9f870ef404c0f6d3b7069f51a3de70
  • e0abc2e1297b60d2ef92c8c3a0e66f14
  • e4d8bb0b93f5da317d150f039964d734
  • e75527a20bb75aa9d12a4d1df19b91fa
  • e8c26a8de33465b184d9a214b32c0af8
  • ecc1167a5f45d72c899303f9bbe44bbc
  • feec98688fe3f575e9ee2bd64c33d646
  • 14e79a4db9666e0070fe745551a2a73e
  • 2fc6827c453a95f64862638782ffeb9d
  • 4f2cc578e92cdf21f776cbc3466bad10
  • b2c51b84a0ebb5b8fc13e9ff23175596
  • cc92b45a6568845de77426382edf7eb0
  • 05f854faef3a47b0b3d220adee5ccb45
  • db8e651a2842c9d40bd98b18ea9c4836
  • 15302b87fe0e4471a7694b3bc4ec9192
  • 9ee87ad0842acf7fc0413f2889c1703e
  • 836ea5f415678a07fd6770966c208120
  • ea12d6f883db4415d6430504b1876dc6
  • 88e869f7b628670e16ce2d313aa24d64

Command-and-control servers:

  • g20news.ns01[.]us
  • news.studenttrail[.]com
  • skyline.ns1[.]name
  • www.trap.dsmtp[.]com
  • ftp.backofficepower[.]com
  • news.freewww[.]info
  • blackberry.dsmtp[.]com
  • adele.zyns[.]com
  • windowsupdate.serveuser[.]com
  • officescan.securitynh[.]com
  • cascais.epac[.]to
  • www.errorreporting.sendsmtp[.]com
  • www.sumba.freetcp[.]com
  • google.winfy[.]info
  • cname.yahoo.sendsmtp[.]com
  • mail.yahoo.sendsmtp[.]com
  • update.msntoole[.]com
  • expo2010.zyns[.]com
  • win7.sixth[.]biz
  • ensun.dyndns[.]org
  • www.spaces.ddns[.]us
  • blog.strancorproduct[.]info
  • belgiquede[.]com
  • brazil.queretara[.]net
  • facebook.proxydns[.]com
  • windows.serveusers[.]com