APT Groups Using G20 Summit as Lure in Targeted Attacks

A spate of known cyberespionage groups have been using the G20 Summit as a lure for new waves of attacks, and security researchers say one of the groups is likely the same one that was responsible for the attack on the New York Times earlier this year.

As political and financial leaders from around the world gear up for the upcoming G20 Summit, attackers have been making their plans, as well. A spate of known cyberespionage groups have been using the summit as a lure for new waves of attacks, and security researchers say one of the groups is likely the same one that was responsible for the attack on the New York Times earlier this year.

The group behind that operation is known as Calc Team and it’s a team that security researchers have been watching for several years as it goes after various targets. Now, the team has turned its focus to the powerful bankers, politicians and world leaders who are heading to Russia for the G20 Summit or are following the event from afar. The attacks are using social engineering and spear-phishing attacks with documents–many of them copies of legitimate ones associated with the summit–that are loaded with embedded PDFs containing malware with keyloggers and other capabilities. These attacks by Calc Team have been going on since at least May, researchers from Rapid7 say.

“Generally, I believe the majority of the targets all are somewhat involved in financial policy making/banking and so on,” Claudio Guarnieri, a security researcher at Rapid7 who did the research into Calc Team, said by email.

The attackers are using several different documents in the campaigns, but all of the malware is from the same family and all of the samples call out to the same IP address for command and control purposes. Each of the malware samples includes a Windows executable with a PDF embedded inside. When the user runs the executable file, it will display a PDF as a distraction for the installation of the malware in the background. The displayed document is one of several G20-themed documents. One of the attacks is using a document that is a copy of a real paper that describes the Russian administration’s preparations for the summit in St. Petersburg, while another is related to the Global Partnership for Financial Inclusion.

“Both are clearly Windows executable files that try to disguise as PDF documents. As commonly happen, no exploit has been used here and the attacker uniquely relied on social engineering the targets to open and execute the files contained in the archive,” Guarnieri wrote in a detailed analysis of the attacks.

“Upon execution, both these files extract an actual embedded PDF to the %Temp% folder and display them to the victim, in order to not raise suspicion.”

Guarnieri said that the samples of the malware that have been uploaded to VirusTotal thus far have come from all over the map, including Canada, France and Hungary. While the documents used as bait in the attacks vary, the malware dropped on infected machines is similar and is used to download more malware and log users’ keystrokes.

“Clearly, these samples are just an initial stage of a larger suite of malware, possibly including Aumlib and Ixeshe, which it will try to download from a fixed list of URLs embedded in the binary,” Guarnieri said. “While this download procedure is running on a separate thread, the malware continues into its main procedure by initiating its keylogging functionality. In order to intercept keystrokes, the malware constantly loops through an embedded list of keys and checks the state for each key withGetKeyState Windows API.”

The IP address of the C&C server used in these attacks resolves to a machine at UbiquityServers, a hosting company in Chicago. The IP address is hosting a long list of domains and VirusTotal data on the address,, shows that there are a number of malicious files being downloaded from the address. Some of the files are detected by a handful of AV companies, while others are undetected at this point.

Guarnieri said that there are other groups using G20-themed attacks, as well, and he’s in the process of analyzing them. He added that it’s somewhat odd that the Calc Team hasn’t curtailed its operations after being exposed publicly following the New York times attack.

“Assuming that the chain of attribution to Calc is correct, it’s interesting to observe that despite major international exposure after the New York Times incident, the intrusion group/s behind these attacks is still operational and doesn’t seem to have been affected by the sudden attention received by newspapers and researchers,” he said.

“Unfortunately we have no visibility into the result of the attacks and whether the operators managed to be successful, but it’s remarkable that despite the high profile of the average target of these espionage operations, the tactics and tools adopted are not as sophisticated as one would expect.”

Image from Flickr photos of Arian Zwegers.

Suggested articles