G20 Summit Used as Bait to Deliver Backdoor.Darkmoon says Symantec!
Ahead of this week's G20 summit in Saint Petersburg, Russia, Symantec has just discovered that attackers are leveraging the meeting's visibility as a bait in targeted attacks. One particular campaign that Symantec has identified is targeting multiple groups. They include financial institutions, financial services companies, government organizations, and organizations involved in economic development.
The email (see image above) purports to be sent on behalf of a G20 representative. Attached to the email is a RAR archive file. The victim will be shown a non-malicious document. What is interesting about these documents is that each of them has track changes enabled and contains the reported comments from the UK called out in the original e-mail.
The malicious executable that runs in the background is known as Poison Ivy. Symantec detects this executable as Backdoor.Darkmoon. Backdoor.Darkmoon is a well-known remote access Trojan (RAT) that has been used in various targeted attack campaigns over the years, including The Nitro Attacks which Symantec reported on in 2011.
More information is available in this Symantec Security Response blog.
No comments: