Prior to the G20 summit held on Sept. 5 to 6 in Saint Petersburg, Russia, security firm Symantec discovered that attackers leveraged the meeting’s visibility as bait in targeted attacks.
One particular campaign Symantec identified used malware that targeted multiple groups, including financial institutions, financial services companies, government organizations, and organizations involved in economic development.
The e-mail purported to be sent on behalf of a G20 representative. Attached to the email is a RAR archive file, and the victim is shown a non-malicious decoy document.
“What is interesting about these documents is that each of them has track changes enabled and contains the reported comments from the UK called out in the original e-mail,” Symantec noted.
The malicious executable that ran in the background is known as Poison Ivy. Symantec detects this executable as Backdoor.Darkmoon.
Backdoor.Darkmoon is a well-known remote access Trojan (RAT) that has been used in various targeted attack campaigns over the years, including The Nitro Attacks, which Symantec reported on in 2011.
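As an added, defender-side example that is not part of Symantec's report, the following mail-gateway triage heuristic targets the attachment pattern described above: given an archive's member-name list (as returned by, for example, `rarfile.RarFile.namelist()` or `zipfile.ZipFile.namelist()`), it flags a decoy document bundled with an executable and, going slightly beyond the article, a document-looking name that hides an executable extension. The member names below are constructed, not taken from the campaign.

```python
"""Heuristic triage of an e-mail archive attachment's member list.

Flags archives that pair a decoy document with an executable, the lure
pattern used in the G20-themed campaign, plus double-extension names.
"""
import posixpath

DOC_EXT = {".doc", ".docx", ".pdf", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
EXE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll", ".lnk"}


def _ext(name):
    """Lower-cased final extension of an archive member name."""
    return posixpath.splitext(name.lower())[1]


def triage_archive_members(members):
    """Return a list of human-readable reasons the archive looks like a lure.

    `members` is the archive's member name list (rarfile/zipfile namelist()).
    An empty list means no heuristic fired.
    """
    reasons = []
    docs = [m for m in members if _ext(m) in DOC_EXT]
    exes = [m for m in members if _ext(m) in EXE_EXT]

    # Decoy document shipped alongside an executable in the same archive.
    if docs and exes:
        reasons.append(f"decoy document(s) {docs} bundled with executable(s) {exes}")

    # Executable whose name ends in a document extension before the real one,
    # e.g. "comments.doc.exe" (shown as "comments.doc" when extensions are hidden).
    for m in exes:
        stem = posixpath.splitext(m.lower())[0]
        if posixpath.splitext(stem)[1] in DOC_EXT:
            reasons.append(f"double extension hides executable: {m}")
    return reasons


# Constructed listings modelled on the lure pattern; not the real attachment.
SAMPLE_LURE = ["UK_comments_G20.doc", "update.exe"]
SAMPLE_CLEAN = ["agenda.pdf", "notes.txt"]

if __name__ == "__main__":
    for name, members in (("lure", SAMPLE_LURE), ("clean", SAMPLE_CLEAN)):
        print(name, triage_archive_members(members))
```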