Rapid7 researchers have analyzed three different attacks

Aug 27, 2013 13:55 GMT

A few days ago we learned that the Chinese hacker group that attacked The New York Times and several other high-profile organizations was back in action, working on improving the pieces of malware they utilize in their operations.

Now, researchers from Rapid7 claim to have identified some of the recent attacks launched by the cybercriminal collective known as the Calc Team or APT-12.

Experts have analyzed three attack scenarios. In each of the cases, the malware was delivered within a zip archive attached to an email apparently related to the upcoming G-20 Summit.

In addition, all the pieces of malware belong to the same family and behave the same way, and they all contact domains pointing to the same host.

The malicious files are named something like “G20 Discussion Paper.exe,” “GPFI Work Plan 2013.exe,” “G20 Summit Improving global confidence and support the globa.EXE” and “The list of NGOs representatives accredited at the Press Center of The G20 Leaders' Summit 2013.pdf.exe.”

They’re made to look like they’re harmless documents. In fact, when they’re launched, a decoy document is opened to avoid raising any suspicion.

However, in reality, the executable files unleash a piece of malware that can log keystrokes and download and execute additional malicious elements.
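The lures described above rely on two tricks that are easy to check for at the mail gateway: an executable extension hidden behind a document-looking one (".pdf.exe"), and a file name long enough that the real extension scrolls out of view in a mail client or Explorer. The following script is an added example, not Rapid7's or Softpedia's code; it builds a zip archive in memory from the attachment names quoted in the article (the byte contents, the benign "agenda.pdf", the "readme.txt" that is really a PE file, and the 60-character length threshold are all constructed for illustration) and flags each entry that looks like a disguised executable, also checking the "MZ" header so that a renamed executable is caught regardless of its extension.

```python
"""Flag zip attachments that carry executables disguised as documents.

Added example, not code from Rapid7 or the article. The lure file names are
the ones quoted in the article; the archive bytes, the benign and renamed
sample files, and the length threshold are constructed here so the script
runs offline.
"""
import io
import zipfile

# Extensions Windows will run on double-click (non-exhaustive, assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document-looking extensions often used as the inner half of a double extension.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".txt"}
# Assumed cut-off beyond which mail clients typically truncate the visible name.
LONG_NAME_THRESHOLD = 60


def classify_name(name: str) -> list[str]:
    """Return the reasons a file name looks like an executable posing as a document."""
    reasons = []
    basename = name.rsplit("/", 1)[-1]
    parts = basename.lower().split(".")
    if len(parts) < 2:
        return reasons
    last = "." + parts[-1]
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {last}")
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
            reasons.append(f"double extension .{parts[-2]}{last}")
        if len(basename) > LONG_NAME_THRESHOLD:
            reasons.append("long name pushes real extension out of view")
    return reasons


def is_pe(head: bytes) -> bool:
    """True if the first bytes carry the DOS/PE 'MZ' signature."""
    return head[:2] == b"MZ"


def scan_zip(blob: bytes) -> dict[str, list[str]]:
    """Map each suspicious archive member to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            with zf.open(info) as fh:
                head = fh.read(2)
            if is_pe(head):
                # Content check catches an executable renamed to .txt/.pdf.
                reasons.append("PE header (MZ) regardless of extension")
            if reasons:
                findings[info.filename] = reasons
    return findings


# Constructed sample archive: the four lure names from the article, a benign
# PDF, and a renamed executable. Payload bytes are placeholders, not malware.
LURE_NAMES = [
    "G20 Discussion Paper.exe",
    "GPFI Work Plan 2013.exe",
    "G20 Summit Improving global confidence and support the globa.EXE",
    "The list of NGOs representatives accredited at the Press Center of "
    "The G20 Leaders' Summit 2013.pdf.exe",
]


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in LURE_NAMES:
            zf.writestr(name, b"MZ" + b"\x00" * 62)       # fake PE stub
        zf.writestr("agenda.pdf", b"%PDF-1.4\n%constructed")  # benign control
        zf.writestr("readme.txt", b"MZ" + b"\x00" * 62)       # PE hiding behind .txt
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(f"{member!r}: {'; '.join(why)}")
```

Running it lists the four lures and "readme.txt" with their reasons and leaves "agenda.pdf" alone; in a gateway the same `scan_zip` call would run over each zip attachment before delivery, and a hit on any of these reasons is a reasonable quarantine trigger given how common this lure pattern is.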

The executable files analyzed by Rapid7 were uploaded to VirusTotal earlier this year by users in Canada, France, and Hungary.

“Assuming that the chain of attribution to Calc is correct, it's interesting to observe that despite major international exposure after the New York Times incident, the intrusion group/s behind these attacks is still operational and doesn't seem to have been affected by the sudden attention received by newspapers and researchers,” Rapid7’s Claudio Guarnieri noted.

“Unfortunately we have no visibility into the result of the attacks and whether the operators managed to be successful, but it's remarkable that despite the high profile of the average target of these espionage operations, the tactics and tools adopted are not as sophisticated as one would expect.”