
European governments were subject to malware-dropping spam as a group of Russian hackers sought to exploit interest in the G20 Summit, according to the security vendor Symantec.
The group, named Scarab by the company, aims to spread variants of the Scieron trojan by exploiting older flaws left unpatched on certain computers, with the eventual goal of installing a backdoor to carry out further malicious activity.
Though it had previously targeted academics, Scarab focused on specific targets from European governments and international economic groups during 2013, often with spam emails that ostensibly related to the summit, which was being held in St. Petersburg, Russia, that year.
Gavin O’Gorman, principal intelligence analyst at Symantec, wrote on the firm’s blog: "In each campaign, the attackers typically target a small amount of individuals – rather than enterprises or governments – using economic, military, topical, or generic lures."
"On average, less than ten unique computers are infected per month and there is no indication that the attackers are trying to spread through the victim’s local network, suggesting that Scarab’s campaigns are extremely targeted in nature."
He added that the command and control (C&C) servers that issue instructions to the malware make use of dynamic domain name system (DNS) services, which help hackers avoid detection by continuously changing the IP address that the server's domain name points to.
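Defenders can look for this pattern in their own resolver logs. The following is an added example, not code from Symantec or from the original article: it flags hostnames under dynamic DNS suffixes that resolve to several different IP addresses while being queried by only a few internal clients. The suffix list, the thresholds and the log records are constructed assumptions.

```python
from collections import defaultdict

# Assumption: dynamic DNS provider suffixes maintained by the analyst.
# These are reserved placeholder names, not real providers.
DYNDNS_SUFFIXES = (".ddns.example", ".dyn.example")

# Constructed resolver log: (day, internal client, queried name, answer IP).
SAMPLE_LOG = [
    (1, "10.0.0.5", "update.ddns.example", "192.0.2.10"),
    (2, "10.0.0.5", "update.ddns.example", "198.51.100.7"),
    (3, "10.0.0.5", "Update.DDNS.example.", "203.0.113.44"),
    (4, "10.0.0.9", "update.ddns.example", "192.0.2.91"),
    # Dynamic DNS name with a stable address: not flagged.
    (1, "10.0.0.7", "cam.dyn.example", "198.51.100.20"),
    (3, "10.0.0.7", "cam.dyn.example", "198.51.100.20"),
    # Ordinary name with rotating addresses (e.g. a CDN): out of scope.
    (1, "10.0.0.5", "www.corp.example", "192.0.2.80"),
    (2, "10.0.0.6", "www.corp.example", "192.0.2.81"),
    (3, "10.0.0.7", "www.corp.example", "192.0.2.82"),
]


def normalize(name):
    """Lower-case a queried name and drop the trailing root dot."""
    return name.lower().rstrip(".")


def is_dyndns(name, suffixes=DYNDNS_SUFFIXES):
    """True when the name sits under one of the listed suffixes."""
    return normalize(name).endswith(tuple(suffixes))


def find_churning_hosts(log, min_ips=3, max_clients=10):
    """Return dynamic DNS names seen with >= min_ips distinct answers
    and queried by <= max_clients internal hosts (low prevalence)."""
    ips, clients = defaultdict(set), defaultdict(set)
    for _day, client, qname, answer in log:
        if is_dyndns(qname):
            ips[normalize(qname)].add(answer)
            clients[normalize(qname)].add(client)
    return [
        {"name": n, "distinct_ips": len(ips[n]), "clients": sorted(clients[n])}
        for n in sorted(ips)
        if len(ips[n]) >= min_ips and len(clients[n]) <= max_clients
    ]


if __name__ == "__main__":
    for finding in find_churning_hosts(SAMPLE_LOG):
        print(finding)
```

The `max_clients` default of ten mirrors the low infection counts quoted in the article; tune both thresholds to the size of the network being monitored.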
Data collected by Symantec showed that the primary targets of Scarab were located in Russia, with a subsequent spam campaign in 2014 having spoofed news articles from the country to hide its true intentions.
"While the group uses older exploits, their campaigns seem to have had some success, judging on how they have continued to operate similar campaigns over the years," O’Gorman said.