The BISKVIT malware found targeting the Russian army exhibition

• The Russian exhibition called Army 2018 International Military and Technical Forum is being targeted by cybercriminals.
• BISKVIT is a module and multi-component malware that can update and delete itself.

An annual Russian military exhibition called the Army 2018 International Military and Technical Forum is being targeted by cybercriminals. The exhibition is one of the largest expo of its kind and will be featuring military weapons and equipment to the international community.

According to security experts at Fortinet, a campaign exploiting a Microsoft remote code execution flaw has been observed targeting the exhibition, which is slated to take place between August 21-26, 2018.

Why target a Russian military expo?

According to experts, the Army 2018 International Military and Technical Forum is open to the public. However, the organizers of the event have set up special “demonstrations behind closed doors”, which is meant for selected guests. These special demonstrations involve classified equipment, such as aerial missiles and vehicles, being displayed.

“We believe that this malicious document is being targeted to those selected guests who want to be, or are already included in these closed door invitations. This year’s event has already 66 official foreign delegations confirming their participation,” Fortinet security experts wrote in a blog.

BISKVIT malware

The Microsoft bug used in this campaign has previously been used by other APT groups. Fortinet researchers said that the flaw has previously been used to target UN agencies, foreign ministries, as well as people and organizations who interact with international governments.

Apart from the Microsoft flaw, the cybercriminals targeting the expo are also using a never-before-seen malware called BISKVIT. This is a modular and a multi-component malware, written in C# and is capable of downloading files, updating and deleting itself.

“The use of current and upcoming events as bait to target high profile targets is becoming more and more popular among attackers.

“Based on our findings, we believe that this is a well-planned attack, especially considering the timely distribution of the malicious decoy file and the use of a never-before-seen malware. These two ingredients provide the best chance for comprising their targets,” Fortinet researchers said.