Fake Mandiant Report on Chinese Spy Unit Used in Targeted Attack
In an attempt to cash in on a subject that has made headlines in recent days, crooks launched a spear-phishing campaign that lures targets with the false promise of a copy of the Mandiant report.
The fake e-mails appear to target some Japanese organizations and certain Chinese journalists, carrying as an attachment a bogus copy of the Mandiant report on the Chinese spy unit that was published this week.
Security firm Seculert reported in a blog post that it identified two campaigns in which the phishing e-mails carry one of two attachments – named Mandiant.pdf and Mandiant_APT2_Report.pdf – that appear to come from different attackers. It seems these separate attacks were launched on the same day by coincidence.
“When opening the ‘Mandiant.pdf’ attachment (directed at Japanese targets), only the first page of the report is displayed, and in the background the attachment is exploiting a vulnerability in Adobe Reader (CVE-2013-0641) to automatically install malware, which downloads additional malicious components,” reads the Seculert blog post.
The installed malware immediately contacts a C2 server hosted in Korea and also communicates with some legitimate Japanese websites, probably to make security products believe the software is legitimate.
“When opening the ‘Mandiant_APT2_Report.pdf’ attachment (directed at Chinese journalists), Adobe Reader will ask for a password, while in the background the malware will exploit an older Adobe Reader vulnerability (CVE-2011-2462).”
The malware installed in this case communicates with a C2 server that uses the same dynamic DNS domain seen in an attack against Dalai Lama activists in December 2012; both Windows and OS X users are vulnerable to this attack.