Phishing emails use fake Mandiant China spy report bait to target victims


Security researchers are warning users to be on the lookout for spear phishing emails that include a PDF attachment claiming to lead to a widely read report released this week by forensic firm Mandiant that chronicled the inner workings of a Chinese military cyber espionage unit.

Israel-based Seculert, which provides advanced threat detection technology, said in a blog post on Thursday that it is tracking two versions of the threat: one which is targeting Japanese organizations and the other directed, ironically, toward Chinese journalists.

The one going after Japanese firms (using the fake file name Mandiant.pdf) leverages a just-patched vulnerability in Adobe Reader to install malware that communicates with a few Japanese websites, as well as a command-and-control server in Korea. The other threat (dubbed Mandiant_APT2_Report.pdf) communicates with the same malicious domain name that was used in December in a "watering hole" campaign targeting Mac OS X users, specifically Tibetan activists, who visited a website affiliated with the Dalai Lama.
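As an added illustration of how a mail gateway or analyst could triage attachments for the campaign described above (this is editorial example code, not from Seculert, Symantec or Mandiant), the script below parses a constructed .eml message, flags PDF attachments whose names match the two reported lure file names, and reports PDF structures (`/OpenAction`, `/JavaScript`, `/JS`, `/Launch`) that commonly carry reader exploits. The sample message and its tiny PDF body are constructed here and are not artefacts of the real campaign.

```python
import email
from email.message import EmailMessage

# Lure file names reported by Seculert for the two variants.
LURE_NAMES = {"mandiant.pdf", "mandiant_apt2_report.pdf"}
# PDF objects that frequently host exploit triggers. Their presence is a
# triage signal that justifies sandboxing, not proof of malice on its own.
SUSPICIOUS_PDF_TOKENS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch")


def triage_message(raw: bytes) -> list[dict]:
    """Return one finding per PDF attachment with the reasons to quarantine it."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name or not name.lower().endswith(".pdf"):
            continue
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if name.lower() in LURE_NAMES:
            reasons.append("filename matches reported lure")
        if not payload.startswith(b"%PDF-"):
            reasons.append("no PDF header")  # disguised non-PDF content
        for tok in SUSPICIOUS_PDF_TOKENS:
            if tok in payload:
                reasons.append(f"contains {tok.decode()}")
        findings.append({"filename": name, "size": len(payload), "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed sample message (hypothetical addresses, harmless PDF body)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "analyst@example.invalid"
    msg["Subject"] = "Mandiant APT1 report"
    msg.set_content("Please see the attached report.")
    # A minimal PDF skeleton that opens with an embedded script; app.alert is benign.
    fake_pdf = (b"%PDF-1.6\n1 0 obj << /OpenAction 2 0 R >> endobj\n"
                b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF")
    msg.add_attachment(fake_pdf, maintype="application", subtype="pdf",
                       filename="Mandiant.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        print(finding)
```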

Alexandria, Va.-based incident response and forensic firm Mandiant on Monday night released the 60-page report, which offers a fascinating close-up of the nuts and bolts of secret Chinese military unit 61398, believed to be behind the theft of hundreds of terabytes of information from 141 organizations primarily in the United States.

Mandiant named the group it studied APT1 – it also has been dubbed the Comment Crew – because it is only one of dozens of advanced persistent threat (APT) groups with China-based operations that the firm tracks. According to the report, Mandiant tracked IP addresses, network communication and attack characteristics to trace the unit's central hub to a 12-story facility in Shanghai. The firm also discovered that the majority of the 709 unique IP addresses hosting APT1 command-and-control servers were registered in China.

Symantec, which also studied the phishing emails now making the rounds, said the example it looked at initiates the trojan Pidief, but doesn't actually install any malware on the victim computer.

"It is worth noting that there may potentially be other variants that are successful in dropping malware," researcher Joji Hamada wrote in a blog post. "Could the Comment Crew be playing a prank in response to the publication [of the Mandiant report], or did someone just make another careless mistake in performing the attack, as is the case for so many of these targeted attacks? The truth is we don't know."

It's not very often that an information security lure is used in targeted emails, but that speaks to how widely talked-about the Mandiant report has been this week.
