Phishing emails use fake Mandiant China spy report bait to target victims


Security researchers are warning users to be on the lookout for spear phishing emails that include a PDF attachment claiming to lead to a widely read report released this week by forensic firm Mandiant that chronicled the inner workings of a Chinese military cyber espionage unit.

Israel-based Seculert, which provides advanced threat detection technology, said in a blog post on Thursday that it is tracking two versions of the threat: one which is targeting Japanese organizations and the other directed, ironically, toward Chinese journalists.

The one going after Japanese firms (using the fake file name Mandiant.pdf) leverages a just-patched vulnerability in Adobe Reader to install malware that communicates with a few Japanese websites, as well as a command-and-control server in Korea. The other threat (dubbed Mandiant_APT2_Report.pdf) communicates with the same malicious domain name that was used in December in a "watering hole" campaign targeting Mac OS X users, specifically Tibetan activists, who visited a website affiliated with the Dalai Lama.
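The two lure filenames and the PDF-exploit delivery vector described above lend themselves to a straightforward mail-gateway or analyst triage check. The script below is an added example, not code from the article, Seculert or Symantec: it constructs a sample message carrying a harmless stand-in "PDF" attachment (a few bytes of PDF syntax, not a real document), then extracts every attachment, hashes it, compares its name against the lure filenames the article reports, and flags PDF structures such as /JavaScript, /OpenAction and /Launch that commonly host the active content reader exploits rely on. The sender and recipient addresses, the sample payload and the marker list are assumptions.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Lure filenames reported in the article; lower-cased for comparison.
# Assumption: a defender would extend this list from their own telemetry.
LURE_FILENAMES = {"mandiant.pdf", "mandiant_apt2_report.pdf"}

# PDF dictionary keys that introduce active content or auto-execution.
# Their presence is not proof of malice, but it is what an analyst opens first.
RISKY_PDF_MARKERS = [
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile",
]


def build_sample_eml() -> bytes:
    """Construct a sample phishing-style message for offline testing.

    The attachment is a constructed stand-in containing only PDF syntax,
    not a working document and not an exploit.
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"        # constructed address
    msg["To"] = "analyst@example.invalid"         # constructed address
    msg["Subject"] = "Mandiant APT1 report"
    msg.set_content("Please see the attached report.")
    fake_pdf = (
        b"%PDF-1.4\n"
        b"1 0 obj << /OpenAction 2 0 R /JavaScript 3 0 R >> endobj\n"
        b"%%EOF\n"
    )
    msg.add_attachment(
        fake_pdf, maintype="application", subtype="pdf", filename="Mandiant.pdf"
    )
    return msg.as_bytes()


def triage_message(raw: bytes) -> list:
    """Return one finding per attachment: name, hash, PDF check, lure match, markers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""   # undo base64 transfer encoding
        markers = [m.decode() for m in RISKY_PDF_MARKERS if m in payload]
        findings.append({
            "filename": name,
            "sha256": hashlib.sha256(payload).hexdigest(),
            "is_pdf": payload.startswith(b"%PDF"),
            "lure_name_match": name.lower() in LURE_FILENAMES,
            "risky_markers": markers,
        })
    return findings


def is_suspicious(finding: dict) -> bool:
    """Flag an attachment that matches a known lure name or carries active PDF content."""
    return finding["lure_name_match"] or bool(finding["risky_markers"])


if __name__ == "__main__":
    for f in triage_message(build_sample_eml()):
        verdict = "SUSPICIOUS" if is_suspicious(f) else "clean"
        print(f"{verdict}: {f['filename']} sha256={f['sha256']} markers={f['risky_markers']}")
```

In practice the SHA-256 from each finding is what you pivot on: compare it against vendor indicators for the campaign and against hashes already seen in your own mail logs, and treat a lure-name match with no risky markers (as Symantec's non-dropping sample above suggests can happen) as still worth quarantining, since a later variant may carry the working payload.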

Alexandria, Va.-based incident response and forensic firm Mandiant on Monday night released the 60-page report, which offers a fascinating close-up of the nuts and bolts of secret Chinese military unit 61398, believed to be behind the theft of hundreds of terabytes of information from 141 organizations primarily in the United States.

Mandiant named the group it studied APT1 – it also has been dubbed the Comment Crew – because it is only one of dozens of advanced persistent threat (APT) groups with China-based operations that the firm tracks. According to the report, Mandiant tracked IP addresses, network communication and attack characteristics to trace the unit's central hub to a 12-story facility in Shanghai. The firm also discovered that the majority of the 709 unique IP addresses hosting APT1 command-and-control servers were registered in China.

Symantec, which also studied the phishing emails now making the rounds, said the example it looked at initiates the trojan Pidief, but doesn't actually install any malware on the victim computer.

"It is worth noting that there may potentially be other variants that are successful in dropping malware," researcher Joji Hamada wrote in a blog post. "Could the Comment Crew be playing a prank in response to the publication [of the Mandiant report], or did someone just make another careless mistake in performing the attack, as is the case for so many of these targeted attacks? The truth is we don't know."

It's not very often that an information security lure is used in targeted emails, but that speaks to how widely talked-about the Mandiant report has been this week.
