Security researchers are warning users to be on the lookout for spear phishing emails that include a PDF attachment claiming to lead to a widely read report released this week by forensic firm Mandiant that chronicled the inner workings of a Chinese military cyber espionage unit.
Israel-based Seculert, which provides advanced threat detection technology, said in a blog post on Thursday that it is tracking two versions of the threat: one which is targeting Japanese organizations and the other directed, ironically, toward Chinese journalists.
The one going after Japanese firms (using the fake file name Mandiant.pdf) leverages a just-patched vulnerability in Adobe Reader to install malware that communicates with a few Japanese websites, as well as a command-and-control server in Korea. The other threat (dubbed Mandiant_APT2_Report.pdf) communicates with the same malicious domain name that was used in December in a “watering hole” campaign targeting Mac OS X users, specifically Tibetan activists, who visited a website affiliated with the Dalai Lama.
Alexandria, Va.-based incident response and forensic firm Mandiant on Monday night released the 60-page report, which offers a fascinating close-up of the nuts and bolts of secret Chinese military unit 61398, believed to be behind the theft of hundreds of terabytes of information from 141 organizations primarily in the United States.
Mandiant named the group it studied APT1 – it also has been dubbed the Comment Crew – because it is only one of dozens of advanced persistent threat (APT) groups with China-based operations that the firm tracks. According to the report, Mandiant tracked IP addresses, network communication and attack characteristics to trace the unit’s central hub to a 12-story facility in Shanghai. The firm also discovered that the majority of the 709 unique IP addresses hosting APT1 command-and-control servers were registered in China.
Symantec, which also studied the phishing emails now making the rounds, said the example it looked at initiates the trojan Pidief, but doesn’t actually install any malware on the victim computer.
“It is worth noting that there may potentially be other variants that are successful in dropping malware,” researcher Joji Hamada wrote in a blog post. “Could the Comment Crew be playing a prank in response to the publication [of the Mandiant report], or did someone just make another careless mistake in performing the attack, as is the case for so many of these targeted attacks? The truth is we don’t know.”
It’s not very often that an information security lure is used in targeted emails, but that speaks to how widely talked-about the Mandiant report has been this week.