People looking to download and read the Mandiant report on Chinese government attacks on U.S. organizations should look carefully at the name of the file before opening it. Researchers say at least two separate spear-phishing campaigns are currently circulating rigged copies of the APT1 report as lures.
The first campaign uses a file named “Mandiant_APT2_Report.pdf”, a slight variation of the real report name, which uses the APT1 moniker that the computer security firm applies to the specific crew of Chinese attackers discussed in the document. Once opened on a victim machine, the document attempts to exploit an older Adobe Reader vulnerability. The payload it drops is one that security researchers have seen in earlier attacks.
“Once executed on the system, a new process under the name ‘AdobeArm.tmp’ was identified running and the original Mandiant APT1 report is shown. This payload was collected back on November 6th, 2012 and was completely unchanged, showing a reuse in payloads even after several months,” researcher Brandon Dixon said in an analysis of the malware’s behavior.
“The newly spawned process waited several minutes before contacting itsec[.]eicp[.]net:443, a domain that was used in many previous attacks against human rights activists. It should also be noted that this domain showed up with malware on both Windows and Mac OS X systems. At the time of running, the command and control was resolving to 114[.]248[.]101[.]105.”
The malware used in this attack communicates with a command-and-control server hosted under a dynamic DNS domain, a favorite trick of attackers because the hostname can be re-pointed to a new IP address at will.
“The malware communicates with a C2 server which is using the dynamic DNS domain itsec.eicp.net. This same domain name was used by a watering hole attack targeting Dalai Lama activists back in December 2012. Back then there were two different malware variants communicating with the same C2 server. One variant was created for users of the Windows operating system, while the other variant was created specifically for OSX victims,” security firm Seculert said in an analysis.
The second campaign uses a document named “Mandiant.pdf” as its bait; its malware calls back to a C&C server hosted in Korea, again under a dynamic DNS domain. This one, however, exploits a fresh Reader vulnerability, CVE-2013-0641, which Adobe patched this week.
“When opening the attachment, only the first page of the report is displayed, and in the background the attachment is exploiting a vulnerability in Adobe Reader (CVE-2013-0641) to automatically install malware, which downloads additional malicious components. This Adobe Reader vulnerability was patched by Adobe just yesterday,” Seculert said.
“Seculert’s research lab has analyzed the malware and identified that it communicates with a C2 server which is using the dynamic DNS domain name expires.ddn.dynssl.com. The C2 server itself is hosted in Korea. The malware is also communicating with several legitimate Japanese websites, probably in order to divert security products into thinking that this is legitimate software.”
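For defenders, the practical takeaway from both analyses is a short list of indicators: the two lure filenames, the C2 hostnames itsec.eicp.net and expires.ddn.dynssl.com, the IP 114.248.101.105 the first C2 resolved to, and the dropped process name AdobeArm.tmp. The script below is an added example, not code from the article, from Brandon Dixon or from Seculert: it sweeps DNS resolver log lines against those indicators and also flags any other lookup under the same parent zones, on the assumption (drawn from the article, not from a vetted provider list) that eicp.net and dynssl.com are the dynamic DNS zones the attackers used. The log format and the log lines are constructed for the example.

```python
"""Added example: match DNS log lines against the APT1-lure indicators named
in the article. Not the article's, Seculert's or Brandon Dixon's code."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Indicators taken from the article's text.
C2_HOSTS = {"itsec.eicp.net", "expires.ddn.dynssl.com"}
C2_IPS = {"114.248.101.105"}
LURE_FILENAMES = {"mandiant_apt2_report.pdf", "mandiant.pdf"}
DROPPED_PROCESS = "adobearm.tmp"

# Parent zones of the two C2 hostnames. Treating them as dynamic DNS zones
# worth auditing is an assumption drawn from the article, not a vetted list.
DYNDNS_ZONES = {"eicp.net", "dynssl.com"}

# Constructed sample log (not a real capture): "<timestamp> <client> <qname> <answer>"
SAMPLE_DNS_LOG = """\
2013-02-21T10:01:02Z 10.1.2.3 www.example.com 93.184.216.34
2013-02-21T10:07:45Z 10.1.2.3 itsec.eicp.net 114.248.101.105
2013-02-21T10:09:10Z 10.1.2.9 other-host.eicp.net 203.0.113.7
2013-02-21T10:11:00Z 10.1.2.4 expires.ddn.dynssl.com 198.51.100.20
2013-02-21T10:12:00Z 10.1.2.5 mail.example.org 192.0.2.25
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass
class Hit:
    line_no: int
    reason: str
    client: str
    qname: str


def refang(indicator: str) -> str:
    """Turn a defanged name such as 'itsec[.]eicp[.]net' into a comparable hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


def parent_zones(hostname: str) -> Iterator[str]:
    """Yield every parent zone of a hostname: a.b.c -> b.c, c."""
    labels = hostname.split(".")
    for i in range(1, len(labels)):
        yield ".".join(labels[i:])


def classify_query(qname: str, answer: str) -> Optional[str]:
    """Return why a DNS query is suspicious, or None if it matches nothing."""
    host = refang(qname)
    if host in C2_HOSTS:
        return "known C2 hostname"
    if answer in C2_IPS:
        return "resolves to known C2 IP"
    if any(zone in DYNDNS_ZONES for zone in parent_zones(host)):
        return "lookup under dynamic DNS zone used by this campaign"
    return None


def scan_dns_log(text: str) -> List[Hit]:
    """Run classify_query over each well-formed log line; skip lines that do not parse."""
    hits: List[Hit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = LOG_RE.match(line.strip())
        if not match:
            continue
        _ts, client, qname, answer = match.groups()
        reason = classify_query(qname, answer)
        if reason:
            hits.append(Hit(line_no, reason, client, refang(qname)))
    return hits


def is_suspicious_attachment(filename: str) -> bool:
    """Case-insensitive match against the two lure filenames from the article."""
    return filename.strip().lower() in LURE_FILENAMES


def is_dropped_process(image_name: str) -> bool:
    """Match the process name Dixon reported after the first lure executes."""
    return image_name.strip().lower() == DROPPED_PROCESS


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"line {hit.line_no}: {hit.client} -> {hit.qname}: {hit.reason}")
```

The zone check is deliberately broader than the two exact hostnames, because a dynamic DNS hostname is cheap for the attacker to change while the provider zone tends to stay the same; expect it to surface benign lookups too, so treat those hits as leads to review rather than alerts to act on.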