A few days ago Mandiant released a report describing multi-year targeted attacks against entities from different countries around the world. They connected all the attacks to one group – APT1 – which, according to the report, originates from China and part of the Chinese PLA (People’s Liberation Army).
Today, two different spear-phishing attacks were reported using an email with an attachment claiming to be the same mandiant report.
The first attack, seems to be targeting Japanese entities. The attachment file name is “Mandiant.pdf”.
When opening the attachment, only the first page of the report is displayed (See Figure 1), and in the background the attachment is exploiting a vulnerability in Adobe Reader (CVE-2013-0641) to automatically install a malware, which downloads additional malicious components (See Figure 2). This Adobe Reader vulnerability was patched by Adobe just yesterday.
Seculert’s research lab has analyzed the malware and identified that it communicates with a C2 server which is using the dynamic DNS domain name expires.ddn.dynssl.com. The C2 server itself is hosted in Korea. The malware is also communicating with several legitimate Japanese websites, probably in order to divert security products into thinking that this is a legitimate software (See Figure 2).
When opening the attachment, Adobe Reader will ask for a password, while in the background the malware will exploit an older Adobe Reader vulnerability (CVE-2011-2462).
Our research lab also analyzed the malware in this attack. The malware communicates with a C2 server which is using the dynamic DNS domain itsec.eicp.net. This same domain name was used by a watering hole attack, targeting Dalai Lama activists back in December 2012. Back then there were two different malware variants communicating with the same C2 server. One variant was created for users using Windows operating system, while the other variant was created specifically for OSX victims.Further analysis can be found on Brandon Dixon blog post.
The two targeted attacks are most probably not originating from the same group, however, the timing of the attacks is very interesting, as both were delivered on the same day.