In an attempt to make money on the back of a subject that made headlines in recent days, crooks launched a spear phishing campaign by luring targets with the false promise of a Mandiant report.
The fake e-mails appear to target some Japanese organizations and certain Chinese journalists, and they carry as an attachment a bogus copy of the Mandiant report on the Chinese spy unit that was released this week.
Security firm Seculert reported in a blog post that it identified two campaigns whose phishing e-mails carry two different attachments, named Mandiant.pdf and Mandiant_APT2_Report.pdf, that appear to have different attackers behind them. It seems these separate attacks were launched on the same day by coincidence.
“When opening the ‘Mandiant.pdf’ attachment (directed at Japanese targets), only the first page of the report is displayed, and in the background the attachment is exploiting a vulnerability in Adobe Reader (CVE-2013-0641) to automatically install malware, which downloads additional malicious components,” reads the Seculert blog post.
The installed malware immediately contacts a C2 server hosted in Korea and also communicates with some legitimate Japanese websites, probably to make security services believe the software is legitimate.
“When opening the ‘Mandiant_APT2_Report.pdf’ attachment (directed at Chinese journalists), Adobe Reader will ask for a password, while in the background the malware will exploit an older Adobe Reader vulnerability (CVE-2011-2462).”
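Both attachments described above work the same way from the victim's side: a PDF that looks like a document (a first page, or a password prompt) while the file's active content does the work. A common first triage step on such an attachment is to look for the PDF features that make that possible (auto-run actions, embedded JavaScript, launch actions, embedded files), including inside compressed streams where they are often hidden. The following is an added example written for this page, not code from Seculert or from the campaign it describes; the two sample PDFs are constructed inline and are not the real attachments, and the keyword list is a heuristic, not a verdict.

```python
import re
import zlib

# PDF dictionary keys that give a document active behaviour. Their presence is
# not proof of malice (forms use /AA and /JS legitimately), but a "report" that
# only needs to be read has no reason to carry any of them.
SUSPICIOUS_KEYS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                   b"/Launch", b"/EmbeddedFile", b"/RichMedia"]


def _inflate_streams(data: bytes) -> bytes:
    """Decompress every FlateDecode stream body so keywords hidden inside
    compressed objects become visible to the keyword scan."""
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        d = zlib.decompressobj()  # tolerates the trailing newline before 'endstream'
        try:
            out.append(d.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (or corrupt); the raw scan still covers it
    return b"".join(out)


def pdf_indicators(data: bytes) -> dict:
    """Count each suspicious key in the raw file plus its inflated streams.
    The lookahead stops '/JS' from matching a longer name such as '/JSfoo'."""
    text = data + _inflate_streams(data)
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", text))
            for k in SUSPICIOUS_KEYS}


def triage(data: bytes) -> dict:
    """Heuristic verdict for an attachment: which indicators fired, if any."""
    reasons = [k for k, v in pdf_indicators(data).items() if v]
    if not data.startswith(b"%PDF"):
        # Readers tolerate junk before the header; scanners sometimes do not.
        reasons.append("missing %PDF header")
    return {"suspicious": bool(reasons), "indicators": reasons}


def build_sample(with_js: bool) -> bytes:
    """Constructed sample PDF (hypothetical, not a real attachment). With
    with_js=True the catalog gets an /OpenAction pointing at a JavaScript
    action stored in a Flate-compressed stream, mimicking the 'looks like a
    document, runs code on open' pattern."""
    body = b"1 0 obj << /Type /Catalog /Pages 2 0 R"
    if with_js:
        body += b" /OpenAction 4 0 R"
    body += (b" >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
             b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n")
    if with_js:
        payload = zlib.compress(b"<< /S /JavaScript /JS (app.alert('hi')) >>")
        body += (b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(payload)
                 + payload + b"\nendstream\nendobj\n")
    return b"%PDF-1.4\n" + body + b"trailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for label, sample in (("benign", build_sample(False)), ("active", build_sample(True))):
        print(label, triage(sample))
```

Run against a real attachment, `triage(open(path, "rb").read())` gives a quick reason to route a file to a sandbox rather than to a user; it deliberately does not try to parse object streams, multiple filters or encrypted documents (the password-prompting second attachment would need the password before its streams could be inflated), so a clean result is not a clean bill of health.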
The malware installed in this case communicates with a C2 server that uses the same dynamic DNS domain seen in an attack against Dalai Lama activists in December 2012, an attack to which both Windows and OS X users were vulnerable.