Fake Mandiant`s Report on Chinese Spy Unit Used in Targeted Attack

In an attempt to make money on the back of a subject that made the headlines in the past days, crooks launched a spear phishing campaign by luring targets with the false promise of a Mandiant report.

The fake e-mails appear to be targeting some Japanese organizations and certain Chinese journalists by flaunting as an attachment a bogus copy of the Mandiant report on the Chinese spy unit launched this week.

Security firms Seculert reported in a blog post that they identified two campaigns where phishing e-mails carry in attachment two files – named Mandiant.pdf and Mandiant_APT2_Report.pdf – that appear to have different attackers behind them. It seems these separate attacks were launched in the same day by coincidence.

“When opening the “Mandiant.pdf” attachment (directed at Japanese targets), only the first page of the report is displayed, and in the background the attachment is exploiting a vulnerability in Adobe Reader (CVE-2013-0641) to automatically install a malware, which downloads additional malicious components,” reads the Seculert blog post.

The installed malware immediately contacts a C2 server hosted in Korea and communicates with some legitimate Japanese websites, probably to make security services think that software was legitimate.

“When opening the “Mandiant_APT2_Report.pdf” attachment (directed at Chinese journalists), Adobe Reader will ask for a password, while in the background the malware will exploit an older Adobe Reader vulnerability (CVE-2011-2462).”

The malware installed here communicates with a C2 server that uses the same dynamic DNS domain used in an attack against Dalai Lama Activists in December 2012 when both Windows and OSX users are vulnerable to this attack.