Researchers have uncovered intriguing clues hinting that the recent fake Mandiant report has a China connection.
As SecurityWeek reported last week, the malicious PDF file masquerading as Mandiant’s APT1 report was being used in a spear-phishing campaign targeting Japanese and Chinese journalists. Researchers at Seculert found the malware was communicating with a hidden command-and-control (C2) server located in Shandong province, China, Aviv Raff, CTO of Seculert, told SecurityWeek.
Seculert found that the Japanese variant of the malware communicated with legitimate Japanese websites as well as with a different server, located in Korea, reached through a free hostname from a dynamic DNS service. The domain associated with that hostname turned out to belong to a server in Jinan, the capital of Shandong in China, Seculert said on its company blog Tuesday. The region has been linked to the Aurora attacks against Google a few years ago, as well as to the ShadyRAT operation, which affected a large number of organizations across various industries.
“We found that while the malware was communicating with legitimate Japanese websites, it still had an additional C2 domain in memory,” the company said on its blog Tuesday.
Even more intriguing, the malware was configured to contact the Chinese server only on Tuesdays between 8am and 7pm, when it would receive new instructions to execute or new malware to download, Raff said. At all other times the malware would ping only legitimate Japanese websites, making it harder for researchers to work out what it was trying to do, Raff said.
The ISP suspended the dynamic DNS account on Feb. 25, a day before the malware’s next scheduled check-in, Raff said. Seculert did not have any information about what the malware would have downloaded from the C2 server, or what instructions it would have received, had it successfully reached the server on Tuesday, Raff said.
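A Tuesday-only schedule like the one described above is exactly the kind of gate that defeats a short sandbox run on any other day of the week: the analyst sees nothing but traffic to ordinary Japanese sites. The Python below is an added example, not code from the original article or from Seculert. Given a constructed proxy log (the hostnames are placeholders: beacon.dyndns-example.net stands in for the dynamic DNS hostname, the example.jp names for the legitimate sites), it flags destinations that a host contacts only on one weekday inside a bounded hour range while the same host is otherwise active all week, and it computes the next such window so a sandbox clock can be set inside it. The default window of Tuesday 8am to 7pm mirrors the schedule reported in the article.

```python
"""Added example: flag time-gated beaconing in outbound logs and compute the
next beacon window for sandbox detonation. Not code from the article."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log, not data from the campaign. One record per
# line: "<YYYY-MM-DD> <HH:MM:SS> <source host> <destination hostname>".
# Feb 19 and Feb 26, 2013 are Tuesdays; the other dates are weekdays around them.
SAMPLE_LOG = """\
2013-02-18 09:12:03 ws-jp-01 news.example.jp
2013-02-18 14:40:11 ws-jp-01 news.example.jp
2013-02-19 08:30:15 ws-jp-01 news.example.jp
2013-02-19 08:31:02 ws-jp-01 beacon.dyndns-example.net
2013-02-19 12:05:41 ws-jp-01 beacon.dyndns-example.net
2013-02-19 18:55:02 ws-jp-01 beacon.dyndns-example.net
2013-02-20 10:01:33 ws-jp-01 weather.example.jp
2013-02-21 11:22:47 ws-jp-01 news.example.jp
2013-02-22 16:08:19 ws-jp-01 weather.example.jp
2013-02-25 09:45:00 ws-jp-01 news.example.jp
2013-02-26 08:15:09 ws-jp-01 beacon.dyndns-example.net
2013-02-26 13:30:27 ws-jp-01 beacon.dyndns-example.net
2013-02-26 15:00:00 ws-jp-01 news.example.jp
2013-02-27 10:30:00 ws-jp-01 weather.example.jp
"""

WEEKDAY_NAMES = ["Monday", "Tuesday", "Wednesday", "Thursday",
                 "Friday", "Saturday", "Sunday"]


def parse_log(text):
    """Parse the four-column log into (timestamp, host, destination) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, host, dest = line.split()
        stamp = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        records.append((stamp, host, dest))
    return records


def find_time_gated_destinations(records, min_days=2, max_span_hours=12):
    """Return destinations a host reaches on a single weekday only, across at
    least `min_days` distinct dates, inside a bounded span of hours, while the
    same host is seen on other weekdays too (so the gate belongs to the
    destination, not to the host's own uptime)."""
    by_pair = defaultdict(list)      # (host, dest) -> list of timestamps
    host_weekdays = defaultdict(set)  # host -> weekdays on which it is active
    for stamp, host, dest in records:
        by_pair[(host, dest)].append(stamp)
        host_weekdays[host].add(stamp.weekday())

    findings = []
    for (host, dest), stamps in sorted(by_pair.items()):
        weekdays = {t.weekday() for t in stamps}
        dates = {t.date() for t in stamps}
        if len(weekdays) != 1 or len(dates) < min_days:
            continue
        if host_weekdays[host] <= weekdays:
            continue  # host only ever seen on that weekday: nothing is gated
        hours = [t.hour for t in stamps]
        lo, hi = min(hours), max(hours)
        if hi - lo + 1 > max_span_hours:
            continue
        findings.append({
            "host": host,
            "destination": dest,
            "weekday": WEEKDAY_NAMES[next(iter(weekdays))],
            "hour_window": (lo, hi),
            "days_seen": len(dates),
            "contacts": len(stamps),
        })
    return findings


def next_beacon_window(now, weekday=1, start_hour=8, end_hour=19):
    """Return (start, end) of the current or next beacon window: by default
    Tuesday (weekday 1) from 08:00 to 19:00, the schedule reported for this
    sample. Set the sandbox clock inside this range before detonating."""
    start = now.replace(hour=start_hour, minute=0, second=0, microsecond=0)
    start += timedelta(days=(weekday - now.weekday()) % 7)
    end = start.replace(hour=end_hour)
    if now >= end:  # this week's window has already closed
        start += timedelta(days=7)
        end += timedelta(days=7)
    return start, end


if __name__ == "__main__":
    for finding in find_time_gated_destinations(parse_log(SAMPLE_LOG)):
        print(finding)
    print(next_beacon_window(datetime(2013, 2, 25, 12, 0)))
```

On the sample log the only hit is the dynamic DNS hostname, seen on two Tuesdays between 08:00 and 18:59 while the host talks to the other sites Monday through Friday. The host-weekday check matters in practice: a workstation that is only powered on Tuesdays would otherwise make every destination look gated.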
Attackers were sending out booby-trapped PDF files masquerading as the APT1 report from Mandiant. The file carried a slightly different name, Mandiant_APT2_Report.pdf instead of APT1, and was password protected, which also keeps its contents opaque to mail-gateway scanners that cannot open encrypted PDFs, according to Anup Ghosh, CEO of Invincea, whose team analyzed one of the malware samples.
When the file is opened, the malware displays a decoy PDF containing the first four pages of the real report, Ghosh said. “So not only do you get infected by opening the document, but you only get four pages of the seventy-six-page report. Bum deal!” Ghosh wrote.
The malware sample used an older PDF exploit, one previously observed in attacks against human rights activists, Seculert said. Adobe had already released a patch for the Reader and Acrobat flaw, so the campaign depended on targets running unpatched versions.