Researchers Uncover More Details on Attacks Using Fake Mandiant Report

Researchers have uncovered intriguing clues hinting that the recent fake Mandiant report has a China connection.

As SecurityWeek reported last week, the malicious PDF file masquerading as Mandiant’s APT1 report was being used as part of a spear phishing campaign targeting Japanese and Chinese journalists. Researchers at Seculert found the malware was communicating with a hidden command and control server located in the Shandong province of China, Aviv Raff, CTO of Seculert, told SecurityWeek.

Seculert found that the Japanese variant of the malware communicated with legitimate Japanese websites as well as a different server located in Korea with a free hostname from a dynamic DNS service. The domain associated with the DNS hostname turned out to belong to a server in Jinan, the capital of Shandong in China, Seculert said on its company blog Tuesday. The region has been linked to the Aurora attacks against Google a few years ago, as well as the ShadyRAT operation, which affected a large number of organizations across various industries.

“We found that while the malware was communicating with legitimate Japanese websites, it still had an additional C2 domain in memory,” the company said on its blog Tuesday.

Even more intriguing, the malware was configured to communicate with the Chinese server only on Tuesdays between 8am and 7pm and receive new instructions to execute or new malware to download, Raff said. At other times, the malware would ping only legitimate Japanese Websites, making it harder for researchers to understand what the malware was trying to do, Raff said.

The ISP suspended the dynamic DNS account on Feb. 25, a day before the malware was scheduled to execute, Raff said. Seculert did not have any information about what the malware would have downloaded from the C&C server, or what instructions it would have received had it successfully contacted the server on Tuesday, Raff said.
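The weekly C2 window described above suggests a hunting check over DNS or proxy logs: look for a destination that a host contacts only on one weekday and inside a bounded hour range, week after week, while the same host is active on other days. The following is an added example, not code from Seculert or the original article; the log format, host names, domains and thresholds are constructed assumptions, and timestamps are assumed to be in the endpoint's local time.

```python
from collections import defaultdict
from datetime import datetime

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
        "Friday", "Saturday", "Sunday"]

# Constructed DNS log sample: (timestamp, client host, queried name).
SAMPLE = [
    ("2013-02-04T09:12:00", "ws-17", "news.example.jp"),
    ("2013-02-05T08:31:00", "ws-17", "gate.dyn.example"),
    ("2013-02-05T14:02:00", "ws-17", "news.example.jp"),
    ("2013-02-06T10:45:00", "ws-17", "news.example.jp"),
    ("2013-02-12T11:20:00", "ws-17", "gate.dyn.example"),
    ("2013-02-14T16:05:00", "ws-17", "news.example.jp"),
    ("2013-02-19T18:40:00", "ws-17", "gate.dyn.example"),
    ("2013-02-19T09:00:00", "ws-22", "updates.example.com"),
    ("2013-02-21T09:00:00", "ws-22", "updates.example.com"),
]

def time_gated_destinations(records, min_weeks=2, max_span_hours=12):
    """Return (host, domain, weekday, first_hour, last_hour) for destinations
    a host contacts on a single weekday only, inside a narrow hour window,
    across several weeks, while the host is also active on other weekdays."""
    hits = defaultdict(list)       # (host, domain) -> [datetime, ...]
    host_days = defaultdict(set)   # host -> weekdays with any traffic
    for ts, host, domain in records:
        when = datetime.fromisoformat(ts)
        hits[(host, domain)].append(when)
        host_days[host].add(when.weekday())

    findings = []
    for (host, domain), times in sorted(hits.items()):
        weekdays = {t.weekday() for t in times}
        weeks = {tuple(t.isocalendar())[:2] for t in times}  # (ISO year, week)
        hours = [t.hour for t in times]
        if (len(weekdays) == 1 and len(weeks) >= min_weeks
                and max(hours) - min(hours) <= max_span_hours
                and len(host_days[host]) > 1):  # host is not online one day only
            findings.append((host, domain, DAYS[weekdays.pop()],
                             min(hours), max(hours)))
    return findings

if __name__ == "__main__":
    for finding in time_gated_destinations(SAMPLE):
        print(finding)
```

A short sandbox run or a single day of logs cannot satisfy `min_weeks`, which is the same reason the gated C2 domain was hard to observe; the check needs several weeks of retained logs to be useful.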

Attackers were sending out booby-trapped PDF files masquerading as the APT1 report from Mandiant. The file had a slightly different name—Mandiant_APT2_Report.pdf instead of APT1—and was password protected, according to Anup Ghosh, CEO of Invincea, whose team analyzed one of the malware samples.

When the file is accessed, the malware opens a decoy PDF displaying the first four pages of the real report, Ghosh said. “So not only do you get infected by opening the document, but you only get four pages of the seventy-six page report- bum deal!” Ghosh wrote.

The malware sample used an older PDF exploit, which had previously been observed in attacks against human rights activists, Seculert said. Adobe has already released a patch for the Reader and Acrobat flaw.
