Adobe Reader PDF 0-days now used in Mandiant report spearphish
- — 22 February, 2013 09:13
Hackers are using a fake PDF version of a fresh report into Chinese military espionage for a spearphishing campaign that appears to be aimed at Chinese journalists and Japanese-speakers with connections to the media.
US security firm Mandiant released its 60 page report on Tuesday, which focussed on a hacking crew it named APT1 or “Unit 61398” of the China’s People’s Liberation Army -- a prolific but careless group, the company’s CSO, Richard Bejtlich told Forbes.com on Thursday.
The report was released one day ahead of an expected White House document outlining the nation’s plan to respond to malware. The Mandiant report has generated worldwide interest for the detail it described several active hacking crews that are believed to be behind hundreds of attacks on Western nation organisations.
Security vendor Symantec today reported a fake and malicious Japanese language version of the PDF had been detected in targeted attacks, however Israeli security firm Seculert says there is a second campaign that appears to be targeting Chinese journalists.
“The email purports to be from someone in the media recommending the report,” Symantec notes.
“The email we have come across is in Japanese, but this does not mean there are no emails in other languages spreading in the wild. The email purports to be from someone in the media recommending the report,” said Symantec.
The PDF titled “Mandiant.pdf” is carrying exploit code designed to take advantage of one (CVE-2013-0641) of two zero day flaws that Adobe rushed a patch out for this week.
Symantec said it detected the malware as “Trojan.Pidief”, however it notes the exploit fails to drop any malware on the target.
Seculert confirmed the PDF attempts to exploit this vulnerability, adding that the Japanese language campaign connects to a control server hosted in Korea and is attempting to hide itself from detection by communicating with legitimate Japanese websites.
The attack on Chinese journalists appears to share similarities with infrastructure used in recent attacks targeting supporters of the Dalai Lama, according to Seculert.
“Our research lab also analyzed the malware in this attack. The malware communicates with a C2 server which is using the dynamic DNS domain itsec.eicp.net. This same domain name was used by a watering hole attack, targeting Dalai Lama activists back in December 2012. Back then there were two different malware variants communicating with the same C2 server. One variant was created for users using Windows operating system, while the other variant was created specifically for OSX victims."
"The two targeted attacks are most probably not originating from the same group, however, the timing of the attacks is very interesting, as both were delivered on the same day."