Adobe Reader PDF 0-days now used in Mandiant report spearphish

A fake PDF report exploiting recently patched Adobe Reader zero-day flaws is being used against Chinese journalists.

Hackers are using a fake PDF version of a fresh report into Chinese military espionage for a spearphishing campaign that appears to be aimed at Chinese journalists and Japanese-speakers with connections to the media.

US security firm Mandiant released its 60 page report on Tuesday, which focussed on a hacking crew it named APT1 or “Unit 61398” of the China’s People’s Liberation Army -- a prolific but careless group, the company’s CSO, Richard Bejtlich told on Thursday.

The report was released one day ahead of an expected White House document outlining the nation’s plan to respond to malware. The Mandiant report has generated worldwide interest for the detail it described several active hacking crews that are believed to be behind hundreds of attacks on Western nation organisations.

Security vendor Symantec today reported a fake and malicious Japanese language version of the PDF had been detected in targeted attacks, however Israeli security firm Seculert says there is a second campaign that appears to be targeting Chinese journalists.

“The email purports to be from someone in the media recommending the report,” Symantec notes.

“The email we have come across is in Japanese, but this does not mean there are no emails in other languages spreading in the wild. The email purports to be from someone in the media recommending the report,” said Symantec.

The PDF titled “Mandiant.pdf” is carrying exploit code designed to take advantage of one (CVE-2013-0641) of two zero day flaws that Adobe rushed a patch out for this week.

Symantec said it detected the malware as “Trojan.Pidief”, however it notes the exploit fails to drop any malware on the target.

Seculert confirmed the PDF attempts to exploit this vulnerability, adding that the Japanese language campaign connects to a control server hosted in Korea and is attempting to hide itself from detection by communicating with legitimate Japanese websites.

The attack on Chinese journalists appears to share similarities with infrastructure used in recent attacks targeting supporters of the Dalai Lama, according to Seculert.

“Our research lab also analyzed the malware in this attack. The malware communicates with a C2 server which is using the dynamic DNS domain This same domain name was used by a watering hole attack, targeting Dalai Lama activists back in December 2012. Back then there were two different malware variants communicating with the same C2 server. One variant was created for users using Windows operating system, while the other variant was created specifically for OSX victims."

"The two targeted attacks are most probably not originating from the same group, however, the timing of the attacks is very interesting, as both were delivered on the same day."

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags adobeMandiant report

More about Adobe SystemsC2CSOSymantec

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Liam Tung

Latest Videos

More videos

Blog Posts