Spear Phishing… With the Mandiant APT1 Report

Hackers (almost certainly the Chinese ones behind Aurora/ShadyRAT) took the Mandiant APT1 report, created a fake version, and used it as bait in a spear phishing campaign. If you recall, that’s the Mandiant report on a Chinese government hacking group…

This isn’t particularly earth-shaking in security terms — another spear phishing campaign — but it is amusing in its ironic audacity.


“Researchers at Seculert have discovered a link between spear phishing campaigns targeting Japanese and Chinese journalists, post-Mandiant’s APT1 report, and domains connected to the Aurora attacks on Google and the Shady RAT campaign.

In particular, in the attacks against the Japanese, the malware was communicating with a hidden command and control server located in the Shandong province of China.

“We found that while the malware was communicating with legitimate Japanese websites, it still had an additional C2 domain in memory,” the company said on its blog yesterday.

The domain, expires[.]ddn[.]dynssl[.]com resolves to a server in Korea, but Seculert said that without “expires” in the domain name, it instead resolves to the server in Shandong, which is linked to the two high-profile attacks.

“The whole host belongs to the same account, so the same people controlled both (domains),” CTO Aviv Raff told Threatpost.

The spear phishing campaigns were discovered days after an expose by Mandiant of Chinese attacks on U.S. infrastructure. The messages used in the attacks included malicious PDF files named Mandiant_APT2_Report, a variation on the report’s real name. APT1 is the name given to the group behind a number of attacks on U.S. interests. The PDF exploits an old vulnerability in Adobe Reader and was used in a number of attacks against human rights activists as well by the Chinese, researcher Brandon Dixon said.

Seculert also discovered and reported yesterday that the malware triggers only during specific timeframes, in this case, on Tuesdays between 8 a.m. and 7 p.m. when it was scheduled to contact the command and control servers and download and execute new malware.

Raff, however, told Threatpost that the provider suspended the dynamic DNS account on Monday, Feb. 25, 24 hours before the attack was supposed to start again.

“The provider was aware of this domain probably after we mentioned the domain on our previous blog post,” Raff said, adding that Seculert had no additional insight into the second stage of the attack, nor as to what malware was supposed to be downloaded on Tuesday.

The Chinese have targeted journalists, dissidents and policy makers for some time, not only chasing intelligence and intellectual property, but also in an attempt to understand and control perception of the government, experts said.

“Our team did some industry analysis of these attacks on the media and they think the reason it’s happening is because the Chinese are desperate to know what others think of them first,” Mandiant CSO Richard Bejtlich said on Jan. 31, the day the New York Times disclosed it was attacked by the Chinese. “They want to know what news organizations are saying about them. They want access to Gmail accounts of those who support dissidents. They attack the think tanks because they want to know what the think tanks are recommending for policy.””