Phishing mail uses fake Mandiant spy report

By on
Phishing mail uses fake Mandiant spy report

Japanese organisations targeted.

Security researchers are warning users to be on the lookout for spear phishing emails that include a PDF attachment claiming to lead to a widely read report released by forensic firm Mandiant.

Israel-based Seculert said it was tracking two versions of the threat: one targeting Japanese organisations and the other directed toward Chinese journalists.

The one going after Japanese firms (using the fake file name Mandiant.pdf) leverages a just-patched vulnerability in Adobe Reader to install malware that communicates with a few Japanese websites, as well as a command-and-control server in Korea.

The other threat (dubbed Mandiant_APT2_Report.pdf) communicates with the same malicious domain name that was used in December in a "watering hole" campaign targeting Mac OS X users, specifically Tibetan activists, who visited a website affiliated with the Dalai Lama.

Alexandria, Va.-based incident response and forensic firm Mandiant on Monday night released the 60-page report, which offers a fascinating close-up of the nuts and bolts of secret Chinese military unit 61398, believed to be behind the theft of hundreds of terabytes of information from 141 organizations primarily in the United States.

Mandiant named the group it studied APT1 – it also has been dubbed the Comment Crew – because it is only one of dozens of advanced persistent threat (APT) groups with China-based operations that the firm tracks. 

According to the report, Mandiant tracked IP addresses, network communication and attack characteristics to trace the unit's central hub to a 12-story facility in Shanghai.

The firm also discovered that the majority of the 709 unique IP addresses hosting APT1 command-and-control servers were registered in China.

Symantec, which also studied the phishing emails now making the rounds, said the example it looked at initiates the trojan Pidief, but doesn't actually install any malware on the victim computer.

"It is worth noting that there may potentially be other variants that are successful in dropping malware," researcher Joji Hamada wrote in a blog post.

"Could the Comment Crew be playing a prank in response to the publication [of the Mandiant report], or did someone just make another careless mistake in performing the attack, as is the case for so many of these targeted attacks? The truth is we don't know."

It's not very often that an information security lure is used in targeted emails, but that speaks to how widely talked-about the Mandiant report has been this week.

This article originally appeared at

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition

Most Read Articles

Log In

  |  Forgot your password?