Seculert Claims: Connection between APT1-Themed Spear Phishing Campaign in Japan and China
Following the recently released Mandiant APT1 report, researchers at Seculert discovered a connection between spear phishing campaigns targeting Japanese and Chinese journalists and the domains connected to the Aurora attacks on Google and the Shady RAT (Remote Access Tool) campaign.
On evaluation, Seculert's researchers observed that the malicious component is designed like a "time bomb": it has been programmed to trigger only during a particular time period.
Normally, the malware interacts with legitimate Japanese websites, but on Tuesdays, between 8 AM and 7 PM, it also contacts an extra command and control (C&C) domain, expires.ddn.dynssl.com.
The malware uses this short time window to download additional malicious components, setting the stage for a new phase of the attack.
The domain expires.ddn.dynssl.com resolves to a server in Korea, but Seculert claims that without "expires" in the name, ddn.dynssl.com instead resolves to a server in Shandong, China, which is connected to the two high-profile attacks. This shows an attempt to disguise the location of the actual C&C servers, Seculert noted.
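The two behaviours described above (beaconing only inside a weekday/hour window, and a subdomain whose resolution differs from its parent domain) are both things a defender can check for in proxy and DNS data. The following is an added example, not code from Seculert or from the article: it runs over constructed proxy log lines, flags connections to the watchlisted host, marks which of them fall inside the Tuesday 08:00-19:00 window the article reports, and compares the resolution of a host with that of its parent domain. The log lines, the IP addresses (documentation ranges) and the assumption that timestamps are in the victim's local time are all constructed for the example.

```python
"""Added example (not from the Seculert write-up): flag connections to a
watchlisted C&C host inside the weekday/time window the article describes,
and detect subdomain-versus-parent resolution mismatches.
All log lines and IP addresses below are constructed."""
from datetime import datetime, time

# Host named in the article, and the window it reports (Tuesday, 08:00-19:00).
# Assumption: log timestamps are in the victim's local time, as the article
# does not state a timezone.
WATCHLIST = {"expires.ddn.dynssl.com"}
WINDOW_WEEKDAY = 1            # datetime.weekday(): Monday=0, so Tuesday=1
WINDOW_START = time(8, 0)
WINDOW_END = time(19, 0)

# Constructed proxy log: "<ISO timestamp> <client IP> <destination host>".
# 2013-03-05 and 2013-03-12 are Tuesdays; 2013-03-06 is a Wednesday.
SAMPLE_LOG = """\
2013-03-05T08:42:10 10.0.0.15 www.example.jp
2013-03-05T09:15:02 10.0.0.15 expires.ddn.dynssl.com
2013-03-05T20:01:44 10.0.0.15 expires.ddn.dynssl.com
2013-03-06T09:20:31 10.0.0.22 expires.ddn.dynssl.com
2013-03-12T12:03:09 10.0.0.22 expires.ddn.dynssl.com
"""


def parse_line(line):
    """Split one log line into (datetime, client, host)."""
    ts_text, client, host = line.split()
    return datetime.fromisoformat(ts_text), client, host.lower()


def in_window(ts):
    """True when the timestamp falls inside the reported beaconing window."""
    return ts.weekday() == WINDOW_WEEKDAY and WINDOW_START <= ts.time() < WINDOW_END


def classify(log_text):
    """Return every watchlist contact, labelled in- or out-of-window."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host = parse_line(line)
        if host not in WATCHLIST:
            continue
        verdict = "watchlist_in_window" if in_window(ts) else "watchlist_out_of_window"
        hits.append({"ts": ts, "client": client, "host": host, "verdict": verdict})
    return hits


def in_window_hosts(hits):
    """Count in-window watchlist contacts per client, to prioritise triage."""
    counts = {}
    for hit in hits:
        if hit["verdict"] == "watchlist_in_window":
            counts[hit["client"]] = counts.get(hit["client"], 0) + 1
    return counts


def parent_domain(host):
    """Drop the leftmost label: expires.ddn.dynssl.com -> ddn.dynssl.com."""
    return host.split(".", 1)[1]


# Constructed resolver results standing in for the article's Korea/China split
# (documentation-range addresses, not the real servers).
CONSTRUCTED_DNS = {
    "expires.ddn.dynssl.com": "192.0.2.10",
    "ddn.dynssl.com": "198.51.100.20",
}


def resolution_mismatch(host, resolve=CONSTRUCTED_DNS.get):
    """Return (host_ip, parent_ip) when a host and its parent domain resolve
    to different addresses, else None. `resolve` is any hostname -> IP callable."""
    host_ip, parent_ip = resolve(host), resolve(parent_domain(host))
    if host_ip and parent_ip and host_ip != parent_ip:
        return host_ip, parent_ip
    return None


if __name__ == "__main__":
    hits = classify(SAMPLE_LOG)
    for hit in hits:
        print(hit["ts"].isoformat(), hit["client"], hit["host"], hit["verdict"])
    print("in-window contacts per client:", in_window_hosts(hits))
    print("resolution mismatch:", resolution_mismatch("expires.ddn.dynssl.com"))
```

In practice `resolve` would be a real lookup function and the watchlist would come from a feed; the point of the window check is that out-of-window contacts to the same host are still worth seeing, because the article's window is what the sample did at the time of analysis, not a guarantee about future samples.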
"Presently, the researchers do not know why the attackers chose this particular time frame. However, the long time span can suggest that the attackers might be aiming at more than just the Japanese," Aviv Raff, the CTO of Seculert, said, as published by darkreading.com on March 6, 2013.
According to the experts, the Chinese have targeted journalists, dissidents, and policy makers for some time, not only chasing intelligence and intellectual property, but to some extent in order to comprehend and control the perception of the government.
Industry analysis of these attacks on the media points to the same reason: the Chinese are desperate to read others' minds, in the words of Mandiant CSO Richard Bejtlich on January 31, 2013, the day the New York Times disclosed the attack attributed to the Chinese, as Threatpost reported on its website on March 6, 2013. The attackers want to find out about the organizations that oppose them, they want access to the Gmail accounts of those dissidents, and they attack think tanks because they want to know what policy they are recommending.
SPAMfighter News - 14-03-2013