Anyone in the malware, forensics or security industry has probably heard about the report released by Mandiant titled APT1: Exposing One of China’s Cyber Espionage Units. This paper (which is incredible, by the way) outlines several years of research on APT1, including their attack methods, targets, and general goals. It was only a matter of time before Mandiant’s report was used as the lure for a new attack.
Now we are seeing spear phishing emails that take advantage of the widespread, highly intriguing news. What better way to attack those who are interested in the topic, right? The emails identified appear to come from someone (typically a member of the media) recommending the report to the recipient, and even attaching the document for their convenience (with file names such as Mandiant.pdf and Mandiant_APT1_Report.pdf). Unfortunately, the attachment is not the actual report (gotcha!) but a malicious PDF. When a user opens this PDF, the embedded malicious code exploits the recent Adobe vulnerability (CVE-2013-0641) to give the attackers remote code execution on the system. In the end, the PDF drops malware. The type of malware installed depends on the version of the malicious PDF, and each security vendor classifies it differently, but either way it’s not good.
Moral of the Story
1. Do not open email attachments titled Mandiant.pdf or Mandiant_APT1_Report.pdf, or any other variation.
2. Do not trust email attachments, period. Always verify that the attachment is legitimate, even when it comes from a trusted sender (emails can easily be spoofed, and the volume of phishing emails these days leads to many compromised IDs).
3. Update your Adobe software ASAP. CVE-2013-0641 is patched in their most recent update.
4. Always keep your Anti-Virus updated (even you Mac users!). I’ve been working with SUPERAntiSpyware lately, and it’s done a wonderful job at detecting most of these recent infections.
5. Always hover. If there is a link in the email, hover your mouse over it before clicking. The email may show that the link goes to www.goodsite.com, but hovering may reveal that it actually leads to www.badsite.com.
6. If you want to read the real report from Mandiant, I have linked the report within my paragraph above. If you do download any reports, check the MD5 hashes that Mandiant provided for it:
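As an added illustration of items 1, 5 and 6 (this is example code, not code from the original post, from Mandiant or from Symantec), the following Python screens a raw email for lookalike attachment names and for links whose visible domain differs from the real one, and compares a downloaded file against a published MD5. The sample message, domains and hash are constructed; the published MD5 you would compare against is whatever Mandiant lists for the real report.

```python
import hashlib
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Attachment names the post warns about: "Mandiant" followed by anything, ending in ".pdf".
SUSPICIOUS_NAME = re.compile(r"mandiant.*\.pdf$", re.I)
# Text that looks like a URL or bare domain (so "click here" is never mistaken for a host).
DOMAIN_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
# Simplified <a href="...">text</a> extraction; enough for a mail body, not a full HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host(s):
    """Hostname of a URL or of bare domain-looking text; None if s is not URL-like."""
    s = s.strip()
    if not DOMAIN_LIKE.fullmatch(s): return None
    return urlparse(s if "://" in s else "http://" + s).hostname.lower()

def screen_message(raw):
    """Apply the post's checks (items 1 and 5) to a raw RFC 822 message; return warnings."""
    msg, warnings = message_from_string(raw, policy=default), []
    for part in msg.walk():
        name = part.get_filename()
        if name and SUSPICIOUS_NAME.match(name):
            warnings.append(f"suspicious attachment name: {name}")
        if part.get_content_type() == "text/html":
            # The "always hover" check: domain shown in the link text vs. the real href.
            for href, text in ANCHOR.findall(part.get_content()):
                if host(text) and host(text) != host(href):
                    warnings.append(f"link shows {host(text)} but goes to {host(href)}")
    return warnings

def verify_md5(data, published_md5):  # item 6: MD5 is what the vendor published for the report
    return hashlib.md5(data).hexdigest() == published_md5.lower()

# Constructed sample message (not a real lure): lookalike attachment plus a mismatched link.
SAMPLE = """Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Full report: <a href="http://www.badsite.example/apt1">www.goodsite.example</a></p>
--b1
Content-Disposition: attachment; filename="Mandiant_APT1_Report.pdf"

%PDF-1.4 (constructed placeholder body)
--b1--
"""
```

Running `screen_message(SAMPLE)` returns one warning for the link mismatch and one for the attachment name; `verify_md5` takes the file bytes and the hash string from Mandiant's page.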
References: Symantec’s Blog Post