Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Fake Mandiant APT Report Used as Malware Lure InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Fake Mandiant APT Report Used as Malware Lure

Published: 2013-02-21
Last Updated: 2013-07-13 01:53:11 UTC
by Lenny Zeltser (Version: 1)
0 comment(s)

On the heels of Mandiant's report APT1: Exposing One of China's Cyber Espionage Units, attackers are circulating malicious versions of the PDF document. It's a clever social engineering scheme that can be used for the types of attacks that Mandiant's report described.

Symantec discovered "targeted attacks is using the report as bait in an attempt to infect those who might be interested in reading it. " The fake report was distributed as an email attachment named Mandiant.pdf according to Symantec and targeted the CVE-2013-0641 vulnerability in Adobe Reader and Acrobat.

Brandon Dixon came across another malicious PDF file that seemed to follow a similar meme and was named "Mandiant_APT2_Report.pdf". According to Brandon, the malicious PDF file was distributed in a password-protected PDF file. The file infected the system with malware and displayed to the victim the original Mandiant APT1 report.

These incidents illustrate how quickly and cleverly the attackers can devise social engineering schemes to target victims in specific organizations, sectors or professions. The audience of Mandiant's original report is likely of interest to the types of attackers that the report profiled.

 

-- Lenny Zeltser

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and . He also writes a security blog.

Keywords:
0 comment(s)
Diary Archives