The report, APT1: Exposing One of China's Cyber Espionage Units, published by Mandiant earlier this week has drawn worldwide attention by both the security world and the general public. This interest is due to the conclusion the report has drawn regarding the origin of targeted attacks, using advanced persistent threats (APT), performed by a certain group of attackers dubbed the Comment Crew. You can read Symantec’s response to the report here.
Today, Symantec has discovered someone performing targeted attacks is using the report as bait in an attempt to infect those who might be interested in reading it. The email we have come across is in Japanese, but this does not mean there are no emails in other languages spreading in the wild. The email purports to be from someone in the media recommending the report. As you can see in Figure 1, the attachment is made to appear like the actual report with the use of a PDF file and the name of the company as the file name. However, like in many targeted attacks, the email is sent from a free email account and the content of the email uses subpar language. It is obvious to a typical Japanese person reading the email that it was not written by a native speaker.
When the fake report, which Symantec detects as Trojan.Pidief, is opened, a blank PDF is shown but in the background exploit code for Adobe Acrobat and Reader Remote Code Execution Vulnerability (CVE-2013-0641) is executed. The PDF file may drop Trojan.Swaylib and Trojan.Dropper, which drops Downloader, if the vulnerbility is successfully exploited. Could the Comment Crew be playing a prank in response to the publication? The truth is we don’t know.
Figure 1. Malicious email purporting to contain the report
Similar tactics have been used in the past, one of which actually involved Symantec. Back in 2011, when we released a whitepaper on another group performing targeted attacks, the attackers took the opportunity to use the publication to infect those interested in reading the paper. They did this by spamming targets with the actual whitepaper along with malware hidden in an archive attachment.
If you want to read the actual Mandiant report, or any other for that matter, we advise you to download it directly from the company’s website. The Mandiant download page also provides the hash of the file so that viewers can confirm its authenticity. It is also a good idea to check the hash if you are unsure where you acquired the file from.
Update - February, 2013
Initially, this blog stated that the PDF file didn't drop any additional malware. However, after further analysis, it has been found to drop malware in some environments. The blog has been updated to reflect this finding.
We have also confirmed that there are multiple variants of the malicious fake report.