Seculert recently uncovered two different spear-phishing attacks that were using a fake Mandiant report to target Japanese and Chinese journalists. The social engineering ploy played off of the celebrity of the real Mandiant report, which said that multiple attacks throughout recent years should be attributed to one group of attackers, unit 61398 in the Chinese military.
Now, the security firm has found that the bug has a time-bomb element: the malware is set to trigger only during a specific timeframe. Up till then, the malware will communicate with the legitimate Japanese websites, and only on Tuesdays between 8am and 7pm will it start communicating with the real C2 server. At this point the malware will download and execute a new piece of malware, basically setting the stage for a new phase of the targeted attack.
Seculert noted that the domain was suspended by the dynamic DNS service provider last Monday, a day before the time bomb was supposed to be triggered; therefore, the next phase of the attack did not commence. But the approach is an interesting one in the ongoing quest on the part of hackers to create malware that can evade detection.
Also, while the attack was originally thought to originate in Korea, it turns out that perpetrators in China may actually be behind it.
While the malware was communicating with legitimate Japanese websites, it still had an additional C2 domain in memory, Seculert noted. The domain – expires.ddn.dynssl.com – which was registered using a free dynamic DNS service, resolves to a server located in Korea (IP address 22.214.171.124). But that’s not all.
“Interestingly enough, without the expires, the ddn.dynssl.com domain resolves to the IP address 126.96.36.199, which is a server located in Jinan, the capital of the Shandong province of China,” Seculert noted in its blog. “A region which is presumably linked to the Google Aurora and the Shady RAT operations, which are also mentioned in the Mandiant report (though attributed to different APT groups). Oh, the irony.”