China leveled 'time-bomb' cyber attack on Japanese, researchers say

07 March 2013

A targeted cyber-attack aimed at Japanese victims has been found to contain a "time-bomb" element, and may have originated in China rather than Korea as first thought.

Seculert recently uncovered two different spear-phishing attacks that used a fake Mandiant report as the lure to target Japanese and Chinese journalists. The social engineering ploy played on the publicity surrounding the real Mandiant report, which attributed multiple attacks over recent years to a single group, Unit 61398 of the Chinese military.

Now the security firm has found that the malware has a time-bomb element: it is set to trigger only during a specific timeframe. Until then, the malware communicates only with legitimate Japanese websites; only on Tuesdays between 8am and 7pm does it start communicating with the real C2 server. At that point it downloads and executes a new piece of malware, setting the stage for the next phase of the targeted attack.

Seculert noted that the C2 domain was suspended by the dynamic DNS service provider last Monday, a day before the time bomb was due to trigger, so the next phase of the attack did not commence. But the approach is an interesting one in the ongoing effort by attackers to create malware that evades detection: a sandbox or analyst that runs the sample outside the trigger window sees nothing but benign traffic to legitimate sites.
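As an added illustration of the time-gated behaviour described above (this is example code written for this article, not Seculert's tooling or the malware's own logic), the block below does two things: it models the Tuesday 8am-7pm gate so an analyst can check whether a given clock value would have caused the sample to beacon, and it scans a constructed proxy log for destinations whose entire contact history falls inside that gate, which is how such a sample stands out from the decoy traffic to legitimate sites. The article does not say which clock the malware consulted, so the host's local time is an assumption; the log format and hostnames are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Trigger window reported in the article: Tuesdays, 8am to 7pm. Which clock the
# malware consulted is not stated, so local time of the infected host is assumed.
TRIGGER_WEEKDAY = 1                              # datetime.weekday(): Monday == 0, Tuesday == 1
TRIGGER_START_HOUR, TRIGGER_END_HOUR = 8, 19     # 08:00 <= t < 19:00


def in_trigger_window(ts: datetime) -> bool:
    """True if the sample would contact the real C2 at this moment."""
    return ts.weekday() == TRIGGER_WEEKDAY and TRIGGER_START_HOUR <= ts.hour < TRIGGER_END_HOUR


# Constructed proxy log: "<ISO timestamp> <source host> <destination host>".
# 2013-03-05 and 2013-03-12 are Tuesdays, matching the article's timeline.
SAMPLE_PROXY_LOG = """\
2013-03-04T09:15:00 wks-17 www.example.jp
2013-03-05T08:40:00 wks-17 expires.ddn.dynssl.com
2013-03-05T09:00:00 wks-17 www.example.jp
2013-03-05T12:10:00 wks-17 expires.ddn.dynssl.com
2013-03-06T10:00:00 wks-17 www.example.jp
2013-03-12T14:30:00 wks-17 expires.ddn.dynssl.com
2013-03-12T15:05:00 wks-17 www.example.jp
"""


def parse_proxy_log(text: str) -> Dict[str, List[datetime]]:
    """Group contact timestamps by destination host."""
    contacts: Dict[str, List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _src, dst = line.split()
        contacts[dst].append(datetime.fromisoformat(ts))
    return contacts


def time_gated_destinations(text: str, min_contacts: int = 2) -> List[str]:
    """Destinations contacted at least min_contacts times and never outside the window.

    A decoy site that happens to be hit during the window is not flagged,
    because it is also contacted on other days; only a destination whose whole
    contact history fits inside the gate is reported.
    """
    flagged = []
    for dst, stamps in parse_proxy_log(text).items():
        if len(stamps) >= min_contacts and all(in_trigger_window(t) for t in stamps):
            flagged.append(dst)
    return sorted(flagged)


if __name__ == "__main__":
    # A sandbox run on Monday 4 March 2013 would have seen only decoy traffic.
    print(in_trigger_window(datetime(2013, 3, 4, 10, 0)))   # False
    print(in_trigger_window(datetime(2013, 3, 5, 10, 0)))   # True
    print(time_gated_destinations(SAMPLE_PROXY_LOG))        # ['expires.ddn.dynssl.com']
```

The practical consequence for dynamic analysis is the first check: unless the sandbox clock is moved into the window (a Tuesday between 08:00 and 18:59 by this model), the second stage is never fetched and the sample looks harmless. The log scan is deliberately strict (every contact inside the gate); relaxing it to "mostly inside" trades false negatives for false positives on legitimate weekly jobs.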

Also, while the attack was originally thought to originate in Korea, it now appears that perpetrators in China may be behind it.

While the malware was communicating with legitimate Japanese websites, it still held an additional C2 domain in memory, Seculert noted. The domain, expires.ddn.dynssl.com, which was registered using a free dynamic DNS service, resolves to a server located in Korea (IP address 218.53.110.203). But that's not all.

“Interestingly enough, without the expires, the ddn.dynssl.com domain resolves to the IP address 123.234.29.35, which is a server located in Jinan, the capital of the Shandong province of China,” Seculert noted in its blog. “A region which is presumably linked to the Google Aurora and the Shady RAT operations, which are also mentioned in the Mandiant report (though attributed to different APT groups). Oh, the irony.”
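The pivot Seculert describes, resolving the parent labels of a dynamic DNS indicator and comparing the answers, is easy to automate. The block below is an added example written for this article, not Seculert's code: it walks from the full C2 name up through its parent domains, resolves each, and reports parents that resolve to an address other than the indicator's own. The resolution table is constructed from the two addresses quoted in the article so the example runs offline; the live records have almost certainly changed since 2013, and the `live_resolver` path is provided only for use on current indicators.

```python
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]

# Constructed table reproducing the two resolutions the article reports.
# The provider apex (dynssl.com) is deliberately absent: it would resolve to the
# dynamic DNS provider's own infrastructure, which is noise for this pivot.
OBSERVED_RESOLUTIONS: Dict[str, str] = {
    "expires.ddn.dynssl.com": "218.53.110.203",   # Korea, per the article
    "ddn.dynssl.com": "123.234.29.35",            # Jinan, Shandong, per the article
}


def normalize(name: str) -> str:
    return name.strip(".").lower()


def parent_labels(fqdn: str, min_labels: int = 2) -> List[str]:
    """The name itself followed by each parent domain, down to min_labels labels."""
    parts = normalize(fqdn).split(".")
    return [".".join(parts[i:]) for i in range(len(parts) - min_labels + 1)]


def table_resolver(table: Dict[str, str]) -> Resolver:
    """Resolver backed by a fixed table, for offline analysis and tests."""
    return lambda name: table.get(normalize(name))


def live_resolver(name: str) -> Optional[str]:
    """System resolver; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def pivot_parents(fqdn: str, resolve: Resolver = live_resolver) -> Dict[str, Optional[str]]:
    """Map every label in the chain to its A record (or None)."""
    return {name: resolve(name) for name in parent_labels(fqdn)}


def divergent_parents(fqdn: str, resolve: Resolver = live_resolver) -> Dict[str, str]:
    """Parents that resolve, and to an address different from the indicator's own.

    A parent that shares the indicator's address adds nothing; one that points
    elsewhere is a second piece of infrastructure worth investigating.
    """
    ioc = normalize(fqdn)
    resolved = pivot_parents(ioc, resolve)
    ioc_ip = resolved.get(ioc)
    return {n: ip for n, ip in resolved.items() if n != ioc and ip and ip != ioc_ip}


if __name__ == "__main__":
    offline = table_resolver(OBSERVED_RESOLUTIONS)
    print(pivot_parents("expires.ddn.dynssl.com", offline))
    print(divergent_parents("expires.ddn.dynssl.com", offline))   # {'ddn.dynssl.com': '123.234.29.35'}
```

Two caveats for using this on current indicators: dynamic DNS names change address quickly, so record the resolution time alongside the answer; and a parent that resolves to the provider's shared infrastructure is expected, so only a parent that resolves to something the provider does not own (as the `ddn` label did here) is a real lead.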
