Top 5 Stories


China leveled 'time-bomb' cyber attack on Japanese, researchers say

07 March 2013

A targeted cyber-attack being leveled at the Japanese has been found to contain a “time-bomb” element – and may have originated in China.

Seculert recently uncovered two different spear-phishing attacks that were using a fake Mandiant report to target Japanese and Chinese journalists. The social engineering ploy played off of the celebrity of the real Mandiant report, which said that multiple attacks throughout recent years should be attributed to one group of attackers, unit 61398 in the Chinese military. 

Now, the security firm has found that the bug has a time-bomb element: the malware is set to trigger only during a specific timeframe. Up till then, the malware will communicate with the legitimate Japanese websites, and only on Tuesdays between 8am and 7pm will it start communicating with the real C2 server. At this point the malware will download and execute a new piece of malware, basically setting the stage for a new phase of the targeted attack.

Seculert noted that the domain was suspended by the dynamic DNS service provider last Monday, a day before the time bomb was supposed to be triggered; therefore, the next phase of the attack did not commence. But the approach is an interesting one in the ongoing quest on the part of hackers to create malware that can evade detection.

Also, while the attack was originally thought to originate in Korea, it turns out that perpetrators in China may actually be behind it.

While the malware was communicating with legitimate Japanese websites, it still had an additional C2 domain in memory, Seculert noted. The domain – – which was registered using a free dynamic DNS service, resolves to a server located in Korea (IP address But that’s not all.

“Interestingly enough, without the expires, the domain resolves to the IP address, which is a server located in Jinan, the capital of the Shandong province of China,” Seculert noted in its blog. “A region which is presumably linked to the Google Aurora and the Shady RAT operations, which are also mentioned in the Mandiant report (though attributed to different APT groups). Oh, the irony.”

This article is featured in:
Industry News  •  Internet and Network Security  •  IT Forensics  •  Malware and Hardware Security  •  Public Sector


Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×