For instance, with the Mahdi campaign, we were able to find that the attackers were fluent in Farsi and even used a Persian calendar in the communication with the C2 (Command & Control) server.
Two weeks ago, Mandiant revealed that multiple attacks over recent years can presumably be attributed to a single group of attackers, Unit 61398 of the Chinese PLA. Two days later, we discovered two different spear-phishing attacks that used a fake Mandiant report to target Japanese and Chinese journalists.
Today, we would like to add some further details about the targeted attack against the Japanese journalists.
When we analyzed the malware used in this targeted attack with Seculert Swamp, we found that while the malware was communicating with legitimate Japanese websites, it also held an additional C2 domain in memory. That domain, expires.ddn.dynssl.com, was registered through a free dynamic DNS service and resolves to a server located in Korea (IP address 218.53.110.203).
Interestingly enough, without the "expires" label, the parent domain ddn.dynssl.com resolves to the IP address 123.234.29.35, a server located in Jinan, the capital of China's Shandong province (see Figure 1). That region is presumably linked to the "Google Aurora" and "Shady RAT" operations, which are also mentioned in the Mandiant report (though attributed to different APT groups). Oh, the irony...

Further analysis of the malware revealed that, much like a time bomb, it is set to trigger only during a specific timeframe. Until then, the malware communicates only with the legitimate Japanese websites; only on Tuesdays between 8am and 7pm (see Figure 2) does it start communicating with the real C2 server. At that point the malware downloads and executes a new piece of malware, basically setting the stage for a new phase of the targeted attack.
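The two behaviours described above, a hidden C2 hostname that only exists in memory and a beacon that is gated to Tuesdays 8am to 7pm, are exactly what a short sandbox run misses. The following is an added example (not Seculert's code and not the malware's own logic) showing the two checks an analyst would want: pulling hostname-looking strings out of a process memory image and flagging any under a free dynamic-DNS suffix, and modelling the time gate so that a simulated clock can be swept across it to locate the beacon window. The memory image, the legitimate host `www.example.jp`, the dynamic-DNS suffixes other than dynssl.com, and the use of local time with 7pm as an exclusive upper bound are all constructed assumptions.

```python
"""Added analysis aids for time-gated malware with an in-memory C2 (example code).

1. extract_hostnames / flag_dyndns: scan a memory image for hostnames and flag
   ones registered under free dynamic-DNS providers.
2. in_trigger_window / sweep_clock: model a Tuesday 08:00-19:00 gate and drive a
   simulated clock across it to find when the real C2 would be contacted.
"""
import re
from datetime import datetime, timedelta

# Assumption: dynssl.com is the provider named in the article; the other
# suffixes are illustrative additions, not taken from the page.
DYNDNS_SUFFIXES = ("dynssl.com", "no-ip.org", "dyndns.org", "3322.org")

# Conservative hostname pattern: one or more labels followed by an alphabetic TLD.
HOSTNAME_RE = re.compile(
    rb"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.IGNORECASE
)

# Constructed memory fragment: an HTTP request to a benign site, some Win32
# strings, the hidden C2 hostname, and a few non-ASCII bytes.
SAMPLE_MEMORY = (
    b"\x00\x00GET / HTTP/1.1\x00Host: www.example.jp\x00"
    b"kernel32.dll\x00WinHttpOpen\x00"
    b"expires.ddn.dynssl.com\x00"
    b"\xde\xad\xbe\xef"
)


def extract_hostnames(memory: bytes) -> list:
    """Return unique hostname-looking strings from a memory image, in order found.
    Expect noise such as DLL names; that is why flag_dyndns filters afterwards."""
    seen, hosts = set(), []
    for match in HOSTNAME_RE.finditer(memory):
        host = match.group(0).decode("ascii").lower()
        if host not in seen:
            seen.add(host)
            hosts.append(host)
    return hosts


def flag_dyndns(hosts) -> list:
    """Keep only hosts that are, or sit under, a known dynamic-DNS suffix."""
    return [h for h in hosts
            if any(h == s or h.endswith("." + s) for s in DYNDNS_SUFFIXES)]


LEGIT_HOST = "www.example.jp"            # stand-in for the legitimate Japanese sites
REAL_C2 = "expires.ddn.dynssl.com"       # the in-memory C2 named in the article


def in_trigger_window(now: datetime) -> bool:
    """Tuesday (weekday() == 1) from 08:00 up to but not including 19:00.
    Assumption: local time, with the 7pm boundary exclusive."""
    return now.weekday() == 1 and 8 <= now.hour < 19


def beacon_target(now: datetime) -> str:
    """Which host the modelled implant would contact at a given time."""
    return REAL_C2 if in_trigger_window(now) else LEGIT_HOST


def sweep_clock(start: datetime, hours: int, step_minutes: int = 60) -> list:
    """Advance a simulated clock from `start` for `hours` hours and return the
    contiguous (first, last) timestamps at which the real C2 was selected.
    This is the analyst's shortcut: instead of waiting a week, feed the sample
    fake times and watch which ones change its network behaviour."""
    windows, current = [], None
    t, end = start, start + timedelta(hours=hours)
    while t < end:
        if beacon_target(t) == REAL_C2:
            current = [t, t] if current is None else [current[0], t]
        elif current is not None:
            windows.append((current[0], current[1]))
            current = None
        t += timedelta(minutes=step_minutes)
    if current is not None:
        windows.append((current[0], current[1]))
    return windows


if __name__ == "__main__":
    print("hostnames in memory:", extract_hostnames(SAMPLE_MEMORY))
    print("dynamic-DNS hosts:  ", flag_dyndns(extract_hostnames(SAMPLE_MEMORY)))
    # Monday 25 Feb 2013, swept for one week at hourly resolution.
    for first, last in sweep_clock(datetime(2013, 2, 25), hours=24 * 7):
        print(f"real C2 contacted from {first} to {last}")
```

The memory scan is deliberately noisy (it will pick up `kernel32.dll`), so the dynamic-DNS filter, not the regex, is what surfaces the hidden domain; in practice the suffix list would be much longer. The clock sweep only works if the sample reads the system clock, which is what makes setting the sandbox date to a Tuesday afternoon (or hooking the time APIs) a worthwhile first step; an implant that checks time over the network would need the network responses faked as well.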