People looking to download and read the Mandiant report on Chinese government attacks on U.S. infrastructure should look carefully at the name of the file before opening it. Researchers say at least two different spear-phishing campaigns are circulating right now that use rigged copies of the APT1 report as lures.
The first campaign uses a file named "Mandiant_APT2_Report.pdf", a slight variation on the real report's name, which carries the APT1 moniker that the security firm applies to the specific crew of Chinese attackers discussed in the document. When the file is opened, the document attempts to exploit an older Adobe Reader vulnerability; if the exploit succeeds, it executes a payload and then displays the genuine report as a decoy so the victim sees nothing amiss. The payload is an older one that security researchers have seen in previous attacks.
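The article's advice is to check the filename before opening the document. As an added example (not code from the article, from Mandiant, or from the researcher quoted below), the script that follows does the two checks a recipient can run offline on a file like this: whether the filename is a near-miss of the genuine report name, and whether the PDF carries active content (JavaScript, OpenAction, Launch, embedded files) that a plain report has no reason to include. The genuine filename "Mandiant_APT1_Report.pdf", the keyword list, and the two sample PDF byte strings are assumptions constructed for this example; the script does not identify the Reader vulnerability or the payload the article describes, it only flags the document for closer inspection.

```python
"""Triage a PDF lure of the kind described in the article.

Added example, not the article's or Mandiant's code. Two checks:
  1. is the filename a near-miss of the expected report name?
  2. does the PDF contain name objects typical of weaponised documents?
Neither check detects the specific exploit or payload from the article.
"""
import re

# Assumed genuine filename (the article only says the real name uses "APT1").
EXPECTED_NAME = "Mandiant_APT1_Report.pdf"

# PDF name objects that are common in weaponised documents. A hit is a
# triage signal, not proof of malice; some legitimate PDFs use them too.
RISKY_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
               b"/EmbeddedFile", b"/ObjStm", b"/RichMedia")


def edit_distance(a, b):
    """Case-insensitive Levenshtein distance (inputs are short, O(n*m) is fine)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_lookalike(name, expected=EXPECTED_NAME, max_distance=2):
    """True when name is close to, but not exactly, the expected filename."""
    d = edit_distance(name, expected)
    return 0 < d <= max_distance


def scan_pdf_bytes(data):
    """Count risky name objects in raw PDF bytes.

    PDF allows hex escapes inside names (/J#61vaScript == /JavaScript), a
    classic way to hide keywords from naive scanners, so the escapes are
    decoded before matching. A name must not be followed by another letter,
    so /JS does not match inside /JSomething.
    """
    normalised = re.sub(rb"#([0-9A-Fa-f]{2})",
                        lambda m: bytes([int(m.group(1), 16)]), data)
    hits = {}
    for name in RISKY_NAMES:
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", normalised))
        if n:
            hits[name.decode()] = n
    return hits


def triage(filename, data):
    """Return findings; verdict is 'suspicious' when any check fires."""
    findings = {
        "is_pdf": data.startswith(b"%PDF-"),
        "lookalike_name": is_lookalike(filename),
        "risky_objects": scan_pdf_bytes(data),
    }
    flagged = (not findings["is_pdf"] or findings["lookalike_name"]
               or bool(findings["risky_objects"]))
    findings["verdict"] = "suspicious" if flagged else "clean"
    return findings


# Constructed samples, not real malware: a minimal benign PDF, and one that
# mimics the lure (lookalike name, an OpenAction that runs JavaScript, with
# one keyword hex-escaped to exercise the normalisation step).
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF"
LURE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
            b"3 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n%%EOF")

if __name__ == "__main__":
    for fname, blob in ((EXPECTED_NAME, BENIGN_PDF),
                        ("Mandiant_APT2_Report.pdf", LURE_PDF)):
        print(fname, triage(fname, blob))
```

On the constructed samples, the genuine-looking file comes back clean and the lure is flagged twice over: the filename is one edit away from the expected name, and the scan reports /OpenAction, /JavaScript and /JS even though the JavaScript keyword was hex-escaped. In practice this is a first-pass filter; a hit should send the file to a sandbox or a proper PDF parser rather than to a reader.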
"Once executed on the system, a new process under the name 'AdobeArm.tmp' was identified running and the original Mandiant APT1 report is shown. This payload was collected back on November 6th, 2012 and was completely unchanged, showing a reuse in payloads even after several months," researcher Brandon Dixon said in an analysis of the malware's behavior.