Seculert experts have analyzed the attacks which leveraged Mandiant's report

Mar 6, 2013 12:05 GMT
[Figure: piece of malware used against Japanese journalists only triggered on certain days]

Shortly after Mandiant released its report on the Chinese APT1 campaign, experts noticed that cybercriminals were sending out malicious emails that leveraged the news.

Seculert experts identified spear-phishing attacks against Chinese and Japanese journalists, in which fake Mandiant reports were used.

After analyzing the malware used in the attacks against Japanese journalists, Seculert researchers noticed that the malicious component is designed like a “time bomb”: it is programmed to activate only during a specific timeframe.

Most of the time, the malware communicates only with legitimate Japanese websites, but on Tuesdays, between 8 AM and 7 PM, it also contacts an additional command and control (C&C) domain, expires.ddn.dynssl.com.

In this relatively short time interval, the malware downloads additional malicious components, setting the stage for a new phase of the attack.
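A defender-side way to surface this kind of behaviour in resolver logs, written here as an added example (not Seculert's code or tooling). The log lines are constructed for the example and reuse the C&C domain named above; the window check encodes the Tuesday 8 AM to 7 PM interval the article describes. A sandbox run that lasts a few minutes on the wrong day never sees the second domain, so the useful signal is a name whose lookups all cluster into one recurring weekday while the legitimate traffic spreads across the week:

```python
"""Flag domains whose lookups all fall on a single recurring weekday.

Added example for the article above; the sample log is constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed resolver log: "<ISO timestamp> <client> <queried name>".
# 2013-02-26 and 2013-03-05 are Tuesdays; 02-28 is a Thursday, 03-01 a Friday.
SAMPLE_LOG = """\
2013-02-26T08:14:02 10.0.0.5 www.legit-news-site.jp
2013-02-26T08:14:05 10.0.0.5 expires.ddn.dynssl.com
2013-02-26T13:40:11 10.0.0.5 www.legit-news-site.jp
2013-02-26T13:40:12 10.0.0.5 expires.ddn.dynssl.com
2013-02-28T09:05:30 10.0.0.5 www.legit-news-site.jp
2013-03-01T17:22:45 10.0.0.5 www.legit-news-site.jp
2013-03-05T10:01:09 10.0.0.5 www.legit-news-site.jp
2013-03-05T10:01:10 10.0.0.5 expires.ddn.dynssl.com
2013-03-05T18:30:00 10.0.0.5 expires.ddn.dynssl.com
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, domain) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name = line.split()
        records.append((datetime.fromisoformat(ts), client, name.lower()))
    return records


def window_bound_domains(records, min_hits=3):
    """Return {domain: (weekday, first_hour, last_hour)} for every domain
    seen at least min_hits times whose lookups all share one weekday.
    Weekday follows datetime.weekday(): Monday=0, Tuesday=1, ..., Sunday=6.
    """
    by_domain = defaultdict(list)
    for ts, _client, name in records:
        by_domain[name].append(ts)
    flagged = {}
    for name, stamps in by_domain.items():
        if len(stamps) < min_hits:
            continue
        weekdays = {t.weekday() for t in stamps}
        if len(weekdays) == 1:
            hours = [t.hour for t in stamps]
            flagged[name] = (weekdays.pop(), min(hours), max(hours))
    return flagged


def in_trigger_window(ts, weekday=1, start_hour=8, end_hour=19):
    """True if ts falls in the window the article describes: Tuesday,
    from 08:00 up to (but not including) 19:00 local time. Useful for
    deciding when a controlled detonation would actually reach the C&C.
    """
    return ts.weekday() == weekday and start_hour <= ts.hour < end_hour


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for domain, (wd, first, last) in window_bound_domains(recs).items():
        print(f"{domain}: only seen on weekday {wd}, hours {first:02d}-{last:02d}")
    for ts, _c, name in recs:
        if in_trigger_window(ts):
            print(f"in window: {ts.isoformat()} {name}")
```

The weekday test is deliberately coarse: real logs need a longer observation period and a higher `min_hits` before a single-weekday cluster is meaningful, and a name resolved through a dynamic-DNS provider should also be compared against what the parent domain resolves to, as the article goes on to do.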

It’s worth noting that expires.ddn.dynssl.com resolves to a server located in Korea, while its parent domain, ddn.dynssl.com, resolves to one located in China, specifically in a region linked to other cybercriminal campaigns.

In this case, the C&C domain was suspended before the “bomb” was triggered.