APT attackers spoof email sent by malware researcher

Pro-Tibetan activists and organizations currently seem to be one of the most targeted groups when it comes to emails with malicious attachments, and the people behind the attacks are constantly devising new and different schemes aimed at infecting the targeted machines.

An interesting example of such a malicious email has recently been spotted by FireEye researcher Alex Lanstein, who is currently monitoring these spam campaigns.

Interested in analyzing these emails and sharing his findings with the public, Lanstein sent an email to a number of actively targeted individuals whose email addresses he had thanks to VirusTotal, asking them if they would be willing to be mentioned in a blog entry about these types of attacks.

But, one of the individuals on the BCC list to which he sent the email was already compromised, and the attackers lost little time in copying and pasting the text into a new email, spoofing Lanstein’s email address, attaching a malicious PDF file and sending the spoofed email to other potential victims (click on the screenshot to enlarge it):

According to Trend Micro researcher Ivan Macalintal, by exploiting a vulnerability, the attachment – Next Generation Threats.pdf – drops a malicious JavaScript that in its turn drops a RAT that connects to a IP address located in China.

It then sends user account names and passwords, a list of drives and files, and IM IDs and passwords to the server on that same address, but also opens a decoy PDF file containing a screenshot of FireEye’s official website in order mask the real nature of the attachment.

Once again, there are a few hints that the people behind the attack are Chinese. The email text was recreated under a key official character set of the People’s Republic of China, and in the footer of the decoy PDF file a few Chinese characters can be found.