Coming hot on the heels of previous reports, more info has been released regarding the recent emails sent to journalists in China containing malware. It seems whoever is sending the emails has been targeting Chinese employees of major media organizations, hooking the reader’s interest by detailing a possible trip to China to research China’s role in the global economy.
The email, more often than not from someone claiming to be an editor at the Straits Times and using the address “Pam
The IP address currently being used is assigned to a Taiwan network, and the behavior of the malware is similar to that used in previous attacks from 2008. All contacts listed on the attachment appear to be accurate, begging the question of how the attacker got hold of this contact information to begin with. An inside job, perhaps?
The email we got after the jump:
There have been recent reports of malware attacks on journalists based in China. The attacks specifically targeted Chinese employees working for media organizations, including Reuters, the Straits Times, Dow Jones, Agence France Presse, and Ansa.
These employees received an email from “Pam
” who claimed to be an editor with the Straits Times, that came with a PDF attachment that contains malware. When opened, malicious code in the PDF exploits the Adobe Reader program and drops the malware on the target’s computer.
These attacks correlate with reports of increased security measures within China as a result of the 60th anniversary of the founding of the People’s Republic of China. These increased security measures have also been extended to the Internet, with providers of anti-censorship technology reporting increased levels of blocking that prevents people from accessing the web sites of foreign media and news organizations.
This short briefing from the Malware Lab and the Information Warfare Monitor analyzes a sample from one of the attacks on behalf of an international news agency that operates in China, and a member of the Foreign Correspondents Club in Beijing.
* The content of the email, and the accompanying malicious attachment, are in well written English and contain accurate information. The email details a reporter’s proposed trip to China to write a story on China’s place in the global economy; all the contacts in the malicious attachment are real people that are knowledgeable about or have a professional interest in China’s economy.
* The domain names used as “command & control” servers for the malware have been used in previous targeted attacks dating back to 2007. The malware domain names, as in previously documented cases, only resolve to real IP addresses for short periods of time.
* The malware exploits vulnerabilities in the Adobe PDF Reader, and its behaviour matches that of malware used in previous attacks dating back to 2008. This malware was found on computers at the Offices of Tibet in London, and has used political themes in malware attachments in the past.
* The IP addresses currently used by the malware are assigned to Taiwan. One of the servers is located at the National Central University of Taiwan, and is a server to which students and faculty connect to download anti-virus software. The second is an IP address assigned to the Taiwan Academic Network. These compromised servers present a severe security problem as the attackers may have substituted their malware for anti-virus software used by students, employees, and faculty at the National Central University.
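The second finding above describes C2 domains that resolve to a real address only for short windows and otherwise sit parked. The following script is an added example, not code from the briefing or from the Malware Lab: it runs over a constructed, simplified resolver log (the domain names and timestamps are invented, and the 203.0.113.0/24 documentation range stands in for a routable address) and flags domains that flip between parked and live answers while spending most of the observation period parked.

```python
"""
Spot domains that resolve to a real address only for short windows,
the pattern the briefing describes, using a constructed resolver log.
Added example; log lines, domain names and the log format are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed lines in a simplified "timestamp domain A answer" format.
# c2-one.invalid is parked at loopback most of the time and live only briefly;
# news.example is a normal, always-resolving host for comparison.
LOG = """\
2009-09-27T08:00 c2-one.invalid A 127.0.0.1
2009-09-27T12:00 c2-one.invalid A 127.0.0.1
2009-09-27T16:00 c2-one.invalid A 203.0.113.7
2009-09-27T20:00 c2-one.invalid A 127.0.0.1
2009-09-28T00:00 c2-one.invalid A 127.0.0.1
2009-09-28T04:00 c2-one.invalid A NXDOMAIN
2009-09-28T08:00 c2-one.invalid A 203.0.113.9
2009-09-28T12:00 c2-one.invalid A 127.0.0.1
2009-09-27T08:00 news.example A 203.0.113.20
2009-09-27T12:00 news.example A 203.0.113.20
2009-09-27T16:00 news.example A 203.0.113.20
2009-09-27T20:00 news.example A 203.0.113.20
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+A\s+(\S+)$")


def is_live(answer: str) -> bool:
    """A live answer is a routable address; NXDOMAIN, loopback and 0.0.0.0 count as parked."""
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return False  # NXDOMAIN, SERVFAIL or a garbled field
    return not (addr.is_loopback or addr.is_unspecified)


def parse_log(text: str):
    """Yield (timestamp, domain, live) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), is_live(m.group(3))


def intermittent_domains(text: str, max_live_fraction: float = 0.5, min_flips: int = 2) -> dict:
    """Return domains that were live at least once, live for at most max_live_fraction
    of observations, and flipped between parked and live at least min_flips times."""
    obs = defaultdict(list)
    for ts, domain, live in parse_log(text):
        obs[domain].append((ts, live))
    flagged = {}
    for domain, seq in obs.items():
        seq.sort()  # ISO-8601 timestamps sort chronologically as strings
        flags = [live for _, live in seq]
        live_count = sum(flags)
        flips = sum(1 for a, b in zip(flags, flags[1:]) if a != b)
        if live_count and live_count / len(seq) <= max_live_fraction and flips >= min_flips:
            flagged[domain] = {
                "observations": len(seq),
                "live": live_count,
                "flips": flips,
                "live_at": [ts for ts, live in seq if live],
            }
    return flagged


if __name__ == "__main__":
    for domain, stats in intermittent_domains(LOG).items():
        print(domain, stats)
```

The thresholds are deliberately loose defaults; on real passive-DNS data you would tune them per TTL and polling interval, and the timestamps at which a domain went live are the values worth correlating against proxy or mail logs.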
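The third finding concerns a PDF attachment that exploits Adobe Reader when opened. As an added example, separate from the briefing and its sample, the script below does the static triage a mail-gateway or analyst would run on such an attachment: it counts the PDF name objects that indicate active or auto-executing content, decodes the `#xx` name escapes that are commonly used to hide them, and reports whether the file wires an auto-open action to script or launch content. The two PDFs embedded in it are constructed for the demonstration, not the attachment from the attacks.

```python
"""
Static triage of a PDF attachment: flag the features targeted-attack PDFs rely
on (JavaScript, auto-open actions, launch actions, embedded files).
Added example; the sample PDFs below are constructed and contain no exploit.
"""
import re
from collections import Counter

# PDF name objects that indicate active content or automatic execution.
RISKY_NAMES = {
    "/JavaScript": "embedded JavaScript",
    "/JS": "embedded JavaScript (short form)",
    "/OpenAction": "action run when the document opens",
    "/AA": "additional, event-triggered actions",
    "/Launch": "launches an external program",
    "/EmbeddedFile": "embedded file payload",
    "/RichMedia": "Flash or other rich-media content",
    "/XFA": "XFA forms",
}

# Constructed sample: an auto-open action pointing at a JavaScript action whose
# /S value is written as /Java#53cript to dodge naive string matching.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 8 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
8 0 obj << /Type /Action /S /Java#53cript /JS (app.alert('hello')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same skeleton with no actions at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes so /Java#53cript reads as /JavaScript.
    Applied to the whole file for simplicity; stream bodies may be touched too,
    which is acceptable for triage but not for exact reconstruction."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Count risky name objects and decide whether the file auto-executes content."""
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "findings": {}, "obfuscated_names": False,
                "auto_exec": False, "score": 0}
    text = normalise_names(data)
    findings = Counter()
    for name in RISKY_NAMES:
        # Require a delimiter after the name so /JS does not match /JSX etc.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        hits = len(re.findall(pattern, text))
        if hits:
            findings[name] = hits
    obfuscated = text != data
    triggers = {"/OpenAction", "/AA"} & findings.keys()
    payloads = {"/JavaScript", "/JS", "/Launch"} & findings.keys()
    auto_exec = bool(triggers and payloads)
    # Simple additive score: each risky name plus a penalty for name obfuscation.
    score = sum(findings.values()) + (2 if obfuscated else 0)
    return {"is_pdf": True, "findings": dict(findings), "obfuscated_names": obfuscated,
            "auto_exec": auto_exec, "score": score}


if __name__ == "__main__":
    for label, pdf in (("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF)):
        print(label, triage_pdf(pdf))
```

This keyword triage is a first filter, not a verdict: it catches the auto-open-plus-script pattern cheaply, but a document with compressed object streams or a malformed structure that still renders needs a real parser, and a clean result here says nothing about a reader vulnerability triggered through a font or image stream.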
With increased censorship due to the approach of the PRC’s 60th anniversary, the additional threat of malware only makes the prospect of reporting news more difficult. It sho’ is hard out here for a journalist.