Phishing Attacks Traced to Chinese Servers

Security experts are warning of an ongoing spear phishing campaign aimed at defense contractors, universities and SCADA security companies like Digitalbond.

The attacks have been traced back to servers in China, and start with emails made to look like they came from employees or executives of the company being attacked. The messages carry PDF attachments that, if opened, install a Trojan called spoolsvr.exe. The Trojan then calls out to a command and control server located at a domain called happyforever.com and downloads more malware, including an obscure executable called tanghi.exe that gives the attacker remote access to the infected system. Tanghi.exe is particularly dangerous because most antivirus and anti-malware software cannot detect it yet.
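The article names three concrete indicators a defender can hunt for right away: the C2 domain happyforever.com and the two dropped executables spoolsvr.exe and tanghi.exe. The script below is an added example, not code from the article or from the researchers it cites; it runs simple indicator matching over constructed DNS, proxy and process-creation log lines (the formats are assumed, loosely modelled on dnsmasq, squid and Sysmon output). The one edge case worth showing is the dropped name spoolsvr.exe, which differs by a single letter from the legitimate Windows print spooler spoolsv.exe, so the check compares the whole file name rather than searching for a substring.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from the article: the C2 domain and the two dropped binaries.
C2_DOMAINS = {"happyforever.com"}
DROPPED_BINARIES = {"spoolsvr.exe", "tanghi.exe"}

# Constructed sample log lines (assumed formats, not real captures).
# Line 4 is the legitimate print spooler and must NOT be flagged.
SAMPLE_LOGS = [
    "Jun 15 09:12:01 dns dnsmasq[812]: query[A] www.happyforever.com from 10.0.0.5",
    "Jun 15 09:12:01 dns dnsmasq[812]: query[A] updates.example.com from 10.0.0.5",
    "Jun 15 09:12:03 proxy squid[2011]: 10.0.0.5 GET http://www.happyforever.com/get.php",
    "Jun 15 09:12:05 ws05 sysmon: EventID=1 Image=C:\\Windows\\System32\\spoolsv.exe",
    "Jun 15 09:12:07 ws05 sysmon: EventID=1 Image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\spoolsvr.exe",
    "Jun 15 09:12:40 ws05 sysmon: EventID=1 Image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\tanghi.exe",
]


@dataclass
class Hit:
    line_no: int
    indicator: str
    reason: str
    line: str


# Assumed log shapes: "query[A] <host>", "http://<host>/...", "Image=<path>".
DNS_RE = re.compile(r"query\[[A-Z]+\]\s+(?P<host>[\w.-]+)")
PROXY_RE = re.compile(r"\bhttps?://(?P<host>[\w.-]+)", re.I)
PROC_RE = re.compile(r"\bImage=(?P<path>\S+)")


def domain_matches(host: str) -> Optional[str]:
    """Return the matching C2 domain if host is that domain or a subdomain of it.

    Label-aware matching: 'www.happyforever.com' matches, 'nothappyforever.com' does not.
    """
    host = host.lower().rstrip(".")
    for domain in C2_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_logs(lines: List[str]) -> List[Hit]:
    """Walk log lines and collect every indicator match with the reason it fired."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        # Network side: DNS lookups and proxied HTTP requests to the C2 domain.
        for rx, kind in ((DNS_RE, "dns"), (PROXY_RE, "proxy")):
            m = rx.search(line)
            if m:
                domain = domain_matches(m.group("host"))
                if domain:
                    hits.append(Hit(n, domain, f"{kind} contact with C2 domain", line))
        # Host side: process creation of one of the dropped executables.
        m = PROC_RE.search(line)
        if m:
            # Normalise Windows separators and compare the full file name, so the
            # legitimate spoolsv.exe is not confused with the dropped spoolsvr.exe.
            name = m.group("path").replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in DROPPED_BINARIES:
                hits.append(Hit(n, name, "execution of dropped binary", line))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.reason} [{hit.indicator}]")
```

Indicator matching like this is the quickest check to run once a report is out, but it is also the shortest-lived: a domain or file name is trivial for the operator to change, so treat a hit as a prompt to look at the host's PDF-reader child processes and outbound connections rather than as the whole detection.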

It’s not clear exactly what information the attacks are designed to steal, but given they are targeted at security firms, defense contractors and universities such as Carnegie Mellon and Purdue, the possibilities are chilling – especially if it’s revealed that the Chinese government is behind them. The Chinese government has been accused of cyberattacks in the past but has always vehemently denied any involvement.

Spear phishing attacks are on the rise as phishers realize that the traditional wide-net attacks are no longer profitable. By carefully targeting and personalizing their attacks, they increase the chances of recipients falling for them. The payloads they are after seem to be shifting from simple passwords and PayPal details to government data and sensitive business documents. Phishing and cyber espionage seem to be going hand in hand these days.

Researchers say the attacks are similar to last year’s Shady Rat attacks and possibly being conducted by the same group.

Written by Sue Walsh


  1. David Dryden · June 15, 2012

    Absolutely chilling. Companies and institutions who may be targeted like this need to adopt a two-tiered form of communication when dealing with attachments and things of that nature, either employing a sort of “sniffer” who can test the attachment in a safe environment before moving it along or some form of pingback confirmation sent by the recipient of the first message before opening any attachments. Convoluted, sure, but it’s one way to prevent these kinds of attacks.

  2. Thelma Okonawa · June 17, 2012

    It is not difficult to believe this. Every country worth its salt in military and economic power has in its arsenal a plethora of cyber espionage tools. This is not to encourage conspiracy theorists. But, it would be plain naivety not to be open to those probabilities.

    I am not saying though that this is commissioned explicitly by the Chinese government. It is highly probable that an overzealous patriot is doing this.

    I believe it just happens that whoever is behind this was not careful enough to keep the attack hidden. It takes a lot of sophistication to snoop without being caught.

  3. Talina Rivera · June 29, 2012

    There’s a lot that most of us don’t know behind closed doors. I bet there are more sophisticated hacking attempts than what’s reported here. Given the ideological differences, economic dynamics and military showcasing among different countries and super-powers, it is just but expected that they try to create leverage by getting information. Information, after all, is still power.

    I would like to believe and rely on the fact that the US will never ever want to have anyone or any country have the upper hand in terms of security. And having this reported and publicized is just one way of saying to the others “we know what you’re doing.”
