The second spear-phishing attack detected on Thursday targets Chinese-speaking users and uses a malicious attachment called "Mandiant_APT2_Report.pdf."
According to an analysis of the PDF file by researcher Brandon Dixon of security consultancy firm 9b+, the document exploits an older Adobe Reader vulnerability that was discovered and patched in 2011.
The malware installed on the system establishes a connection to a domain that currently points to a server in China, Dixon said via email. "The malware provides attackers with the ability to execute commands on the victim's system."
The domain name contacted by this malware was also used in the past in attacks that targeted Tibetan activists, Seculert's Raff said. Those older attacks installed both Windows and Mac OS X malware, he said.
Greg Walton, a researcher from MalwareLab, a security outfit that tracks politically motivated malware attacks, said on Twitter that the Mandiant-themed spear-phishing attack targeted journalists in China. Neither Raff nor Dixon could confirm this; both said they had copies only of the malicious attachment, not of the original spam emails that carried it.