Mandiant APT1 malware spreading around infecting thousands of computers



Symantec and a few others have reported multiple malicious versions of the APT1 report infecting thousands of computers worldwide. The attackers are distributing several trojanized copies of the APT1 report, tricking users into downloading and opening the PDF.

As per the Mandiant blog report:

As we noted yesterday, Brandon Dixon’s 9B+ blog and Symantec reported the discovery of two malicious versions of our APT1 report. We wanted to provide follow-on details based on our analysis of these samples. Additionally, we have attached Indicators of Compromise (IOCs) so folks can begin using them to detect the malware.

PDF1 – “Mandiant_APT2_Report” Lure

MD5: 14A6E24977FF6E7E8A8661AADFA1A1F3

This is a password protected PDF using the password “hello” and exploits the CVE-2011-2462 vulnerability from back in December of 2011. Once opened it drops %TEMP%\AdobeArm.tmp (4D9A1144E08E7FAE7D6DB8BC606F5BE5) and %TEMP%\Mandiant_APT2_Report.pdf (29E9494E2EBA1D8F8AD9EE308FFE53EF). The newly dropped report is opened and the AdobeArm.tmp binary is executed.

– See more at:
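The IoCs quoted above (three MD5 hashes and two dropped-file names under %TEMP%) are the practical takeaway for defenders. The script below is an added example, not code from Mandiant or from this post, showing how a responder would use them: it hashes every file under a directory, flags exact matches against the published MD5s, and separately flags files whose name matches a dropped artifact even when the hash differs (a variant may have a different hash, so a name hit is a weaker signal worth a manual look). The constructed sample files in `demo()` are not the real malware; only the hash values and file names come from the post.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 IoCs exactly as published in the Mandiant post quoted above.
KNOWN_MD5 = {
    "14A6E24977FF6E7E8A8661AADFA1A1F3": "PDF1 - Mandiant_APT2_Report lure",
    "4D9A1144E08E7FAE7D6DB8BC606F5BE5": "dropped %TEMP%\\AdobeArm.tmp",
    "29E9494E2EBA1D8F8AD9EE308FFE53EF": "dropped %TEMP%\\Mandiant_APT2_Report.pdf",
}

# Dropped-file names from the post. A name match alone is a weak signal:
# it only means the file deserves hashing and a manual look.
SUSPICIOUS_NAMES = {"adobearm.tmp", "mandiant_apt2_report.pdf"}


def md5_of_bytes(data: bytes) -> str:
    """MD5 of an in-memory blob, uppercase hex to match the published IoCs."""
    return hashlib.md5(data).hexdigest().upper()


def md5_of_file(path, chunk_size=1 << 16) -> str:
    """Stream the file through MD5 so large PDFs do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def classify(path):
    """Return (verdict, detail) for one file.

    verdict is "match" (hash equals a published IoC), "suspicious-name"
    (file name equals a dropped artifact but hash differs), or "clean".
    """
    digest = md5_of_file(path)
    if digest in KNOWN_MD5:
        return "match", KNOWN_MD5[digest]
    if Path(path).name.lower() in SUSPICIOUS_NAMES:
        return "suspicious-name", digest
    return "clean", digest


def scan_directory(directory):
    """Walk a directory tree and classify every regular file."""
    results = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            results[full] = classify(full)
    return results


def demo():
    """Run the scanner over constructed sample files (not real malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed: same name as the dropper, harmless content, so only
        # the name heuristic fires and the hash will not match an IoC.
        Path(tmp, "AdobeArm.tmp").write_bytes(b"constructed sample, not the real dropper")
        Path(tmp, "notes.txt").write_bytes(b"harmless")
        return {Path(p).name: verdict for p, verdict in scan_directory(tmp).items()}


if __name__ == "__main__":
    # On a Windows host the post's drop location is os.environ["TEMP"];
    # scan_directory(os.environ["TEMP"]) checks it with the same logic.
    for name, (verdict, detail) in demo().items():
        print(f"{verdict:16} {name}  {detail}")
```

Expected behaviour: the constructed `AdobeArm.tmp` is reported as `suspicious-name` with its hash printed for follow-up, and `notes.txt` is `clean`. On a real host, point `scan_directory` at the user's `%TEMP%` (the drop location named in the post); a `match` verdict means the file hash equals one of the three published IoCs.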

Screenshot from Symantec



