Apr 14 2008
This morning Symantec reported that Japanese companies are being targeted with a phishing/spam campaign using spoofed emails that appear to be from the Japanese government. The emails contain two attachments, one of which is an executable backdoor/keylogger. There are two variants: one receives C&C from cyhk.3322.org and the other from hi222.3322.org. The 3322.org domain is used for dynamic DNS (DNS bouncer) and was also used in the recently reported attack on a US Defense Contractor, as well as in some others.
Update (April 16) from Takeda Humi Kei’s Japanese security blog about the attacks.
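To check resolver logs for the two C&C hostnames named above, and for any other lookups under the 3322.org dynamic DNS zone, a matcher along these lines can be used. This is an added example, not code from Symantec or from the original post; the log format (timestamp, client, query type, query name) and the sample lines are constructed assumptions.

```python
# C&C hostnames named in the post, one per variant.
C2_HOSTS = {"cyhk.3322.org", "hi222.3322.org"}
# Dynamic DNS parent zone named in the post.
DYNDNS_ZONE = "3322.org"


def normalize(qname):
    """Lower-case and drop the trailing root dot so 'CYHK.3322.ORG.' still matches."""
    return qname.strip().lower().rstrip(".")


def classify(qname):
    """Return 'c2' for a listed host, 'dyndns' for any other name in the zone, else None."""
    name = normalize(qname)
    if name in C2_HOSTS:
        return "c2"
    # Match on a label boundary: 'x.3322.org' is in the zone, while
    # 'evil3322.org' and '3322.org.example.com' are not.
    if name == DYNDNS_ZONE or name.endswith("." + DYNDNS_ZONE):
        return "dyndns"
    return None


def scan(lines):
    """Return (client, qname, verdict) for every flagged query in the log lines."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:  # skip malformed or truncated records
            continue
        _ts, client, _qtype, qname = fields[:4]
        verdict = classify(qname)
        if verdict:
            hits.append((client, normalize(qname), verdict))
    return hits


# Constructed sample log lines (assumed format: timestamp client qtype qname).
SAMPLE_LOG = [
    "2008-04-14T09:01:02 10.0.0.15 A www.example.jp",
    "2008-04-14T09:01:05 10.0.0.15 A CYHK.3322.org.",
    "2008-04-14T09:02:11 10.0.0.22 A hi222.3322.org",
    "2008-04-14T09:03:40 10.0.0.31 A other.3322.org",
    "2008-04-14T09:04:00 10.0.0.31 A evil3322.org",
    "2008-04-14T09:04:09 10.0.0.40 A 3322.org.example.com",
    "malformed line",
]

if __name__ == "__main__":
    for client, qname, verdict in scan(SAMPLE_LOG):
        print(client, qname, verdict)
```

A "dyndns" verdict only means the name sits under the dynamic DNS zone and deserves a look; the "c2" verdict is the one tied to the hostnames reported for this campaign.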