Our monitoring of Operation Pawn Storm has led to an interesting finding: the domain we previously reported as hosting the Java zero-day used in the latest Pawn Storm campaign has been modified so that it now resolves to a Trend Micro IP address. Our investigation has shown that our systems have not been attacked or compromised. The attackers simply redirected a DNS record to point to a Trend Micro IP address, likely in retaliation for our disclosure and the subsequent patching of the Oracle Java zero-day vulnerability they were exploiting.
Figure 1. Changes in the Pawn Storm infection chain
The DNS A record of the domain ausameetings[.]com now points to 18.104.22.168, an IP address belonging to Trend Micro. While it was serving the zero-day exploit, ausameetings[.]com resolved to 95[.]215[.]45[.]189.
Figure 2. DNS A record of ausameetings[.]com
We are not sure exactly when the domain was pointed to Trend Micro, but based on the DNS record naming convention, it was most likely modified to point to Trend Micro yesterday, July 14.
We do not have clear evidence that points to the cause behind these developments, but we see the following possible motives:
- To serve as a form of retaliation by the Pawn Storm operators against Trend Micro for disclosing details about their most recent campaign
- To mislead network administrators into associating our IP address with the attack, possibly causing them to mistakenly block it
- To deceive security researchers into thinking that the Trend Micro IP address is compromised or being misused by Operation Pawn Storm
It bears stressing that we found no traces of compromise or misuse. We will continue to monitor this and update this post as soon as there are relevant developments.
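As an added example (not code from the original post), the following Python script shows how a defender can track the A record history of the domain discussed above and derive block actions from it without blocking the third-party address the domain was later repointed to. The resolution history is constructed for this example; the two addresses are the ones named in the post, while the year and the dates other than July 14 are assumptions.

```python
import ipaddress

# Constructed resolution history for the domain named in the post. The two
# addresses are the ones the post reports; the year and the dates other than
# July 14 are assumptions made for this example.
RESOLUTION_LOG = [
    ("2015-07-08", "ausameetings[.]com", "95[.]215[.]45[.]189"),
    ("2015-07-13", "ausameetings[.]com", "95[.]215[.]45[.]189"),
    ("2015-07-14", "ausameetings[.]com", "18.104.22.168"),
]

# The only address that was actually observed serving the exploit.
EXPLOIT_IPS = {"95.215.45.189"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1[.]2[.]3[.]4') back into a plain string."""
    return indicator.replace("[.]", ".")


def a_record_changes(log):
    """Return (day, domain, old_ip, new_ip) for every change in a domain's A record."""
    last = {}
    changes = []
    for day, domain, ip in sorted(log):
        domain, ip = refang(domain), refang(ip)
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        if domain in last and last[domain] != ip:
            changes.append((day, domain, last[domain], ip))
        last[domain] = ip
    return changes


def blocklist_for(log, exploit_ips):
    """Always block the malicious domain itself, but only block an IP that was
    observed serving the exploit. Any other address the domain has resolved to
    (such as one the operators repointed it at) is queued for review instead."""
    actions = {"block_domains": set(), "block_ips": set(), "review_ips": set()}
    for _, domain, ip in log:
        domain, ip = refang(domain), refang(ip)
        actions["block_domains"].add(domain)
        if ip in exploit_ips:
            actions["block_ips"].add(ip)
        else:
            actions["review_ips"].add(ip)
    return actions


if __name__ == "__main__":
    for change in a_record_changes(RESOLUTION_LOG):
        print("A record changed on %s: %s %s -> %s" % change)
    print(blocklist_for(RESOLUTION_LOG, EXPLOIT_IPS))
```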
Operation Pawn Storm is a campaign known to specifically target government organizations. One of its most recent campaigns targeted NATO members as well as the White House.