Researchers have uncovered a regional variant of a recently-discovered Chinese APT which could have been used for secondary attacks in Japan.
According to a report from Seculert, the malware instructed infected computers to only communicate with command and control (C&C) servers at specific times. Outside of this small time window, the infected machines were set to communicate with legitimate websites.
This appears to be an attempt to mask the location of the true C&C servers, Securlert noted.
The server, which has since been suspended, would have presumably sent instructions or a new malware payload to infected systems. Unlike previous "time bomb" worries, such as the 2009 Conficker worm, this attack could have been a visible and significant operation had it been triggered.
Aviv Raff, chief technology officer for Seculert, told V3 that the targeted nature of the APT meant that the malware's creators likely had a major event in mind when they set the event up.
"The are no similarities between Conficker and this, as Conficker was more of an opportunistic attack which didn't target any specific entities. While this is a targeted attack, which targeted a specific region and people," he explained.
"This means that most probably the next phase would be an information stealing malware, and right after that a malware that will cover the tracks of the attack - like Shamoon."
The APT, first discovered by researchers with Mandiant, is believed to have infected select individuals at more than 140 companies worldwide. While researchers have traced the attacks to military operations in China, state officials have denied any wrongdoing or involvement in the operation.