
"1.php" Group Intrusion Set Paper

THREATLABZ
October 12, 2011 - 2 min read

Update: report links now go straight to the paper versus the general Whitepaper page.

ThreatLabZ has just released a report that provides a summary of incident information related to the "1.php" Group. Historically, this Group used command and control servers (C&Cs) with "/1.php?" as the checkin URL path, which is the reason for the informal name. They have repeatedly targeted one of our customers, so I worked to compile some research on this group. There is evidence that the group has been operating at least since 2008 and that they tend to target China/US relations experts, Defense entities, and Geospatial entities using spear phishing with a malicious PDF attachment or a link to a ZIP that decompresses a malicious SCR. The payload is often a PoisonIvy remote access tool/trojan (RAT) or something similar. They have varied their C&C checkin behavior, but it is usually over the web: sometimes HTTPS, sometimes HTTP with different checkin parameters/paths. The Group either registers their own domains or uses No-IP dynamic DNS domains for their C&Cs.
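As an added example (not part of the original post or the report), the following script shows how a defender could sweep web proxy logs for the "/1.php?" checkin pattern described above and raise the score for hosts under a dynamic DNS parent domain. The log format, hostnames and dynamic DNS suffix are constructed placeholders, not indicators from the report.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines: "<timestamp> <client_ip> <method> <url> <status>".
# Hostnames are placeholders, not real indicators from the report.
SAMPLE_LOG = """\
2011-10-11T09:14:02Z 10.0.0.21 GET http://update.example-news.test/1.php?id=8a1 200
2011-10-11T09:14:05Z 10.0.0.21 GET http://www.example-cdn.test/static/1.php 200
2011-10-11T09:15:40Z 10.0.0.33 GET https://host1.dyn-placeholder.test/1.php?a=1&b=2 200
2011-10-11T09:16:10Z 10.0.0.44 POST http://www.example-corp.test/login.php?next=/ 302
2011-10-11T09:17:00Z 10.0.0.21 GET http://update.example-news.test/1.php?id=8a2 200
"""

# Dynamic DNS parent domains treated as higher risk. The post notes the group used
# No-IP dynamic DNS; the suffix below is a placeholder for a list you maintain.
DYNDNS_SUFFIXES = (".dyn-placeholder.test",)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def is_1php_checkin(url):
    """True when the path is exactly /1.php and a query string is present ("/1.php?")."""
    parts = urlsplit(url)
    return parts.path == "/1.php" and parts.query != ""


def scan_log(text, dyndns_suffixes=DYNDNS_SUFFIXES):
    """Return (client_ip, host, risk) for each log line matching the checkin pattern."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        _ts, client, _method, url, _status = m.groups()
        if not is_1php_checkin(url):
            continue
        host = urlsplit(url).hostname or ""
        # Both HTTP and HTTPS are covered because only path and query are inspected.
        risk = "high" if host.endswith(dyndns_suffixes) else "medium"
        hits.append((client, host, risk))
    return hits


def repeat_offenders(hits, threshold=2):
    """Client IPs with at least `threshold` matching requests (repeated checkins)."""
    counts = {}
    for client, _host, _risk in hits:
        counts[client] = counts.get(client, 0) + 1
    return sorted(c for c, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("repeat offenders:", repeat_offenders(found))
```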

 
For further details on the "1.php" Group research, please register and view the report HERE.
 
One challenge with doing this research is deciding who to share the information with, and how. Responsible disclosure is pretty well defined at this point for vulnerability information, but it is not for incident response information (particularly when the "APT" term is used).
 
This report provides high-level indicators of compromise (such as general network behavior and malicious domains) without the release of specifics, such as victim information. The purpose is to establish a community of awareness so that organizations can better detect and protect against these and similar threats. Additional specifics of the attacks were limited to stakeholders (victims and those chartered with protecting them).
 
If you have additional details on this Group or would like to exchange information with Zscaler - please contact us at our threatlabz email address.