A cyberespionage hacking group tracked as ‘Bitter APT’ was recently seen targeting the Chinese nuclear energy industry using phishing emails to infect devices with malware downloaders.
Bitter is a suspected South Asian hacking group known to target high-profile organizations in the energy, engineering, and government sectors in the Asian-Pacific region.
In May 2022, Bitter APT was spotted using spear phishing emails with malicious XLSX document attachments to load a trojan named ‘ZxxZ’ on targets in Southeast Asia.
In August 2022, Meta reported that Bitter APT was using a new Android spyware tool named ‘Dracarys’ against users in New Zealand, India, Pakistan, and the United Kingdom.
This hacking campaign was discovered by threat analysts at Intezer, who attribute it to Bitter APT based on the observed TTPs (tactics, techniques, and procedures) that match those of past campaigns by the same threat actor.
Targeting China’s nuclear field
In the new campaign found by Intezer, Bitter sends emails pretending to be from the Embassy of Kyrgyzstan in Beijing to various Chinese nuclear energy companies and academics related to that field.
The email pretends to be an invitation to a conference about nuclear energy supposedly held by the Kyrgyz Embassy, the International Atomic Energy Agency (IAEA), and the China Institute of International Studies (CIIS).
Phishing email body (Intezer)
The name that signs the email is genuine, belonging to an official of the Kyrgyzstan Ministry of Foreign Affairs, showing Bitter APT’s attention to details that help add legitimacy to their communications.
The recipients are urged to download the email’s RAR attachment which supposedly contains an invitation card for the conference but, in reality, has either a Microsoft Compiled HTML Help file (CHM) or a malicious Excel document.
In most cases, Bitter APT uses a CHM payload that executes commands to create scheduled tasks on the compromised system and download the next stage.
When an Excel document hides in the downloaded RAR attachments, the scheduled task is added by exploiting an older Equation Editor vulnerability triggered by the opening of the malicious document.
Scheduled task (Intezer)
Intezer comments that the threat actor likely prefers the CHM payloads because those do not require the target to use a vulnerable version of Microsoft Office, can bypass static analysis thanks to its LZX compression, and requires minimal user interaction to operate.
The second-stage payload is an MSI or a PowerShell file if a CHM payload is used or an EXE file in the case of the Excel document payload.
Malicious PowerShell in the CHM file (Intezer)
To evade detection and exposure, the second-stage payloads are empty. However, when the first-stage payloads send information about the breached device to the attacker’s command and control server, it will determine if it is a valuable target and deliver actual malware to the compromised system.
Empty MSI payloads (Intezer)
Intezer’s analysts could not retrieve any actual payloads delivered in this campaign but hypothesized that they might include keyloggers, RATs (remote access tools), and info-stealers.
Bitter APT’s complete infection chain (Intezer)
CHM files were once popular for software documentation and help files, but are not commonly used anymore, let alone in email communications.
Recipients of emails should exercise heightened vigilance when encountering CHM files within attached archives, as these files can potentially harbor malicious content.
Finally, archives themselves should also be treated with suspicion, as they can bypass anti-virus scans, and hence the likelihood of them being malicious is high.