Rewterz Threat Alert – Bitter APT Group Continues To Target Bangladesh

Rewterz Threat Alert – Remcos RAT – Active IOCs

July 8, 2022

Rewterz Threat Advisory – Multiple Apache Druid Vulnerabilities

July 8, 2022

Rewterz Threat Alert – Bitter APT Group Continues To Target Bangladesh – Active IOCs

Severity

High

Analysis Summary

APT-17 group aka BITTER APT group has been recently active and targeting sectors in South Asia for information theft and espionage. This group has a history of targeting Energy, Engineering, Government in South Asia. Spear phishing emails have been the main strike force to target their victims and they’ve been doing it for years now. Many BITTER victims have been exploited through relatively popular Microsoft Office exploit, in order to download and execute a RAT binary from a website. Although the attack vector of this sample remains unknown of yet, this is an indication of their presence again in the South Asian region. As part of an ongoing effort that began in August 2021, this threat actor group known for targeting China, Pakistan, and Saudi Arabia has expanded to set its sights on Bangladeshi government agencies.
With a spear-phishing email, this campaign targets an elite unit of Bangladesh’s government. Emails may contain a malicious RTF document or a Microsoft Excel spreadsheet that is used to exploit known vulnerabilities. The Equation Editor application is automatically launched once the victim opens the maldoc to run the embedded objects containing the shellcode to exploit known vulnerabilities described by CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802 in Microsoft Office, and then downloads and runs the trojan from the hosting server on the victim’s machine. The trojan runs itself in this campaign, but the actor has more RATs and downloaders in their arsenal.
Researchers analyzed a recent attack carried out by this APT group. The campaign specifically targets Bangladeshi (military) groups. Threat actors use Remote Access Trojans to perform espionage using malicious document files and intermediary malware stages. Bitter uses malicious document files with “Equation Editor exploits” as baits to download further malware stages. The Loader in the second step collects information about the infected system. The third stage of a Bitter attack can include several sorts of Malware, such as keyloggers, stealers, or remote access Trojans (Almond RAT was also utilized)

Impact

Information Theft and Espionage

Indicators of Compromise

Domain Name

m[.]huandocimama[.]com
diyefosterfeeds[.]com
emshedulersvc[.]com

IP

91[.]195[.]240[.]103
194[.]36[.]191[.]196
162[.]0[.]232[.]109
64[.]44[.]131[.]109

MD5

1bf615946ad9ea7b5a282a8529641bf6
a1d9e1dccfbba118d52f95ec6cc7c943
6e4b4eb701f3410ebfb5925db32b25dc
71e1cfb5e5a515cea2c3537b78325abf
d58e6f93bd1eb81eacc965d530709246

SHA-256

bc03923e3cc2895893571068fd20dd0bc626764d06a009b91dac27982e40a085
0c7158f9fc2093caf5ea1e34d8b8fffce0780ffd25191fac9c9b52c3208bc450
91ddbe011f1129c186849cd4c84cf7848f20f74bf512362b3283d1ad93be3e42
55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396
d83cb82be250604b2089a1198cedd553aaa5e8838b82011d6999bc6431935691

SHA-1

358867f105b517624806c3315c5426803f7c42a7
8efa4d5574a0c80733e9824ec146521385a68424
c330ef43bbee001296c6c120cf68e4c90d078d9c
bcc9e35c28430264575831e851182eca7219116f
a47aec515f303ae7f427d98fc69fe828fa9c6ec6

Remediation

Block all threat indicators at your respective controls.
Search for IOCs in your environment.