A cyberespionage hacking group known as “Bitter APT” has been detected targeting Chinese nuclear energy organizations with phishing emails in an attempt to install malware downloaders in their environments. Bitter APT is a suspected South Asian hacking group that has made itself known by targeting high-profile organizations in the energy, engineering, and government sectors in the APAC region. This specific campaign was discovered by researchers at Intezer. Previous campaigns from this group include a phishing campaign in May 2022, as well as an Android spyware campaign in August 2022.
In this new campaign, Bitter APT sent emails posing as a member of the Kyrgyzstan Embassy in Beijing to various Chinese nuclear energy companies and academics in the related field, inviting them to a conference on nuclear energy. The email contains an attached RAR file that poses as the invitation but actually contains either a malicious CHM file or an Excel document. In most cases, the group opts for the CHM file attachment, which executes commands to create scheduled tasks and download the next stage of the attack. The second-stage payload is either an MSI, PowerShell, or EXE file. To evade detection, the second-stage payloads are empty, relying on the first-stage payload to send information back to the C2 server before any actual malware is delivered. While the researchers at Intezer were unable to recover any of the final payloads, they hypothesize that they likely include keyloggers, RATs, and info-stealers.
While largely targeting organizations in the APAC region, this group has also been seen targeting organizations in Europe, indicating that it may pivot to compromising organizations worldwide in the future. As the initial compromise in this campaign stems from phishing, the best prevention is adequate user education on the latest phishing campaigns. However, this alone is not sufficient, as all it takes is one phishing attachment to slip through the cracks and get executed to compromise an organization. For this campaign, monitoring emails for RAR attachments would be a good avenue for preventing compromise from occurring. Additionally, monitoring for suspicious child processes spawned by Excel or by CHM files is another avenue for detecting this campaign. In the end, it is recommended to implement a defense-in-depth strategy to ensure that future variations of this campaign may also be caught.
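One way to implement the child-process monitoring described above, as an added example that is not part of the original post or of Intezer's research: it assumes Sysmon-style process-creation records with ParentImage, Image and CommandLine fields, and that CHM attachments open in the Windows HTML Help viewer hh.exe; the event records below are constructed samples.

```python
"""Flag suspicious child processes of the CHM viewer (hh.exe) and Excel.

Added example, not Intezer's detection logic. Event records are
constructed samples in a Sysmon-like process-creation shape.
"""
import re

# Parents this campaign abuses: the HTML Help viewer (assumption: hh.exe
# is what opens a CHM attachment) and Excel for the document variant.
WATCHED_PARENTS = {"hh.exe", "excel.exe"}

# Children a help file or spreadsheet should rarely launch.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "schtasks.exe", "msiexec.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe",
}

# Scheduled-task creation is the first-stage behaviour described in the post.
SCHTASKS_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create", re.IGNORECASE)


def _basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return 'high', 'medium' or None for one process-creation event."""
    parent = _basename(event["ParentImage"])
    child = _basename(event["Image"])
    if parent not in WATCHED_PARENTS:
        return None
    if SCHTASKS_CREATE.search(event.get("CommandLine", "")):
        return "high"          # watched parent creating a scheduled task
    if child in SUSPICIOUS_CHILDREN:
        return "medium"        # watched parent launching a script/installer host
    return None


def detect(events):
    """Run classify() over events; return (severity, parent, child) hits."""
    return [(sev, _basename(e["ParentImage"]), _basename(e["Image"]))
            for e in events for sev in [classify(e)] if sev]


# Constructed sample events: one hh.exe task creation, one Excel-spawned
# PowerShell, and two benign launches that must not fire.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\hh.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c schtasks /create /tn Update /tr "C:\Users\Public\a.msi" /sc minute'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc AAAA"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"ParentImage": r"C:\Windows\hh.exe", "Image": r"C:\Windows\hh.exe",
     "CommandLine": r"hh.exe C:\Users\x\Downloads\invitation.chm"},
]
```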