Background of the group
The 蔓灵花 group, also known as Bitter and tracked internally as APT-Q-37, is widely believed to have a South Asian background. It has long targeted China, Pakistan, and other countries, running targeted attacks against organizations in the government, electric power, and military industry sectors with the aim of stealing sensitive information.
Overview of the incident
Qi'anxin Threat Intelligence Center recently discovered several attack samples related to the Bitter group. They use different delivery methods but ultimately implant the same C# backdoor, which can fetch arbitrary EXE files from a remote server and execute them.
(1) Mode 1: VBA macros carried by an xlam file drop C# source code, which is compiled and installed on the victim's machine using the .NET Framework's own csc.exe and InstallUtil.exe.
(2) Mode 2: A WinRAR path traversal vulnerability is used to try to replace Normal.dotm in the template library of the victim's user directory. When the victim then opens the docx file, Word loads the malicious Normal.dotm from the template library and its macros run, fetching the backdoor program hosted on a remote server and executing it.
Detailed Analysis
The relevant sample information is as follows:
| MD5 | File name | Description |
|---|---|---|
| b165b489c5f8c4e136364664502d68f1 | Nominated Officials for the Conference.xlam | Contains malicious macros |
| 18164f7b3d320a79b6db634f718a1095 | vlcplayer.dll | Released backdoor program compiled from C# source code |
| f6f2fdc38cd61d8d9e8cd35244585967 | Provision of Information for Sectoral for AJK.rar | Malicious RAR archive with exploit |
| 4bedd8e2b66cc7d64b293493ef5b8942 | Normal.dotm | RAR archive containing malicious macros |
| f16f2e4317c37085cad630d41001f7c3 | winnsc.exe | Backdoor program |
Attack Chain 1
The file Nominated Officials for the Conference.xlam opens with a prompt to enable macros. Once macros are enabled, a message box pops up saying, in effect, "File parsing failed, content corrupted". This is only a decoy to confuse the victim.
The macro code carried by the xlam file base64-decodes a copy of the backdoor source code, written in C#, and saves it as "C:\programdata\cayote.log". It then uses the .NET Framework's csc.exe to compile it into "C:\Programdata\USOShared\vlcplayer.dll" and installs it with InstallUtil.exe.
The periperi function in the macro code implements persistence by writing kefe.bat to the Startup directory; that script creates a scheduled task which makes a request to "hxxps://www.keeferbeautytrends.com/d6Z2.php?rz=".
Attack Chain 2
The attacker also exploited a path traversal vulnerability in WinRAR to plant a C# backdoor. Initially, we thought the attackers were exploiting CVE-2025-8088 [1], which was disclosed in August and affects WinRAR versions lower than 7.13. However, testing showed that the malicious RAR could not achieve path traversal on WinRAR 7.12 but could on WinRAR 7.11, so the attacker is actually exploiting an earlier WinRAR vulnerability.
The malicious RAR contains two files: Document.docx, and Normal.dotm, whose stored path climbs two parent directories. Normal.dotm sits in an alternate data stream (ADS) of Document.docx, which itself is only 5 bytes in size.
According to the path of Normal.dotm in the archive, the malicious RAR tries to overwrite the Normal.dotm file of the current user's template library ("C:\Users\<Username>\AppData\Roaming\Microsoft\Templates\Normal.dotm") when it is extracted. For the overwrite to succeed, the victim must extract the archive in a directory such as "C:\Users\<Username>\XXX". A victim who is used to extracting received archives directly in the Downloads directory ("C:\Users\<Username>\Downloads") or on the desktop ("C:\Users\<Username>\Desktop") therefore plays right into the attacker's hands.
Document.docx in the archive is used to trick the victim into starting Word, and when Word starts it loads Normal.dotm from the template library by default. The macro code in the malicious Normal.dotm connects to the remote shared folder "\\koliwooclients.com\templates" via net use and then executes winnsc.exe from it. According to its relations on VirusTotal (VT), this exe is a C# backdoor with the same functionality.
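As an added example (not code from the report or the sample), the following pre-extraction check flags archive entry names that combine an NTFS alternate data stream with parent-directory traversal, the two properties of the malicious RAR described above, and lexically resolves where each entry would land relative to a chosen extraction directory. The entry names and extraction path are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Constructed listing: a benign lure plus an entry whose name carries an
# alternate data stream (after ':') holding a '..\..' traversal path.
SAMPLE_ENTRIES = [
    "Document.docx",
    "Document.docx:..\\..\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm",
]


def split_ads(name: str):
    """Return (path, stream). A ':' beyond a leading drive letter marks an
    NTFS alternate data stream; the stream name may itself be a path."""
    drive, rest = (name[:2], name[2:]) if len(name) > 1 and name[1] == ":" else ("", name)
    path, sep, stream = rest.partition(":")
    return drive + path, (stream if sep else None)


def resolve_under(base: PureWindowsPath, relative: str) -> PureWindowsPath:
    """Resolve 'relative' against base the way an extractor would if it
    honoured '..' components instead of stripping them."""
    target = base
    for part in PureWindowsPath(relative).parts:
        if part == "..":
            target = target.parent
        elif part not in (".", ""):
            target = target / part
    return target


def check_entry(name: str, extract_dir: str) -> dict:
    """Report ADS use, traversal, and whether the entry escapes extract_dir."""
    base = PureWindowsPath(extract_dir)
    path, stream = split_ads(name)
    result = {"entry": name, "ads": stream is not None, "traversal": False,
              "escapes": False, "resolves_to": None}
    for candidate in (path, stream or ""):
        if ".." in PureWindowsPath(candidate).parts:
            target = resolve_under(base, candidate)
            result.update(traversal=True, resolves_to=str(target),
                          escapes=base not in (target, *target.parents))
    return result


def flag_unsafe(entries, extract_dir: str) -> list:
    """Entries that should block extraction: ADS, traversal, or escape."""
    return [r for r in (check_entry(e, extract_dir) for e in entries)
            if r["ads"] or r["traversal"] or r["escapes"]]
```

With the extraction directory one level below the user profile, the traversal entry resolves exactly to the user's Templates\Normal.dotm, matching the overwrite condition described above.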
C# Backdoor
The cayote.log backdoor source code comes with some comments and uses the function gjfdkgitjkg to decrypt its strings with AES; the decrypted values of some of these strings are shown below.
The main function of the backdoor runs in an infinite loop. It first collects some device information, including the path of the current user's temporary directory, the operating system version and bitness, the hostname, and so on, then concatenates this information and sends it in a POST request to hxxps://msoffice.365cloudz.esanojinjasvc.com/cloudzx/msweb/drxbds23.php.
The response to that request is passed as an argument to the static method taskprogressAsync, which downloads the EXE file specified by the C2 server and executes it.
The argument to taskprogressAsync is split on "#": the first part is the name of the file to download, and the number in the third part determines where the downloaded file is saved.
The file data for the specified filename is fetched from hxxps://msoffice.365cloudz.esanojinjasvc.com/cloudzx/msweb/drdxcsv34.php.
The downloaded data lacks its DOS header; the backdoor prepends {0x4D 0x5A} ("MZ") to repair the EXE, checks whether the result is a valid EXE, and then executes it. The static method that executes the EXE has the same name as the string-decryption method but takes no parameters. Finally, a code indicating whether the EXE executed successfully is sent back to hxxps://msoffice.365cloudz.esanojinjasvc.com/cloudzx/msweb/drxcvg45.php.
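As an added analyst-side example (not the backdoor's own code), the helper below mirrors the payload handling just described so that a response captured from the download endpoint can be reconstructed and structurally validated before it is handed to a sandbox: it splits the "#"-separated task string, restores the stripped "MZ" bytes, and checks the DOS/PE headers. The field layout beyond what the report states, the validation logic, and the sample bytes are assumptions or constructed here.

```python
import struct


def parse_task(task: str) -> dict:
    """Split the '#'-separated C2 reply. The report names field 1 (file name)
    and field 3 (save-location number); other fields are kept opaque."""
    fields = task.split("#")
    if len(fields) < 3:
        raise ValueError("task string needs at least three '#'-separated fields")
    return {"filename": fields[0], "location": int(fields[2]), "raw_fields": fields}


def repair_exe(stripped: bytes) -> bytes:
    """Prepend the two DOS-header bytes the server strips ('MZ' = 0x4D 0x5A)."""
    return b"MZ" + stripped


def looks_like_pe(data: bytes) -> bool:
    """Assumed structural check: MZ magic, e_lfanew within the buffer, and the
    'PE\\0\\0' signature at that offset (the report only says the EXE is
    verified, not how)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_stub_pe() -> bytes:
    """Constructed minimal PE-shaped blob: a 64-byte DOS header whose e_lfanew
    points at a 'PE\\0\\0' signature, followed by padding. Not runnable code."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + b"\0" * 20


def reconstruct_from_capture(stripped: bytes):
    """Return the repaired EXE bytes if they validate as a PE, else None."""
    fixed = repair_exe(stripped)
    return fixed if looks_like_pe(fixed) else None
```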
The winnsc.exe planted by the malicious RAR archive does the same thing.
The URLs it uses are as follows.
| URL | Description |
|---|---|
| hxxps://teamlogin.esanojinjasvc.com/teamesano/drivers/teamzid.php | Sends back the collected device information and receives the information on the EXE file to download |
| hxxps://teamlogin.esanojinjasvc.com/teamesano/drivers/teamidcrz/ | Fetches the file data of the specified EXE |
| hxxps://teamlogin.esanojinjasvc.com/teamesano/drivers/teamsid.php | Receives a code indicating whether the EXE was executed successfully |
Traceability
The two attacks above ultimately use the same C# backdoor, and its C&C servers are subdomains of esanojinjasvc.com, which was registered in April this year, so we assess that these samples come from the same attack group.
We attribute the attack samples to the Bitter group because the Bitter group's network infrastructure appears in the attack chain. The kefe.bat script generated when the xlam file's macro code sets up persistence contacts the Bitter-related domain www.keeferbeautytrends.com, and the script commands follow the same format commonly used by Bitter [2]. The following figure shows the commands found in the previously disclosed Vermillion Bitter sample (MD5: 7452fb632fd824f882fa12f9bebd7aa7).
The remote server koliwooclients.com that Normal.dotm in the malicious RAR connects to was also disclosed by security researchers in August as linked to the Craneflower attack campaign [3].
Summary
The samples above show that the Bitter group is trying new attack techniques and adding new attack tools alongside the ones it commonly uses. The attackers borrowed tools already present on the victim's machine to compile the backdoor source code, so that the resulting binary has no fixed hash, and used the WinRAR vulnerability to overwrite a file and thereby trigger the execution of malicious macro code. However, these samples only work under certain conditions of the victim's device environment and operating habits. This could mean the attacker had already obtained the relevant information through preliminary reconnaissance, but it is also possible that these are test samples used by the attacker to verify the feasibility of the approach. The new C# backdoor eventually implanted on the victim's machine provides an entry point for deploying further attack tools.
Protection Recommendations
Qi'anxin Threat Intelligence Center reminds users to be wary of phishing attacks: do not open links from unknown sources shared on social media, do not click on email attachments from unknown sources, do not run unknown files with sensational titles, do not install apps from unofficial sources, back up important files in a timely manner, and keep systems updated and patched.
If you need to run or install apps from unknown sources, you can first use the Qi'anxin Threat Intelligence File Depth Analysis Platform (https://sandbox.ti.qianxin.com/sandbox/page) to identify them. Currently, it supports in-depth analysis of files in various formats, including Windows and Android platforms.
At present, the full line of products based on the threat intelligence data from Qi'anxin Threat Intelligence Center, including Qi'anxin Threat Intelligence Platform (TIP), SkyRock, SkyEye Advanced Threat Detection System, Qi'anxin NGSOC, Qi'anxin Situational Awareness, and so on, already support the accurate detection of such attacks.
Reference Links
[1] https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/
[2] https://x.com/RedDrip7/status/1962415190051573781
[3] https://x.com/suyog41/status/1952990924210094369