Bitter APT Exploits WinRAR Zero-Day to Deploy C# Backdoors via Weaponized Documents

The Bitter Advanced Persistent Threat (APT) group, also identified as APT-Q-37 and known in China as 蔓灵花, has initiated a sophisticated cyberespionage campaign targeting government agencies, military installations, and critical infrastructure in China and Pakistan. This operation employs weaponized Microsoft Office documents that exploit a previously undisclosed zero-day vulnerability in the WinRAR archive software to install custom C# backdoors on compromised systems.

Attack Vectors and Techniques

The campaign utilizes two primary infection vectors to deliver its malicious payloads:

1. Macro-Embedded Excel Files: Disguised as legitimate conference documents, these Excel files contain VBA macros designed to execute malicious code upon opening.

2. WinRAR Path Traversal Exploit: This method exploits a path traversal vulnerability in WinRAR, predating CVE-2023-38088, allowing attackers to manipulate file extraction processes to place malicious files in unintended directories.

Both methods culminate in the deployment of a C# backdoor engineered to exfiltrate sensitive data and execute arbitrary commands from remote servers.

Social Engineering and Targeting

The attackers have meticulously crafted social engineering lures, indicating thorough reconnaissance and victim profiling. By tailoring their tactics to specific personnel within government and defense sectors, they increase the likelihood of successful infiltration.

Discovery and Analysis

In October 2024, analysts from Qianxin detected anomalous network traffic patterns originating from compromised systems, leading to the identification of this malicious activity. Further investigation traced the infrastructure back to command-and-control servers hosted on the domain esanojinjasvc.com, registered in April 2024 specifically for this operation. The backdoor communicates with multiple subdomains, including msoffice.365cloudz.esanojinjasvc.com, employing advanced encryption techniques to evade network-based detection systems.

Attack Chain Details

The attack sequence initiates when victims receive phishing emails containing malicious RAR archives with filenames such as Provision of Information for Sectoral for AJK.rar. Upon extraction using vulnerable versions of WinRAR (7.11 or earlier), the archive exploits the path traversal flaw to overwrite the user’s Normal.dotm template file. Subsequently, when Microsoft Word is launched, it automatically loads the compromised template, triggering embedded macros that download and execute the winnsc.exe backdoor from a remote server using SMB network shares.
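The Normal.dotm overwrite works because the extractor honours a stored entry name that climbs out of the chosen output directory. The following is an added example, not code from the original article or from WinRAR, of the kind of entry-name audit a mail gateway or sandbox can run over an archive listing before anything is written to disk. The entry names are constructed to mirror the behaviour described above (a relative traversal into the Word Templates folder); they are illustrative and are not the real contents of the campaign's archive. Beyond the `..` case on the page it also rejects absolute and UNC-style names, which escape the extraction directory by the same mechanism.

```python
# Added example: audit archive entry names for paths that would land outside
# the extraction directory or in an Office template location. Entry names are
# constructed for illustration, not taken from the real archive.

# Constructed sample listing. The traversal entries imitate the Normal.dotm
# overwrite described above; the first two entries are benign.
SAMPLE_ENTRIES = [
    "Provision of Information for Sectoral for AJK.docx",
    "images/figure1.png",
    "../../AppData/Roaming/Microsoft/Templates/Normal.dotm",
    "..\\..\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm",
    "docs/../../Normal.dotm",
    "C:\\Users\\Public\\update.exe",
    "\\\\server\\share\\tool.exe",
]

# Substrings (after separator normalisation, lower-cased) that indicate an
# entry is aimed at an Office auto-load location rather than ordinary content.
OFFICE_TEMPLATE_MARKERS = (".dotm", "/templates/", "/startup/", "/xlstart/")


def audit_entry(name):
    """Return a reason string if the entry is unsafe to extract, else None.

    Backslashes are treated as separators because Windows extractors do, and
    the check works on the name as stored, before any extraction happens.
    """
    unified = name.replace("\\", "/")

    # Absolute, drive-letter, or UNC names ignore the output directory entirely.
    if unified.startswith("/"):
        return "absolute path"
    if len(unified) > 1 and unified[1] == ":" and unified[0].isalpha():
        return "absolute path"

    # Walk the components and track depth; dropping below the root means the
    # entry escapes the extraction directory regardless of later components.
    depth = 0
    for part in unified.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return "escapes extraction directory"
        else:
            depth += 1

    # An entry that stays inside the directory but carries an Office template
    # is still worth surfacing, since Word loads such files automatically.
    lowered = unified.lower()
    if any(marker in lowered for marker in OFFICE_TEMPLATE_MARKERS):
        return "Office template location"
    return None


def audit_archive(entry_names):
    """Map each flagged entry name to the reason it was flagged."""
    findings = {}
    for name in entry_names:
        reason = audit_entry(name)
        if reason is not None:
            findings[name] = reason
    return findings


if __name__ == "__main__":
    for name, reason in audit_archive(SAMPLE_ENTRIES).items():
        print(f"{reason:32s} {name}")
```

The depth walk is preferable to a substring search for `..`, because `docs/../report.pdf` is legitimate while `docs/../../Normal.dotm` is not; only the running depth distinguishes them.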

Persistence Mechanisms and Backdoor Functionality

To ensure continued access, the malware establishes multiple redundant persistence mechanisms:

– Batch File Creation: The macro code creates a batch file named kefe.bat in the Windows Startup directory.

– Scheduled Task: The kefe.bat script sets up a scheduled task titled OneDrive\Updates1100988844 that executes every 26 minutes, making POST requests to a specified URL.

The scheduled task command employs string obfuscation techniques to evade signature-based detection.
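Both persistence mechanisms leave artifacts that can be audited offline: a script in the Startup folder and a task whose XML export records its path, its repetition interval and its action. The following is an added example, not code from the original article, of such an audit over a Task Scheduler XML export and a Startup-folder listing. The two task exports are constructed for illustration: the first mirrors the task name and 26-minute interval reported above with a placeholder command line (the real, obfuscated command is not reproduced), and the second is a normal Windows maintenance task used as a benign control.

```python
# Added example: audit Task Scheduler XML exports and Startup-folder listings
# for the persistence pattern described above. All sample data is constructed.
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML exports.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed export modelled on the reported task: OneDrive-themed path with a
# numeric suffix, 26-minute repetition, script interpreter as the action.
# PLACEHOLDER_OBFUSCATED_COMMAND stands in for the real command line.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\OneDrive\Updates1100988844</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <StartBoundary>2024-10-01T00:00:00</StartBoundary>
      <Repetition><Interval>PT26M</Interval></Repetition>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>cmd.exe</Command>
      <Arguments>/c PLACEHOLDER_OBFUSCATED_COMMAND</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign control: a stock Windows maintenance task.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-10-01T01:00:00</StartBoundary>
      <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\defrag.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed Startup-folder listing containing the reported batch file name.
SAMPLE_STARTUP = ["desktop.ini", "kefe.bat", "Send to OneNote.lnk"]

INTERPRETERS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta")


def iso_duration_minutes(text):
    """Convert a Task Scheduler ISO 8601 duration (PnDTnHnMnS) to whole minutes."""
    match = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text or "")
    if not match:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in match.groups())
    return days * 1440 + hours * 60 + minutes + seconds // 60


def audit_task(xml_text):
    """Return a list of findings for one task export; empty means nothing matched."""
    root = ET.fromstring(xml_text)
    findings = []

    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    # Task path imitating OneDrive with a trailing run of digits, as reported.
    if re.fullmatch(r"\\OneDrive\\Updates\d+", uri):
        findings.append(f"OneDrive-themed task path with numeric suffix: {uri}")

    # Repetition interval matching the reported 26-minute beacon cadence.
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        if iso_duration_minutes(interval.text) == 26:
            findings.append("26-minute repetition interval")

    # A script interpreter as the scheduled action is where obfuscated
    # command lines live; report it with its arguments for triage.
    for action in root.iterfind(".//t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", default="", namespaces=NS)
        arguments = action.findtext("t:Arguments", default="", namespaces=NS)
        if command.lower().endswith(INTERPRETERS):
            findings.append(f"script interpreter action: {command} {arguments}".rstrip())
    return findings


def audit_startup(filenames):
    """Return Startup-folder entries that are scripts rather than shortcuts."""
    return [name for name in filenames if name.lower().endswith(SCRIPT_EXTENSIONS)]


if __name__ == "__main__":
    print("suspicious task:", audit_task(SAMPLE_TASK_XML))
    print("benign task:", audit_task(BENIGN_TASK_XML))
    print("startup scripts:", audit_startup(SAMPLE_STARTUP))
```

In practice the XML comes from `schtasks /Query /XML` or from the task files under the Windows Tasks directory; the interval check is deliberately exact because a fixed, odd cadence such as 26 minutes is itself an indicator, while the interpreter check is broad and meant to surface candidates for review rather than to convict on its own.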

The C# backdoor utilizes AES encryption for string obfuscation through a dedicated decryption function named `gjfdkgitjkg()`. This function decrypts critical configuration data, including command-and-control (C2) URLs, file paths, and POST parameters. The backdoor continuously collects system information, such as the temporary directory path, operating system architecture, and hostname, transmitting this data to a specified C2 server. Based on responses from the C2 server, the malware downloads additional executables, repairs their PE headers by adding the DOS signature `{0x4D 0x5A}`, validates the file structure, and executes them while reporting success or failure codes back to the C2 server.
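Delivering a second-stage executable without its `MZ` signature and restoring it only on the endpoint defeats content inspection that keys on the DOS header alone. The following is an added example, not code from the original article or from the backdoor, of a header check that a download scanner or sandbox can apply: it verifies the `MZ` signature together with the `PE\0\0` signature at the offset stored in `e_lfanew`, and if the DOS signature is missing it tests whether restoring it yields a well-formed PE, which marks the blob as a headerless PE staged in the way described above. The sample blobs are constructed minimal headers, not real payloads; the two "missing signature" variants (bytes blanked in place, bytes omitted entirely) are both assumptions about how the staging may look, since the article only says the signature is added back.

```python
# Added example: classify a downloaded blob as a valid PE, a PE whose DOS
# signature has been stripped, or something else. Samples are constructed.
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"
COFF_HEADER_LEN = 20
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}


def build_sample_pe(machine=0x8664):
    """Construct a minimal header-only PE: DOS stub with e_lfanew, then COFF header."""
    dos = bytearray(0x40)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    # Signature, Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<4sHHIIIHH", PE_SIG, machine, 1, 0, 0, 0, 0xF0, 0x22)
    return bytes(dos) + coff


# Constructed samples: a well-formed header, the same header with the DOS
# signature blanked, the same header with the two signature bytes omitted,
# and an unrelated blob.
VALID_SAMPLE = build_sample_pe()
BLANKED_SAMPLE = b"\0\0" + VALID_SAMPLE[2:]
OMITTED_SAMPLE = VALID_SAMPLE[2:]
NOT_PE_SAMPLE = b"%PDF-1.7 constructed sample, not an executable"


def _e_lfanew(blob):
    return struct.unpack_from("<I", blob, 0x3C)[0]


def _looks_like_pe(blob):
    """True if blob starts with MZ and e_lfanew points at an in-bounds PE signature."""
    if len(blob) < 0x40 or blob[:2] != MZ:
        return False
    offset = _e_lfanew(blob)
    if offset < 0x40 or offset + len(PE_SIG) + COFF_HEADER_LEN > len(blob):
        return False
    return blob[offset:offset + len(PE_SIG)] == PE_SIG


def pe_header_status(blob):
    """Return 'valid-pe', 'headerless-pe' or 'not-pe'.

    A headerless PE is one that becomes well-formed once the DOS signature is
    restored, either by overwriting the first two bytes (blanked in place) or
    by prepending them (omitted entirely); both are assumed staging layouts.
    """
    if _looks_like_pe(blob):
        return "valid-pe"
    for candidate in (MZ + blob[2:], MZ + blob):
        if _looks_like_pe(candidate):
            return "headerless-pe"
    return "not-pe"


def pe_machine(blob):
    """Return the target architecture name of a well-formed PE, else None."""
    if not _looks_like_pe(blob):
        return None
    machine = struct.unpack_from("<H", blob, _e_lfanew(blob) + len(PE_SIG))[0]
    return MACHINE_NAMES.get(machine, f"unknown(0x{machine:04X})")


if __name__ == "__main__":
    for label, blob in [("valid", VALID_SAMPLE), ("blanked", BLANKED_SAMPLE),
                        ("omitted", OMITTED_SAMPLE), ("pdf", NOT_PE_SAMPLE)]:
        print(f"{label:8s} {pe_header_status(blob):14s} {pe_machine(blob)}")
```

The check is cheap enough to run inline on every executable-sized download, and a `headerless-pe` verdict on content fetched by an Office process or a scheduled task is a strong signal on its own, independent of any signature for the backdoor itself.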

Implications and Recommendations

This campaign underscores the evolving technical capabilities and persistence mechanisms of the Bitter APT group. By exploiting a zero-day vulnerability in widely used software like WinRAR, the attackers demonstrate a high level of sophistication and resourcefulness.

To mitigate the risks associated with this threat, organizations are advised to:

– Update Software: Ensure that all software, particularly WinRAR, is updated to the latest versions to patch known vulnerabilities.

– Exercise Caution with Email Attachments: Be vigilant when opening email attachments, especially from unknown or untrusted sources.

– Implement Advanced Threat Detection: Deploy security solutions capable of detecting and mitigating advanced persistent threats and zero-day exploits.

– Conduct Regular Security Training: Educate employees on recognizing phishing attempts and the importance of cybersecurity best practices.

By adopting these measures, organizations can enhance their resilience against sophisticated cyberespionage campaigns like those conducted by the Bitter APT group.