{"id":29940,"date":"2022-07-05T15:00:41","date_gmt":"2022-07-05T13:00:41","guid":{"rendered":"https:\/\/www.secuinfra.com\/?p=29940"},"modified":"2022-07-05T16:20:57","modified_gmt":"2022-07-05T14:20:57","slug":"whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh","status":"publish","type":"post","link":"https:\/\/testing.secuinfra.com\/en\/techtalk\/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh\/","title":{"rendered":"Whatever floats your Boat &#8211; Bitter APT continues to target Bangladesh"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_83 counter-flat ez-toc-counter ez-toc-white ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">[inhalt_uebersetzt]<\/p>\n<span class=\"ez-toc-title-toggle\"><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/testing.secuinfra.com\/en\/techtalk\/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh\/#Key_Findings\" >Key Findings<\/a><\/li><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/testing.secuinfra.com\/en\/techtalk\/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh\/#Overview\" >Overview<\/a><\/li><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/testing.secuinfra.com\/en\/techtalk\/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh\/#Analysis\" >Analysis<\/a><\/li><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/testing.secuinfra.com\/en\/techtalk\/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh\/#Hosting_Infrastructure_Network_Indicators\" >Hosting Infrastructure \/ Network Indicators<\/a><\/li><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-5\" 
href=\"https:\/\/testing.secuinfra.com\/en\/techtalk\/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh\/#Yara_Rules\" >Yara Rules<\/a><\/li><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/testing.secuinfra.com\/en\/techtalk\/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh\/#Indicators_of_Compromise\" >Indicators of Compromise<\/a><\/li><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/testing.secuinfra.com\/en\/techtalk\/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh\/#MITRE_ATT_CK_TTPs\" >MITRE ATT&amp;CK TTPs<\/a><\/li><li class='ez-toc-page-1'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/testing.secuinfra.com\/en\/techtalk\/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh\/#Conclusion\" >Conclusion<\/a><\/li><\/ul><\/nav><\/div>\n<h2><span class=\"ez-toc-section\" id=\"Key_Findings\"><\/span>Key Findings<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<ul>\n<li>The SECUINFRA Falcon Team identified a recent attack consistent with the campaign targeting Bangladesh conducted by the advanced persistent threat group &#8220;Bitter&#8221;, also known as T-APT-17.<\/li>\n<li>Bitter employs malicious document files as lures containing different implementations of the so-called &#8220;Equation Editor exploits&#8221; to download the following malware stages.<\/li>\n<li>The second stage consists of a Loader, which gathers information about the infected system and retrieves the third stage from a remote server.<\/li>\n<li>The third stage of a Bitter attack can feature different types of malware, e.g. keyloggers, stealers or Remote Access Trojans (RATs). 
We analyzed one of the more recently used RATs, which we refer to as &#8220;Almond RAT&#8221;.<\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"Overview\"><\/span>Overview<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The Bitter APT group is said to have been active since at least 2013 and was first reported on by <a  href=\"https:\/\/www.forcepoint.com\/blog\/x-labs\/bitter-targeted-attack-against-pakistan\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Forcepoint Labs in 2016<\/a>, when it was primarily targeting Pakistan. The threat group is suspected to be located in southern Asia. Even back then the group was using spearphishing emails to exploit Microsoft Office (e.g. CVE-2012-0158) and download additional malware, so compared to their attacks today their modus operandi has not changed at all. Occasionally they also target Android devices with Remote Access Trojans, as reported by <a  href=\"https:\/\/www.bitdefender.com\/files\/News\/CaseStudies\/study\/352\/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >BitDefender in 2020<\/a>.<\/p>\n<p>In February 2019 Palo Alto Networks documented Bitter attacks using a second-stage downloader dubbed <a  href=\"https:\/\/unit42.paloaltonetworks.com\/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan\/\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >&#8220;ArtraDownloader&#8221;<\/a>, which has been in use since 2017. 
Chinese and Saudi Arabian organizations were also added to the list of targets.<\/p>\n<p>As discovered by Cyble and Kaspersky in 2021, the Bitter group is also capable of more than just old Office exploits, for example abusing 0-day vulnerabilities like a <a  href=\"https:\/\/blog.cyble.com\/2021\/02\/24\/bitter-apt-enhances-its-capability-with-windows-kernel-zero-day-exploit\/\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Windows Kernel vulnerability<\/a> (CVE-2021-1732) and a <a  href=\"https:\/\/securelist.com\/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild\/101898\/\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >vulnerability in the Windows Desktop Window Manager<\/a> (CVE-2021-28310) for privilege escalation.<\/p>\n<p>In May 2022 Cisco Talos shared an <a  href=\"https:\/\/blog.talosintelligence.com\/2022\/05\/bitter-apt-adds-bangladesh-to-their.html\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >analysis of a new Bitter campaign<\/a> targeting users in Bangladesh from October 2021 up to February 2022 with a newer second-stage downloader called &#8220;ZxxZ&#8221;.<\/p>\n<p>This report builds on the findings published by Talos and covers an attack presumably conducted in mid-May 2022.<\/p>\n<p>Shortly before the completion of this report the Qi Anxin Threat Intelligence Center published a report on <a  href=\"https:\/\/mp.weixin.qq.com\/s\/8j_rHA7gdMxY1_X8alj8Zg\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >recent Bitter activities targeting military branches of Bangladesh<\/a>. 
They also mentioned the RAT sample analyzed in this blog post.<\/p>\n<p>On the 4th of July <a  href=\"https:\/\/twitter.com\/c3rb3ru5d3d53c\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >@c3rb3ru5d3d53c<\/a> released a <a  href=\"https:\/\/c3rb3ru5d3d53c.github.io\/malware-blog\/2022-07-04-bitter-apt-zxxz-backdoor\/\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >report about a Bitter campaign targeting Pakistan<\/a>. In addition to many analysis steps that match our approach, it also demonstrated how the ZxxZ downloader could be driven from a custom C2 server.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Analysis\"><\/span>Analysis<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3>Excel Maldoc<\/h3>\n<p>The sample of the malicious Excel document (<em>1bf615946ad9ea7b5a282a8529641bf6<\/em>) was obtained through the public <a  href=\"https:\/\/app.any.run\/tasks\/a775ee67-5142-4d49-a6a9-fd14e82562e3\/\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Any.Run Sandbox<\/a> service. As with previous campaigns conducted by Bitter, the file was likely distributed via a spearphishing email, which was not available for analysis. The sample was previously mentioned by Simon Kenin (k3yp0d) on <a  href=\"https:\/\/twitter.com\/k3yp0d\/status\/1527656133837594624\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Twitter<\/a>.<\/p>\n<p>The filename of the document reads &#8220;Repair of different csoc cstc, china supplied system &#8211; BNS BIJOY.xls&#8221;. The abbreviations <em>csoc<\/em> and <em>cstc<\/em> likely stand for &#8220;China Shipbuilding &amp; Offshore International Co. Ltd&#8221; and &#8220;China Shipbuilding Trading Co. 
Ltd&#8221; respectively and BNS Bijoy is the name of a &#8220;Castle-class guided missile corvette&#8221; (small warship) of the Bangladesh Navy (<a  href=\"https:\/\/en.wikipedia.org\/wiki\/BNS_Bijoy\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Wikipedia<\/a>).<\/p>\n<p>The document does not contain readable content on the topic the filename suggests, only a white rectangle image and unicode characters, which should alert victims that it is not a legitimate document. As soon as the file is opened the Equation Editor exploit, which we identified as <a  href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2018-0798\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >CVE-2018-0798<\/a>, is executed.<\/p>\n<figure id=\"attachment_30130\" aria-describedby=\"caption-attachment-30130\" style=\"width: 657px\" class=\"wp-caption aligncenter\"><img fetchpriority=\"high\" decoding=\"async\" class=\"wp-image-30130 \" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-excelsheet.png\" alt=\"\" width=\"657\" height=\"422\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-excelsheet.png 930w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-excelsheet-300x193.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-excelsheet-768x493.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-excelsheet-24x15.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-excelsheet-36x23.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-excelsheet-48x31.png 48w\" sizes=\"(max-width: 657px) 100vw, 657px\" \/><figcaption id=\"caption-attachment-30130\" class=\"wp-caption-text\">Figure 1: Visible contents of the Excel document<\/figcaption><\/figure>\n<p>Without alerting the user in any way the Equation Editor is started in the background and used to download the next malware stage and execute it. 
By tracing the Process Tree with ProcMon we can see that the downloaded binary is written to C:\\$Drw\\fsutil.exe and executed by the Windows Explorer.<\/p>\n<figure id=\"attachment_30133\" aria-describedby=\"caption-attachment-30133\" style=\"width: 811px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" class=\"wp-image-30133 \" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-equation-processtree.png\" alt=\"\" width=\"811\" height=\"143\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-equation-processtree.png 1191w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-equation-processtree-300x53.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-equation-processtree-1024x181.png 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-equation-processtree-768x135.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-equation-processtree-24x4.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-equation-processtree-36x6.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-equation-processtree-48x8.png 48w\" sizes=\"(max-width: 811px) 100vw, 811px\" \/><figcaption id=\"caption-attachment-30133\" class=\"wp-caption-text\">Figure 2: Process Tree of Equation Editor<\/figcaption><\/figure>\n<p>To extract information from the Maldoc we opted for a dynamic approach first. 
By registering a debugger for the Equation Editor executable via gflags.exe, which is part of the Windows SDK, we are able to attach x32dbg to the process once the Excel document is opened (this technique was showcased by <a  href=\"https:\/\/www.youtube.com\/watch?v=aBWAHxpXHEk\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Colin Hardy<\/a> for CVE-2017-1182).<\/p>\n<figure id=\"attachment_30134\" aria-describedby=\"caption-attachment-30134\" style=\"width: 898px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" class=\"wp-image-30134 \" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-maldoc-debug.png\" alt=\"\" width=\"898\" height=\"397\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-maldoc-debug.png 1437w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-maldoc-debug-300x133.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-maldoc-debug-1024x452.png 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-maldoc-debug-768x339.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-maldoc-debug-24x11.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-maldoc-debug-36x16.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-maldoc-debug-48x21.png 48w\" sizes=\"(max-width: 898px) 100vw, 898px\" \/><figcaption id=\"caption-attachment-30134\" class=\"wp-caption-text\">Figure 3: Registering a debugger for Equation Editor<\/figcaption><\/figure>\n<p>Since Excel is waiting on the Equation Editor to exit, our debugging session will unfortunately be ended after a fixed amount of time with the error message below, so we will have to approach it differently.<\/p>\n<figure id=\"attachment_30136\" aria-describedby=\"caption-attachment-30136\" style=\"width: 475px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-30136 size-full\" 
src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-debug-oleerror.png\" alt=\"\" width=\"475\" height=\"110\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-debug-oleerror.png 475w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-debug-oleerror-300x69.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-debug-oleerror-24x6.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-debug-oleerror-36x8.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-debug-oleerror-48x11.png 48w\" sizes=\"(max-width: 475px) 100vw, 475px\" \/><figcaption id=\"caption-attachment-30136\" class=\"wp-caption-text\">Figure 4: Error dialog while debugging Equation Editor<\/figcaption><\/figure>\n<p>With the well-known <a  href=\"https:\/\/blog.didierstevens.com\/programs\/oledump-py\/\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >oledump<\/a> tool developed by Didier Stevens we can take a look at the data streams inside the Excel file. 
In this case the stream A4, which is named Equation Native is of particular interest for us.<\/p>\n<figure id=\"attachment_30137\" aria-describedby=\"caption-attachment-30137\" style=\"width: 729px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-30137 size-full\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-oledump.png\" alt=\"\" width=\"729\" height=\"115\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-oledump.png 729w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-oledump-300x47.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-oledump-24x4.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-oledump-36x6.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-oledump-48x8.png 48w\" sizes=\"(max-width: 729px) 100vw, 729px\" \/><figcaption id=\"caption-attachment-30137\" class=\"wp-caption-text\">Figure 5: Viewing the contents of the Excel file with oledump<\/figcaption><\/figure>\n<p>By specifying the stream and the -d parameter we can dump it to analyze it further.<\/p>\n<figure id=\"attachment_30138\" aria-describedby=\"caption-attachment-30138\" style=\"width: 790px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-30138 size-full\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-dump-cmd.png\" alt=\"\" width=\"790\" height=\"34\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-dump-cmd.png 790w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-dump-cmd-300x13.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-dump-cmd-768x33.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-dump-cmd-24x1.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-dump-cmd-36x2.png 36w, 
https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-dump-cmd-48x2.png 48w\" sizes=\"(max-width: 790px) 100vw, 790px\" \/><figcaption id=\"caption-attachment-30138\" class=\"wp-caption-text\">Figure 6: Dumping the Equation stream<\/figcaption><\/figure>\n<p>Opening the dumped file in a hex editor we can visually identify two different segments of data. Highlighted in green we see data that is likely the shellcode required for the Equation Editor exploit. Since there are next to no readable ASCII strings in there (looking closely we can spot fragments that look like &#8220;URL&#8221; or &#8220;http&#8221;) this data is likely encoded or encrypted in some way. Below that we can see data in a repeating pattern which is used as padding for the memory corruption exploit CVE-2018-0798.<\/p>\n<figure id=\"attachment_30139\" aria-describedby=\"caption-attachment-30139\" style=\"width: 623px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-30139 \" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-dump-hex.png\" alt=\"\" width=\"623\" height=\"462\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-dump-hex.png 894w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-dump-hex-300x222.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-dump-hex-768x569.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-dump-hex-24x18.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-dump-hex-36x27.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-dump-hex-48x36.png 48w\" sizes=\"(max-width: 623px) 100vw, 623px\" \/><figcaption id=\"caption-attachment-30139\" class=\"wp-caption-text\">Figure 7: Analyzing the shellcode in a Hex editor<\/figcaption><\/figure>\n<p>In an attempt to decode the shellcode portion of the data we ran a frequency analysis (a very useful feature of the Okteta hex editor) on it to 
determine which values occur the most, since in a 2019 report by <a  href=\"https:\/\/news.sophos.com\/en-us\/2019\/07\/18\/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike\/\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Sophos Labs<\/a> a maldoc builder for CVE-2018-0798 was analyzed which implements a XOR-based encoding for the shellcode. For this maldoc the most frequent byte is FF so we assume that this could be encoded null bytes and therefore FF could be the key in a single-byte XOR encoding.<\/p>\n<figure id=\"attachment_30140\" aria-describedby=\"caption-attachment-30140\" style=\"width: 880px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-30140 \" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-shellcode-frequency.png\" alt=\"\" width=\"880\" height=\"336\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-shellcode-frequency.png 1184w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-shellcode-frequency-300x115.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-shellcode-frequency-1024x391.png 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-shellcode-frequency-768x293.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-shellcode-frequency-24x9.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-shellcode-frequency-36x14.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-shellcode-frequency-48x18.png 48w\" sizes=\"(max-width: 880px) 100vw, 880px\" \/><figcaption id=\"caption-attachment-30140\" class=\"wp-caption-text\">Figure 8: Running frequency analysis on the shellcode<\/figcaption><\/figure>\n<p>Using Cyberchef with the presumed shellcode section and XOR key does yield readable strings. 
From here we can extract important information about the executed shellcode and indicators like the URL for the next malware stage.<\/p>\n<figure id=\"attachment_30156\" aria-describedby=\"caption-attachment-30156\" style=\"width: 714px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-30156 \" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-shellcode-xor.png\" alt=\"\" width=\"714\" height=\"430\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-shellcode-xor.png 1016w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-shellcode-xor-300x181.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-shellcode-xor-768x463.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-shellcode-xor-24x14.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-shellcode-xor-36x22.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-shellcode-xor-48x29.png 48w\" sizes=\"(max-width: 714px) 100vw, 714px\" \/><figcaption id=\"caption-attachment-30156\" class=\"wp-caption-text\">Figure 9: Decoding the XOR-ed shellcode<\/figcaption><\/figure>\n<p>The visualization below shows the most important API calls made in the shellcode:<\/p>\n<figure id=\"attachment_30157\" aria-describedby=\"caption-attachment-30157\" style=\"width: 863px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-30157\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-maldocGraph.png\" alt=\"\" width=\"863\" height=\"315\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-maldocGraph.png 2560w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-maldocGraph-300x109.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-maldocGraph-1024x373.png 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-maldocGraph-768x280.png 768w, 
https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-maldocGraph-1536x560.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-maldocGraph-2048x747.png 2048w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-maldocGraph-24x9.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-maldocGraph-36x13.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-maldocGraph-48x17.png 48w\" sizes=\"(max-width: 863px) 100vw, 863px\" \/><figcaption id=\"caption-attachment-30157\" class=\"wp-caption-text\">Figure 10: Graph showing the functionality of the maldoc shellcode<\/figcaption><\/figure>\n<p>By debugging the Equation Editor exploit again and manually placing a breakpoint on e.g. URLDownloadToFileA we can confirm these findings.<\/p>\n<figure id=\"attachment_30158\" aria-describedby=\"caption-attachment-30158\" style=\"width: 568px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-30158 \" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-urlmon.png\" alt=\"\" width=\"568\" height=\"491\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-urlmon.png 914w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-urlmon-300x260.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-urlmon-768x665.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-urlmon-24x21.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-urlmon-36x31.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-urlmon-48x42.png 48w\" sizes=\"(max-width: 568px) 100vw, 568px\" \/><figcaption id=\"caption-attachment-30158\" class=\"wp-caption-text\">Figure 11: Manually loading urlmon.dll to place a breakpoint on URLDownloadToFileA<\/figcaption><\/figure>\n<p>The download query to emshedulersvc[.]com\/vc\/vc returns a sample of Bitter's second-stage downloader, which we will 
investigate next.<\/p>\n<figure id=\"attachment_30159\" aria-describedby=\"caption-attachment-30159\" style=\"width: 823px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-30159 \" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-debug-url.png\" alt=\"\" width=\"823\" height=\"343\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-debug-url.png 2560w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-debug-url-300x125.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-debug-url-1024x427.png 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-debug-url-768x320.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-debug-url-1536x640.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-debug-url-2048x853.png 2048w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-debug-url-24x10.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-debug-url-36x15.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-debug-url-48x20.png 48w\" sizes=\"(max-width: 823px) 100vw, 823px\" \/><figcaption id=\"caption-attachment-30159\" class=\"wp-caption-text\">Figure 12: Breaking on URLDownloadToFile<\/figcaption><\/figure>\n<h3>ZxxZ \/ MuuyDownloader<\/h3>\n<p>Since approximately the second half of 2021 Bitter switched from their second-stage ArtraDownloader to a new, but similar implementation named <a  href=\"https:\/\/blog.talosintelligence.com\/2022\/05\/bitter-apt-adds-bangladesh-to-their.html\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >&#8220;ZxxZ&#8221;<\/a> by Talos and <a  href=\"https:\/\/mp.weixin.qq.com\/s?__biz=MzI2MDc2MDA4OA==&amp;mid=2247495644&amp;idx=1&amp;sn=f09a360fa8630fa55eb09c08357d7627&amp;scene=21#wechat_redirect\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >&#8220;MuuyDownloader&#8221;<\/a> by Qi Anxin 
Threat Intelligence Center. It is implemented in Visual C++ and does not appear to be packed on first inspection. The compilation timestamp suggests this binary was built on the 11th of May 2022, which matches the timeframe for the malicious document.<\/p>\n<figure id=\"attachment_30160\" aria-describedby=\"caption-attachment-30160\" style=\"width: 809px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-30160 \" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-die-vc.png\" alt=\"\" width=\"809\" height=\"343\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-die-vc.png 1549w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-die-vc-300x127.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-die-vc-1024x434.png 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-die-vc-768x325.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-die-vc-1536x650.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-die-vc-24x10.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-die-vc-36x15.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-die-vc-48x20.png 48w\" sizes=\"(max-width: 809px) 100vw, 809px\" \/><figcaption id=\"caption-attachment-30160\" class=\"wp-caption-text\">Figure 13: Detect it Easy parsing the PE file, Entropy graph<\/figcaption><\/figure>\n<p>Comparing this fingerprinting function to the one documented by Cisco Talos we can see that Bitter abandoned the ZxxZ value separator (that gave the Downloader its name) in exchange for a simple underscore. This was possibly done to avoid detection through IDS\/IPS systems based on this very specific separator. 
Looking back at older Bitter Research we can see that the threat group likes to change up these patterns from time to time to avoid detection.<\/p>\n<figure id=\"attachment_30161\" aria-describedby=\"caption-attachment-30161\" style=\"width: 405px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-30161 size-full\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-ZxxZ-fingerprint.png\" alt=\"\" width=\"405\" height=\"319\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-ZxxZ-fingerprint.png 405w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-ZxxZ-fingerprint-300x236.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-ZxxZ-fingerprint-24x19.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-ZxxZ-fingerprint-36x28.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-ZxxZ-fingerprint-48x38.png 48w\" sizes=\"(max-width: 405px) 100vw, 405px\" \/><figcaption id=\"caption-attachment-30161\" class=\"wp-caption-text\">Figure 14: ZxxZ gathering system information<\/figcaption><\/figure>\n<p>The check-in with an attacker-controlled staging server contains the user account and hostname of the system. 
The function below manually assembles the HTTP GET request and sends it via a socket connection to the C2 server.<\/p>\n<figure id=\"attachment_30162\" aria-describedby=\"caption-attachment-30162\" style=\"width: 363px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-30162\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-ZxxZ-get.png\" alt=\"\" width=\"363\" height=\"420\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-ZxxZ-get.png 441w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-ZxxZ-get-259x300.png 259w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-ZxxZ-get-21x24.png 21w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-ZxxZ-get-31x36.png 31w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-ZxxZ-get-42x48.png 42w\" sizes=\"(max-width: 363px) 100vw, 363px\" \/><figcaption id=\"caption-attachment-30162\" class=\"wp-caption-text\">Figure 15: ZxxZ sending a GET request with the host fingerprint to the C2<\/figcaption><\/figure>\n<p>We verified this network communication using packet captures. 
Another common indicator across Bitter infrastructure is the use of the LiteSpeed web server, which has been documented in older reports as well.<\/p>\n<figure id=\"attachment_30163\" aria-describedby=\"caption-attachment-30163\" style=\"width: 586px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-30163\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-ZxxZ-wireshark.png\" alt=\"\" width=\"586\" height=\"223\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-ZxxZ-wireshark.png 644w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-ZxxZ-wireshark-300x114.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-ZxxZ-wireshark-24x9.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-ZxxZ-wireshark-36x14.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-ZxxZ-wireshark-48x18.png 48w\" sizes=\"(max-width: 586px) 100vw, 586px\" \/><figcaption id=\"caption-attachment-30163\" class=\"wp-caption-text\">Figure 16: Packet capture of the GET request above<\/figcaption><\/figure>\n<p>After retrieving the next malware stage from a staging server ZxxZ writes the binary to the disk and tries to execute it. In the screenshot below we can see that the Bitter group altered the C2 opcode strings that Talos had previously documented as DN-S (download success) and RN_E (run error) to just S and F, presumably short for <strong>Success<\/strong> and <strong>Failure<\/strong>. This is likely another measure to evade older detection rules. 
The payload execution was also changed to use CreateProcessA instead of ShellExecuteA like in the older version of ZxxZ.<\/p>\n<figure id=\"attachment_30165\" aria-describedby=\"caption-attachment-30165\" style=\"width: 623px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-30165 \" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-ZxxZ-process.png\" alt=\"\" width=\"623\" height=\"388\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-ZxxZ-process.png 702w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-ZxxZ-process-300x187.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-ZxxZ-process-24x15.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-ZxxZ-process-36x22.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-ZxxZ-process-48x30.png 48w\" sizes=\"(max-width: 623px) 100vw, 623px\" \/><figcaption id=\"caption-attachment-30165\" class=\"wp-caption-text\">Figure 17: ZxxZ retrieving and executing the next stage<\/figcaption><\/figure>\n<p>Unfortunately the actual payload could not be retrieved from the staging server as it only returned an empty file named CAPT.msi.<\/p>\n<figure id=\"attachment_30166\" aria-describedby=\"caption-attachment-30166\" style=\"width: 408px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-30166\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-ZxxZ-3rdstage.png\" alt=\"\" width=\"408\" height=\"458\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-ZxxZ-3rdstage.png 477w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-ZxxZ-3rdstage-267x300.png 267w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-ZxxZ-3rdstage-21x24.png 21w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-ZxxZ-3rdstage-32x36.png 32w, 
https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-ZxxZ-3rdstage-43x48.png 43w\" sizes=\"(max-width: 408px) 100vw, 408px\" \/><figcaption id=\"caption-attachment-30166\" class=\"wp-caption-text\">Figure 18: Request made to another staging server for the third stage<\/figcaption><\/figure>\n<h3>Almond RAT<\/h3>\n<p>Information on the Remote Access Trojans (RATs) deployed by Bitter (with one commonly referred to as <a  href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.bitter_rat\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >BitterRAT<\/a>) is limited and sometimes contradictory. We found that Bitter deploys different RAT implementations \/ variants depending on the scenario and target.<\/p>\n<p>In this case we analyzed a sample of a .NET-based RAT that we were not able to identify through previous reports or open source repositories. For the lack of an existing detection and a better name we will refer to it as &#8220;Almond RAT&#8221; for this analysis. The sample was first mentioned by the Twitter user <a  href=\"https:\/\/twitter.com\/binlmmhc\/status\/1530115191069110273\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >@binlmmhc<\/a>. 
The recent report by Qi Anxin mentioned above refers to this RAT only as &#8220;lightweight remote control&#8221;.<\/p>\n<figure id=\"attachment_30167\" aria-describedby=\"caption-attachment-30167\" style=\"width: 604px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-30167\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-rat-die.png\" alt=\"\" width=\"604\" height=\"326\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-rat-die.png 750w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-rat-die-300x162.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-rat-die-24x13.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-rat-die-36x19.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-rat-die-48x26.png 48w\" sizes=\"(max-width: 604px) 100vw, 604px\" \/><figcaption id=\"caption-attachment-30167\" class=\"wp-caption-text\">Figure 19: Detect it Easy parsing the Almond RAT PE file<\/figcaption><\/figure>\n<h3>Basic functionality<\/h3>\n<p>The main function of the RAT checks for the mutex string saebamini.com SingletonApp before calling the StartClient function. Turns out even skilled threat actors need to look up the really simple things sometimes: in this case a short tutorial about <a  href=\"https:\/\/saebamini.com\/Allowing-only-one-instance-of-a-C-app-to-run\/\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Allowing Only One Instance of a C# Application to Run<\/a> which uses this same mutex string. 
As always they copied only half of the answer and forgot to include the call to ReleaseMutex at the end&#8230;<\/p>\n<figure id=\"attachment_30169\" aria-describedby=\"caption-attachment-30169\" style=\"width: 466px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-30169\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-RAT-main.png\" alt=\"\" width=\"466\" height=\"218\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-RAT-main.png 511w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-RAT-main-300x140.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-RAT-main-24x11.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-RAT-main-36x17.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-RAT-main-48x22.png 48w\" sizes=\"(max-width: 466px) 100vw, 466px\" \/><figcaption id=\"caption-attachment-30169\" class=\"wp-caption-text\">Figure 20: Main function, setting a Mutex<\/figcaption><\/figure>\n<p>Almond RAT employs string encryption to hinder detection and reverse engineering. 
Important \/ revealing strings like the Command&amp;Control (C2) IP address below are therefore wrapped in the ciphertext.Decrypt function.<\/p>\n<figure id=\"attachment_30171\" aria-describedby=\"caption-attachment-30171\" style=\"width: 578px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-30171\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-rat-strenc.png\" alt=\"\" width=\"578\" height=\"132\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-rat-strenc.png 687w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-rat-strenc-300x69.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-rat-strenc-24x5.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-rat-strenc-36x8.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-rat-strenc-48x11.png 48w\" sizes=\"(max-width: 578px) 100vw, 578px\" \/><figcaption id=\"caption-attachment-30171\" class=\"wp-caption-text\">Figure 21: StartClient function, showing the AES string encryption<\/figcaption><\/figure>\n<p>The decryption function implements a default AES-256-CBC encryption scheme where the IV and key are derived from the given plaintext password via PBKDF2. Since it is trivial to reimplement this in e.g. Python, we decrypted all of the encrypted strings in the binary and modified the .NET assembly to increase code readability for this report. 
The file hashes of the unaltered and modified binaries can be found in the IoC section at the end of the post.<\/p>\n<figure id=\"attachment_30170\" aria-describedby=\"caption-attachment-30170\" style=\"width: 786px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-30170\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-rat-stringdecrypt.png\" alt=\"\" width=\"786\" height=\"370\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-rat-stringdecrypt.png 886w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-rat-stringdecrypt-300x141.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-rat-stringdecrypt-768x361.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-rat-stringdecrypt-24x11.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-rat-stringdecrypt-36x17.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-rat-stringdecrypt-48x23.png 48w\" sizes=\"(max-width: 786px) 100vw, 786px\" \/><figcaption id=\"caption-attachment-30170\" class=\"wp-caption-text\">Figure 22: String decryption function using AES CBC<\/figcaption><\/figure>\n<p>The StartClient function implements the socket-based C2 communication interface for Almond RAT. In the samples we observed, no domains or dynamic DNS services were involved; only IPv4 addresses were used to connect back to the threat actors. A characteristic property of the RAT is its use of TCP port 33638. When first contacting the C2 server, Almond RAT transmits gathered system information such as the hostname, OS version, internal IP address, MAC address and storage identifiers (disk info is not transmitted) to fingerprint the infected system. 
A 1024-byte buffer is used for the C2 communication.<\/p>\n<figure id=\"attachment_30172\" aria-describedby=\"caption-attachment-30172\" style=\"width: 716px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-30172 \" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-RAT-start.png\" alt=\"\" width=\"716\" height=\"493\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-RAT-start.png 893w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-RAT-start-300x207.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-RAT-start-768x529.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-RAT-start-24x17.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-RAT-start-36x25.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-RAT-start-48x33.png 48w\" sizes=\"(max-width: 716px) 100vw, 716px\" \/><figcaption id=\"caption-attachment-30172\" class=\"wp-caption-text\">Figure 23: StartClient function<\/figcaption><\/figure>\n<h3>Capabilities &amp; C2 communication<\/h3>\n<p>Next we will look further into the functionality of Almond RAT. At the beginning of the StartCommWithServer function the RAT sets a random receive timeout between 20 and 30 seconds for the socket. The analyzed sample accepts seven different commands in total. The REFRESH command is used as a heartbeat signal, letting the C2 server know that the RAT is still active; the RAT replies with a simple OK.<\/p>\n<p>The DRIVE command returns a list of connected storage devices.<\/p>\n<p>With the DELETE* command the attackers can delete accessible files by supplying a path. If the operation fails, e.g. due to insufficient permissions, the RAT returns the exception. 
The * in the command string is used as a separator between the command and the file path.<\/p>\n<figure id=\"attachment_30173\" aria-describedby=\"caption-attachment-30173\" style=\"width: 568px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-30173\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-c2-basics.png\" alt=\"\" width=\"568\" height=\"418\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-basics.png 606w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-basics-300x221.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-basics-24x18.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-basics-36x26.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-basics-48x35.png 48w\" sizes=\"(max-width: 568px) 100vw, 568px\" \/><figcaption id=\"caption-attachment-30173\" class=\"wp-caption-text\">Figure 24: Basic C2 functionality<\/figcaption><\/figure>\n<p>Almond RAT allows for the execution of arbitrary commands via a wrapped cmd.exe instance. It has its own implementation for directory changes via cd and directory listings via OK. 
The CMD command uses a tilde instead of an asterisk to separate the parts of the command.<\/p>\n<figure id=\"attachment_30174\" aria-describedby=\"caption-attachment-30174\" style=\"width: 561px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-30174\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-c2-cmd.png\" alt=\"\" width=\"561\" height=\"477\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-cmd.png 671w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-cmd-300x255.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-cmd-24x20.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-cmd-36x31.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-cmd-48x41.png 48w\" sizes=\"(max-width: 561px) 100vw, 561px\" \/><figcaption id=\"caption-attachment-30174\" class=\"wp-caption-text\">Figure 25: Command execution<\/figcaption><\/figure>\n<p>In addition to the functionality of listing directories and files via the command prompt the RAT also supports a quite involved DIR* command. 
It is capable of verifying file accessibility and displaying metadata such as the last write time of a file.<\/p>\n<figure id=\"attachment_30176\" aria-describedby=\"caption-attachment-30176\" style=\"width: 898px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-30176\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-c2-dir.png\" alt=\"\" width=\"898\" height=\"500\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-dir.png 1382w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-dir-300x167.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-dir-1024x571.png 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-dir-768x428.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-dir-24x13.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-dir-36x20.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-dir-48x27.png 48w\" sizes=\"(max-width: 898px) 100vw, 898px\" \/><figcaption id=\"caption-attachment-30176\" class=\"wp-caption-text\">Figure 26: Directory and File listings<\/figcaption><\/figure>\n<p>Since Bitter&#8217;s main objective is espionage, the group needs a way to exfiltrate data from the system to the C2 server, which is done via the DOWNLOAD* command.<\/p>\n<p>To drop more malware or other files onto the system it also supports the UPLOAD* command, which uses the following file naming scheme: yyyyMMdd-hhmmss_filename<\/p>\n<figure id=\"attachment_30177\" aria-describedby=\"caption-attachment-30177\" style=\"width: 911px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-30177\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-c2-updown.png\" alt=\"\" width=\"911\" height=\"533\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-updown.png 1311w, 
https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-updown-300x176.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-updown-1024x599.png 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-updown-768x449.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-updown-24x14.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-updown-36x21.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-updown-48x28.png 48w\" sizes=\"(max-width: 911px) 100vw, 911px\" \/><figcaption id=\"caption-attachment-30177\" class=\"wp-caption-text\">Figure 27: DOWNLOAD* and UPLOAD* functions<\/figcaption><\/figure>\n<p>In case the RAT receives an unknown command from the operator, it returns the message XXX to indicate the error.<\/p>\n<figure id=\"attachment_30178\" aria-describedby=\"caption-attachment-30178\" style=\"width: 369px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-30178\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bitter-c2-xxx.png\" alt=\"\" width=\"369\" height=\"162\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-xxx.png 408w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-xxx-300x132.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-xxx-24x11.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-xxx-36x16.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/bitter-c2-xxx-48x21.png 48w\" sizes=\"(max-width: 369px) 100vw, 369px\" \/><figcaption id=\"caption-attachment-30178\" class=\"wp-caption-text\">Figure 28: Exception handling in case of an unknown command<\/figcaption><\/figure>\n<p>Almond RAT&#8217;s main purposes seem to be file system discovery, data exfiltration and providing a way to load more tools or establish persistence. 
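<\/p>\n<p>The C2 behaviour described above (the ZxxZ fingerprint request, the Almond RAT port, its command separators and its OK\/XXX replies) is enough to write simple detection and triage logic. The following Python is an added example and is not part of the original report or of the group&#8217;s tooling: the proxy and conn log formats it parses and the sample messages it runs on are constructed, the function names are ours, and the MAC address format inside the fingerprint is an assumption.<\/p>

```python
"""Triage helpers for the ZxxZ downloader / Almond RAT network behaviour in this report.
Added example, not SECUINFRA's code: log formats and sample values are constructed;
indicators, command names and ATT&CK mappings are the ones given in the report."""
import re
from typing import Optional

# Indicators from the report (defanged in the text, plain here for matching)
ZXXZ_DOMAINS = {"emshedulersvc.com", "m.huandocimama.com", "diyefosterfeeds.com"}
ALMOND_C2_IP = "64.44.131.109"
ALMOND_C2_PORT = 33638
ALMOND_RESPONSES = {"OK": "heartbeat_ok", "XXX": "unknown_command"}
# Operator command -> ATT&CK technique as mapped in the report's TTP tables
ALMOND_COMMAND_TTP = {"DOWNLOAD": "T1041", "UPLOAD": "T1105", "DIR": "T1083",
                      "DELETE": "T1485", "CMD": None, "DRIVE": None, "REFRESH": None}

# ZxxZ fingerprint beacon: GET .../profile<...>.php?<param>=<USERNAME_HOSTNAME>
ZXXZ_BEACON_RE = re.compile(
    r'"GET (?P<path>/\S*?profile[^\s?/]*\.php)\?(?P<param>\w+)=(?P<value>[^\s&"]+)')
# Almond RAT framing: "*" separates command and argument, CMD uses "~" instead
ALMOND_CMD_RE = re.compile(
    r"^(?:(?P<bare>REFRESH|DRIVE)"
    r"|(?P<star>DELETE|DIR|DOWNLOAD|UPLOAD)\*(?P<starg>.*)"
    r"|CMD~(?P<carg>.*))$", re.S)
# Fingerprint HOSTNAME*MAC_ADDRESS*OS_VERSION (the MAC separator format is assumed)
ALMOND_FP_RE = re.compile(
    r"^(?P<host>[^*]+)\*(?P<mac>(?:[0-9A-Fa-f]{2}[:-]?){6})\*(?P<os>[^*]+)$")


def check_http_line(line: str) -> Optional[dict]:
    """Flag a proxy log line shaped like the ZxxZ fingerprint beacon.
    Assumed (constructed) format: <src_ip> <dst_host> "<method> <uri> HTTP/1.1" <status>
    A hit needs the profile*.php?param=value request plus either a known Bitter
    domain or a USERNAME_HOSTNAME-shaped value, so generic profile pages do not fire."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    src, host, rest = parts
    m = ZXXZ_BEACON_RE.search(rest)
    if not m:
        return None
    known_domain = host.lower() in ZXXZ_DOMAINS
    fingerprint_shape = re.fullmatch(r"[^_\s]+_[^_\s]+", m["value"]) is not None
    if not (known_domain or fingerprint_shape):
        return None
    return {"rule": "zxxz_beacon", "ttp": "T1592.002", "src": src, "host": host,
            "path": m["path"], "fingerprint": m["value"], "known_domain": known_domain}


def check_conn_line(line: str) -> Optional[dict]:
    """Flag a Zeek-style conn record for Almond RAT C2 traffic.
    Assumed (constructed) TSV columns: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto"""
    cols = line.rstrip("\n").split("\t")
    if len(cols) < 7 or cols[6] != "tcp":
        return None
    resp_h, resp_p = cols[4], int(cols[5])
    evidence = []
    if resp_p == ALMOND_C2_PORT:
        evidence.append("T1571")        # non-standard port 33638/tcp
    if resp_h == ALMOND_C2_IP:
        evidence.append("known_c2_ip")  # 64.44.131[.]109 from the report
    if not evidence:
        return None
    return {"rule": "almond_rat_c2", "src": cols[2], "dst": f"{resp_h}:{resp_p}",
            "severity": "high" if len(evidence) == 2 else "medium", "evidence": evidence}


def classify_almond_message(payload: bytes) -> dict:
    """Classify one captured Almond RAT C2 message (the content of one 1024-byte buffer).
    Returns the sending side, the command or response, and the ATT&CK technique the
    report maps it to, so a pcap of the session can be summarised quickly."""
    text = payload.rstrip(b"\x00").decode("utf-8", errors="replace")
    m = ALMOND_CMD_RE.match(text)
    if m:
        cmd = m["bare"] or m["star"] or "CMD"
        arg = m["starg"] if m["star"] else m["carg"]
        return {"direction": "operator", "command": cmd, "argument": arg,
                "ttp": ALMOND_COMMAND_TTP[cmd]}
    if text in ALMOND_RESPONSES:
        return {"direction": "implant", "response": ALMOND_RESPONSES[text]}
    m = ALMOND_FP_RE.match(text)
    if m:
        return {"direction": "implant", "fingerprint": m.groupdict(), "ttp": "T1592.002"}
    return {"direction": "unknown", "raw": text[:64]}


if __name__ == "__main__":
    # Constructed samples: a ZxxZ beacon, a benign profile page, two conn records, five C2 messages
    for line in ['10.0.0.5 m.huandocimama.com "GET /JvQKLsTYuMe/xAexyBbnDxW/profiles.php?profiles=jdoe_WS01 HTTP/1.1" 200',
                 '10.0.0.5 www.example.com "GET /profile.php?id=42 HTTP/1.1" 200']:
        print(check_http_line(line))
    for line in ["1656000000.1\tC1\t10.0.0.5\t49812\t64.44.131.109\t33638\ttcp",
                 "1656000000.2\tC2\t10.0.0.5\t49813\t203.0.113.9\t443\ttcp"]:
        print(check_conn_line(line))
    for msg in [b"WS01*00:11:22:33:44:55*Microsoft Windows NT 10.0.19044.0", b"REFRESH",
                b"OK" + b"\x00" * 1022, b"DOWNLOAD*C:\\Users\\jdoe\\Documents\\plan.docx", b"CMD~whoami"]:
        print(classify_almond_message(msg))
```

<p>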
The design of the tools seems to be laid out in a way that they can be quickly modified and adapted to the current attack scenario.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Hosting_Infrastructure_Network_Indicators\"><\/span>Hosting Infrastructure \/ Network Indicators<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3>WHOIS and DNS Records<\/h3>\n<p>The staging server for the Downloader and the staging server for the RAT are hosted with Host Sailor. The Command&amp;Control server for the Downloader is hosted with Namecheap and the one for Almond RAT is hosted with Nexeon Technologies. Except for the samples analysed in this report, no other significant malware activity was detected in connection with these four domains.<\/p>\n<p><strong>Staging server ZxxZ downloader<\/strong><\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"94\"><strong>Domain<\/strong><\/td>\n<td width=\"217\"><strong>emshedulersvc[.]com<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><strong>Registrar<\/strong><\/td>\n<td width=\"217\">ENOM Inc.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><strong>Hoster<\/strong><\/td>\n<td width=\"217\">Host Sailor Ltd.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><strong>Created<\/strong><\/td>\n<td width=\"217\">10.05.2022 &#8211; 91.195.240[.]103<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><strong>Updated<\/strong><\/td>\n<td width=\"217\">12.05.2022 &#8211; 194.36.191[.]196<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>C2 server ZxxZ downloader<\/strong><\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"94\"><strong>Domain<\/strong><\/td>\n<td width=\"217\"><strong>huandocimama[.]com<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><strong>Registrar<\/strong><\/td>\n<td width=\"217\">Namecheap Inc.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><strong>Hoster<\/strong><\/td>\n<td width=\"217\">Namecheap Inc.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><strong>Created<\/strong><\/td>\n<td width=\"217\">19.08.2021 &#8211; 
162.0.232[.]109<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><strong>Updated<\/strong><\/td>\n<td width=\"217\">N\/A<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>Staging server third stage<\/strong><\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"94\"><strong>Domain<\/strong><\/td>\n<td width=\"217\"><strong>diyefosterfeeds[.]com<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><strong>Registrar<\/strong><\/td>\n<td width=\"217\">ENOM Inc.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><strong>Hoster<\/strong><\/td>\n<td width=\"217\">Host Sailor Ltd.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><strong>Created<\/strong><\/td>\n<td width=\"217\">02.02.2022 &#8211; 194.36.191[.]196<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><strong>Updated<\/strong><\/td>\n<td width=\"217\">N\/A<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>Almond RAT C2 server<\/strong><\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"94\"><strong>Domain<\/strong><\/td>\n<td width=\"217\"><strong>64.44.131[.]109<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><strong>Hoster<\/strong><\/td>\n<td width=\"217\">Nexeon Technologies Inc.<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><strong>ASN<\/strong><\/td>\n<td width=\"217\">AS20278<\/td>\n<\/tr>\n<tr>\n<td width=\"94\"><strong>Created<\/strong><\/td>\n<td width=\"217\">27.02.2014<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>While investigating these DNS entries we also noticed that on 30.05.2022 a new record for spurshipbroker[.]com pointing to 194.36.191[.]196 was created. This domain seems to be a so-called &#8220;typosquat&#8221; (impersonation) of spurshipbrokers[.]com, an Indian marine shipping and transport company. This record stood out among seemingly legitimate web hosting and typosquats of banking sites on this web host \/ IP used by Bitter. 
While we do not have further evidence at this point in time that this is related to the Bitter activity it certainly does fit the approach of the group and the Naval-themed lure.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Yara_Rules\"><\/span>Yara Rules<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The Yara rule set we created for this report can be found below, in our Github Repository: <a  href=\"https:\/\/github.com\/SIFalcon\/Detection\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >SIFalcon\/Detection<\/a> and on <a  href=\"https:\/\/yaraify.abuse.ch\/\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Abuse.ch Yaraify<\/a>.<\/p>\n<p>\/*<br \/>\nYara Rule Set<br \/>\nAuthor: SECUINFRA Falcon Team<br \/>\nDate: 2022-06-23<br \/>\nIdentifier: 0x03-yara_win-Bitter_T-APT-17<br \/>\nReference: &#8220;https:\/\/testing.secuinfra.com\/en\/techtalk\/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh&#8221;<br \/>\n*\/<\/p>\n<p>\/* Rule Set &#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211; *\/<\/p>\n<p>rule APT_Bitter_Maldoc_Verify {<\/p>\n<p>meta:<br \/>\ndescription = &#8220;Detects Bitter (T-APT-17) shellcode in oleObject (CVE-2018-0798)&#8221;<br \/>\nauthor = &#8220;SECUINFRA Falcon Team (@SI_FalconTeam)&#8221;<br \/>\ntlp = &#8220;WHITE&#8221;<br \/>\nreference = &#8220;https:\/\/testing.secuinfra.com\/en\/techtalk\/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh&#8221;<br \/>\ndate = &#8220;2022-06-01&#8221;<br \/>\nhash0 = &#8220;0c7158f9fc2093caf5ea1e34d8b8fffce0780ffd25191fac9c9b52c3208bc450&#8221;<br \/>\nhash1 = &#8220;bd0d25194634b2c74188cfa3be6668590e564e6fe26a6fe3335f95cbc943ce1d&#8221;<br \/>\nhash2 = &#8220;3992d5a725126952f61b27d43bd4e03afa5fa4a694dca7cf8bbf555448795cd6&#8221;<\/p>\n<p>strings:<br \/>\n\/\/ This rule is meant to be used for verification of a Bitter Maldoc<br 
\/>\n\/\/ rather than a hunting rule since the oleObject it is matching is<br \/>\n\/\/ compressed in the doc zip<\/p>\n<p>$xor_string0 = &#8220;LoadLibraryA&#8221; xor<br \/>\n$xor_string1 = &#8220;urlmon.dll&#8221; xor<br \/>\n$xor_string2 = &#8220;Shell32.dll&#8221; xor<br \/>\n$xor_string3 = &#8220;ShellExecuteA&#8221; xor<br \/>\n$xor_string4 = &#8220;MoveFileA&#8221; xor<br \/>\n$xor_string5 = &#8220;CreateDirectoryA&#8221; xor<br \/>\n$xor_string6 = &#8220;C:\\\\Windows\\\\explorer&#8221; xor<br \/>\n$padding = {000001128341000001128341000001128342000001128342}<\/p>\n<p>condition:<br \/>\n3 of ($xor_string*)<br \/>\nand $padding<br \/>\n}<\/p>\n<p>rule APT_Bitter_ZxxZ_Downloader {<\/p>\n<p>meta:<br \/>\ndescription = &#8220;Detects Bitter (T-APT-17) ZxxZ Downloader&#8221;<br \/>\nauthor = &#8220;SECUINFRA Falcon Team (@SI_FalconTeam)&#8221;<br \/>\ntlp = &#8220;WHITE&#8221;<br \/>\nreference = &#8220;https:\/\/testing.secuinfra.com\/en\/techtalk\/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh&#8221;<br \/>\ndate = &#8220;2022-06-01&#8221;<br \/>\nhash0 = &#8220;91ddbe011f1129c186849cd4c84cf7848f20f74bf512362b3283d1ad93be3e42&#8221;<br \/>\nhash1 = &#8220;90fd32f8f7b494331ab1429712b1735c3d864c8c8a2461a5ab67b05023821787&#8221;<br \/>\nhash2 = &#8220;69b397400043ec7036e23c225d8d562fdcd3be887f0d076b93f6fcaae8f3dd61&#8221;<br \/>\nhash3 = &#8220;3fdf291e39e93305ebc9df19ba480ebd60845053b0b606a620bf482d0f09f4d3&#8221;<br \/>\nhash4 = &#8220;fa0ed2faa3da831976fee90860ac39d50484b20bee692ce7f0ec35a15670fa92&#8221;<\/p>\n<p>strings:<br \/>\n\/\/ old ZxxZ samples \/ decrypted strings<br \/>\n$old0 = &#8220;MsMp&#8221; ascii<br \/>\n$old1 = &#8220;SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion&#8221; ascii<br \/>\n$old2 = &#8220;&amp;&amp;user=&#8221; ascii<br \/>\n$old3 = &#8220;DN-S&#8221; ascii<br \/>\n$old4 = &#8220;RN_E&#8221; ascii<\/p>\n<p>\/\/ new ZxxZ samples<br \/>\n$c2comm0 = &#8220;GET \/&#8221; ascii<br \/>\n$c2comm1 = &#8220;profile&#8221; ascii<br \/>\n$c2comm2 = &#8220;.php?&#8221; ascii<br \/>\n$c2comm3 = &#8220;data=&#8221; ascii<br \/>\n$c2comm4 = &#8220;Update&#8221; ascii<br \/>\n$c2comm5 = &#8220;TTT&#8221; ascii<\/p>\n<p>condition:<br \/>\nuint16(0) == 0x5a4d<br \/>\nand filesize &gt; 39KB \/\/ Size on Disk\/1.5<br \/>\nand filesize &lt; 2MB \/\/ Size of Image*1.5<br \/>\nand ((all of ($old*)) or (all of ($c2comm*))) \/\/ outer brackets required: or binds weaker than and, otherwise the $c2comm branch skips the MZ and size checks<br \/>\n}<\/p>\n<p>import &#8220;pe&#8221;<br \/>\nimport &#8220;dotnet&#8221;<\/p>\n<p>rule APT_Bitter_Almond_RAT {<\/p>\n<p>meta:<br \/>\ndescription = &#8220;Detects Bitter (T-APT-17) Almond RAT (.NET)&#8221;<br \/>\nauthor = &#8220;SECUINFRA Falcon Team (@SI_FalconTeam)&#8221;<br \/>\ntlp = &#8220;WHITE&#8221;<br \/>\nreference = &#8220;https:\/\/testing.secuinfra.com\/en\/techtalk\/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh&#8221;<br \/>\ndate = &#8220;2022-06-01&#8221;<br \/>\nhash = &#8220;55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396&#8221;<\/p>\n<p>strings:<br \/>\n$function0 = &#8220;GetMacid&#8221; ascii<br \/>\n$function1 = &#8220;StartCommWithServer&#8221; ascii<br \/>\n$function2 = &#8220;sendingSysInfo&#8221; ascii<br \/>\n$dbg0 = &#8220;*|END|*&#8221; wide<br \/>\n$dbg1 = &#8220;FILE&gt;&#8221; wide<br \/>\n$dbg2 = &#8220;[Command Executed Successfully]&#8221; wide<\/p>\n<p>condition:<br \/>\nuint16(0) == 0x5a4d<br \/>\nand dotnet.version == &#8220;v4.0.30319&#8221;<br \/>\nand filesize &gt; 12KB \/\/ Size on Disk\/1.5<br \/>\nand filesize &lt; 68KB \/\/ Size of Image*1.5<br \/>\nand any of ($function*)<br \/>\nand any of ($dbg*)<br \/>\n}<\/p>\n<p>rule APT_Bitter_PDB_Paths {<\/p>\n<p>meta:<br \/>\ndescription = &#8220;Detects Bitter (T-APT-17) PDB Paths&#8221;<br \/>\nauthor = &#8220;SECUINFRA Falcon Team (@SI_FalconTeam)&#8221;<br \/>\ntlp = &#8220;WHITE&#8221;<br \/>\nreference = &#8220;https:\/\/testing.secuinfra.com\/en\/techtalk\/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh&#8221;<br 
\/>\ndate = &#8220;2022-06-22&#8221;<br \/>\nhash0 = &#8220;55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396&#8221;<\/p>\n<p>strings:<br \/>\n\/\/ Almond RAT<br \/>\n$pdbPath0 = &#8220;C:\\\\Users\\\\Window 10 C\\\\Desktop\\\\COMPLETED WORK\\\\&#8221; ascii<br \/>\n$pdbPath1 = &#8220;stdrcl\\\\stdrcl\\\\obj\\\\Release\\\\stdrcl.pdb&#8221;<\/p>\n<p>\/\/ found by Qi Anxin Threat Intellingence Center<br \/>\n\/\/ reference: https:\/\/mp.weixin.qq.com\/s\/8j_rHA7gdMxY1_X8alj8Zg<br \/>\n$pdbPath2 = &#8220;g:\\\\Projects\\\\cn_stinker_34318\\\\&#8221;<br \/>\n$pdbPath3 = &#8220;renewedstink\\\\renewedstink\\\\obj\\\\Release\\\\stimulies.pdb&#8221;<\/p>\n<p>condition:<br \/>\nuint16(0) == 0x5a4d<br \/>\nand any of ($pdbPath*)<br \/>\n}<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Indicators_of_Compromise\"><\/span>Indicators of Compromise<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3>Samples<\/h3>\n<p>All of the samples mentioned in this report have been made available through the public Malware repositories MalwareBazaar and Malshare for verification and further research.<\/p>\n<h4>Maldoc<\/h4>\n<p>Filename: Repair of different csoc cstc, china supplied system &#8211; BNS BIJOY.xlsx<br \/>\nMD5: 1bf615946ad9ea7b5a282a8529641bf6<br \/>\nSHA1: 358867f105b517624806c3315c5426803f7c42a7<br \/>\nSHA256: bc03923e3cc2895893571068fd20dd0bc626764d06a009b91dac27982e40a085<\/p>\n<p><strong>Extracted oleObject:<\/strong><\/p>\n<p>MD5: a1d9e1dccfbba118d52f95ec6cc7c943<br \/>\nSHA1: 8efa4d5574a0c80733e9824ec146521385a68424<br \/>\nSHA256: 0c7158f9fc2093caf5ea1e34d8b8fffce0780ffd25191fac9c9b52c3208bc450<\/p>\n<h4>ZxxZ \/ Muuy Downloader<\/h4>\n<p>Filename: vc<br \/>\nMD5: 6e4b4eb701f3410ebfb5925db32b25dc<br \/>\nSHA1: c330ef43bbee001296c6c120cf68e4c90d078d9c<br \/>\nSHA256: 91ddbe011f1129c186849cd4c84cf7848f20f74bf512362b3283d1ad93be3e42<\/p>\n<h4>Almond RAT<\/h4>\n<p>Filename: stdrcl.exe<br \/>\nMD5: 71e1cfb5e5a515cea2c3537b78325abf<br \/>\nSHA1: 
bcc9e35c28430264575831e851182eca7219116f<br \/>\nSHA256: 55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396<\/p>\n<p><strong>Modified assembly with decrypted strings:<\/strong><\/p>\n<p>MD5: d58e6f93bd1eb81eacc965d530709246<br \/>\nSHA1: a47aec515f303ae7f427d98fc69fe828fa9c6ec6<br \/>\nSHA256: d83cb82be250604b2089a1198cedd553aaa5e8838b82011d6999bc6431935691<\/p>\n<h3>Host-based Indicators<\/h3>\n<p># File paths associated with the Downloader<br \/>\nC:\\$Drw\\dsw<br \/>\nC:\\$Drw\\fsutil.exe<\/p>\n<p># Almond RAT Mutex<br \/>\nsaebamini.com SingletonApp<\/p>\n<h3>Network-based Indicators<\/h3>\n<p>emshedulersvc[.]com\/vc\/vc<br \/>\nm.huandocimama[.]com<br \/>\ndiyefosterfeeds[.]com<\/p>\n<p>91.195.240[.]103<br \/>\n194.36.191[.]196<br \/>\n162.0.232[.]109<br \/>\n64.44.131[.]109<\/p>\n<h2><span class=\"ez-toc-section\" id=\"MITRE_ATT_CK_TTPs\"><\/span>MITRE ATT&amp;CK TTPs<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3>First stage &#8211; Initial Compromise<\/h3>\n<table>\n<tbody>\n<tr>\n<td width=\"150\"><strong>Tactic<\/strong><\/td>\n<td width=\"150\"><strong>Technique<\/strong><\/td>\n<td width=\"150\"><strong>Description<\/strong><\/td>\n<td width=\"150\"><strong>Observable<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"150\">Resource Development<\/td>\n<td width=\"150\">Stage Capabilities: Upload Malware (T1608.001)<\/td>\n<td width=\"150\">Bitter is using legitimate webhosting services to stage malware<\/td>\n<td width=\"150\">Hosters: HostSailor, Namecheap<\/td>\n<\/tr>\n<tr>\n<td width=\"150\">Initial Access<\/td>\n<td width=\"150\">Phishing: Spearphishing Attachment (T1566.001)<\/td>\n<td width=\"150\">Bitter is distributing malicious Microsoft Office documents with military \/ naval lures<\/td>\n<td width=\"150\">Filename: Repair of different csoc cstc, china supplied system &#8211; BNS BIJOY.xlsx<\/td>\n<\/tr>\n<tr>\n<td width=\"150\">Execution<\/td>\n<td width=\"150\">Exploitation for Client Execution (T1203)<\/td>\n<td 
width=\"150\">Exploitation of the Microsoft Office Equation Editor via a Memory Corruption (CVE-2018-0798)<\/td>\n<td width=\"150\">OLE file with stream named: Equation Native<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Intermediate Stage &#8211; Downloading additional tooling<\/h3>\n<table>\n<tbody>\n<tr>\n<td width=\"85\"><strong>Tactic<\/strong><\/td>\n<td width=\"85\"><strong>Technique<\/strong><\/td>\n<td width=\"123\"><strong>Description<\/strong><\/td>\n<td width=\"308\"><strong>Observable<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"85\">Defense Evasion<\/td>\n<td width=\"85\">Obfuscated Files or Information (T1027)<\/td>\n<td width=\"123\">Important strings in ZxxZ\/MuuyDownloader executables are XOR encrypted<\/td>\n<td width=\"308\">Example string: vSCbLAsUGPVbnCW<\/td>\n<\/tr>\n<tr>\n<td width=\"85\">Reconnaissance<\/td>\n<td width=\"85\">Gather Victim Host Information: Software (T1592.002)<\/td>\n<td width=\"123\">ZxxZ\/MuuyDownloader fingerprints the attacked system<\/td>\n<td width=\"308\">Requested URL: hxxp:\/\/m.huandocimama[.]com\/JvQKLsTYuMe\/xAexyBbnDxW\/profiles.php?profiles=&lt;USERNAME_HOSTNAME&gt;<\/td>\n<\/tr>\n<tr>\n<td width=\"85\">Command and Control<\/td>\n<td width=\"85\">Ingress Tool Transfer (T1105)<\/td>\n<td width=\"123\">ZxxZ\/MuuyDownloader is capable of downloading files from the C2 onto the system<\/td>\n<td width=\"308\">Command: UPLOAD*filepath, File naming scheme: yyyyMMdd-hhmmss_filename<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Final stage &#8211; Espionage<\/h3>\n<table>\n<tbody>\n<tr>\n<td width=\"150\"><strong>Tactic<\/strong><\/td>\n<td width=\"150\"><strong>Technique<\/strong><\/td>\n<td width=\"150\"><strong>Description<\/strong><\/td>\n<td width=\"150\"><strong>Observable<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"150\">Defense Evasion<\/td>\n<td width=\"150\">Obfuscated Files or Information (T1027)<\/td>\n<td width=\"150\">Important strings in Almond RAT executables are encrypted using 
AES-CBC<\/td>\n<td width=\"150\">Encrypted: 4CjJPGsn5qweV7CEMgTzXtD\/2oxaXj\/Cddgsjl8tJGU=, Decrypted: 64.44.131.109<\/td>\n<\/tr>\n<tr>\n<td width=\"150\">Reconnaissance<\/td>\n<td width=\"150\">Gather Victim Host Information: Software (T1592.002)<\/td>\n<td width=\"150\">Almond RAT fingerprints the attacked system<\/td>\n<td width=\"150\">Generated Fingerprint: HOSTNAME*MAC_ADDRESS*OS_VERSION<\/td>\n<\/tr>\n<tr>\n<td width=\"150\">Command and Control<\/td>\n<td width=\"150\">Non-Standard Port (T1571)<\/td>\n<td width=\"150\">Almond RAT communicates with the C2 via a non-standard port<\/td>\n<td width=\"150\">Network port: 33638\/tcp<\/td>\n<\/tr>\n<tr>\n<td width=\"150\">Command and Control<\/td>\n<td width=\"150\">Ingress Tool Transfer (T1105)<\/td>\n<td width=\"150\">Almond RAT is capable of downloading files from the C2 onto the system<\/td>\n<td width=\"150\">Command: UPLOAD*filepath, Network Port: 33638\/tcp<\/td>\n<\/tr>\n<tr>\n<td width=\"150\">Exfiltration<\/td>\n<td width=\"150\">Exfiltration over C2 Channel (T1041)<\/td>\n<td width=\"150\">Almond RAT is capable of uploading accessible files from the system to a C2 server<\/td>\n<td width=\"150\">Command: DOWNLOAD*filepath, Network Port: 33638\/tcp<\/td>\n<\/tr>\n<tr>\n<td width=\"150\">Exfiltration<\/td>\n<td width=\"150\">Data Transfer Size Limits (T1030)<\/td>\n<td width=\"150\">Almond RAT is using a 1024 byte buffer for C2 communication and Exfiltration<\/td>\n<td width=\"150\">Network buffer: 1024 bytes<\/td>\n<\/tr>\n<tr>\n<td width=\"150\">Discovery<\/td>\n<td width=\"150\">File and Directory Discovery (T1083)<\/td>\n<td width=\"150\">Almond RAT is capable of enumerating directories and files<\/td>\n<td width=\"150\">Command: DIR*<\/td>\n<\/tr>\n<tr>\n<td width=\"150\">Impact<\/td>\n<td width=\"150\">Data Destruction (T1485)<\/td>\n<td width=\"150\">Almond RAT is capable of deleting accessible files on the system<\/td>\n<td width=\"150\">Command: 
DELETE*filepath<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p style=\"font-weight: 400;\"><div class=\"fazit\"><\/p>\n<h2 style=\"font-weight: 400;\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p style=\"font-weight: 400;\">The Bitter threat group is continues to use their exploitation approach in Asia with themed lures and internal changes to avoid existing detections. To protect from such attacks network and endpoint detection and response measures should be put into place and commonly exploited software like Microsoft Office should be patched regularly. We will continue to monitor this threat group and report on changes in their Tactics, Techniques and Procedures. <\/div><\/p>\n<p><strong>Thank you for taking the time to read our analysis report! If you would like to stay up to date with our research consider following us on <a  href=\"https:\/\/twitter.com\/SI_FalconTeam\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Twitter<\/a>.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The SECUINFRA Falcon Team analyzed a recent attack conducted by the south-Asian Advanced Persistent Threat group \u201eBitter\u201c. 
<\/p>\n","protected":false},"author":6,"featured_media":30128,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[84,104,81],"tags":[241,242,243,240],"dpc_coauthors":[],"class_list":["post-29940","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-defense","category-network","category-techtalk","tag-analysis","tag-apt","tag-bitter","tag-malware"],"acf":[],"_links":{"self":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/29940","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/comments?post=29940"}],"version-history":[{"count":0,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/29940\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/media\/30128"}],"wp:attachment":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/media?parent=29940"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/categories?post=29940"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/tags?post=29940"},{"taxonomy":"dpc_coauthors","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/dpc_coauthors?post=29940"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}