A South Asian advanced persistent threat (APT) actor known as ‘Bitter’ has been targeting the nuclear energy sector in China. Intezer reported that the group has been active since at least 2021, has been known for targeting energy and government organizations in Bangladesh, China, Pakistan, and Saudi Arabia, and is characterized by its use of Excel exploits, Microsoft Compiled HTML Help (CHM) files, and Windows Installer (MSI) files.
In recent cyberespionage campaigns, the Bitter APT used updated first-stage payloads, added an extra layer of obfuscation, and employed additional decoys for social engineering. The group targeted recipients in China’s nuclear energy industry with at least seven phishing emails impersonating the embassy of Kyrgyzstan in China, inviting them to join conferences on relevant subjects.
The recipients were lured into downloading and opening an attached RAR archive containing CHM or Excel payloads designed to achieve persistence and fetch additional malware from the command-and-control (C&C) server. The Excel payloads contained an Equation Editor exploit that set one scheduled task to download a next-stage EXE file and a second task to execute it. The CHM files, on the other hand, can be used to execute arbitrary code with little user interaction.
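The execution chain described above (an Office document or CHM file that ends up creating a scheduled task to fetch and run a next-stage EXE) leaves a recognizable parent/child process pattern in endpoint telemetry. The following is an added detection example written for this page, not code from Intezer or from the original report; it scans constructed Sysmon-style process-creation records for that pattern. The process names it keys on (EQNEDT32.EXE for Equation Editor, hh.exe for the HTML Help viewer, schtasks.exe for task creation) are the author's assumptions about how such payloads execute on Windows, and the sample events are constructed, not real telemetry from the campaign.

```python
from typing import Dict, List, Optional, Tuple

# Constructed Sysmon Event ID 1-style records (ParentImage, Image, CommandLine).
# These are illustrative samples written for this example, not campaign data.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Excel loading Equation Editor: can be legitimate, not flagged on its own
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Program Files (x86)\Microsoft Equation\EQNEDT32.EXE",
        "CommandLine": r'"C:\Program Files (x86)\Microsoft Equation\EQNEDT32.EXE" -Embedding',
    },
    {   # Equation Editor spawning schtasks.exe: never legitimate
        "ParentImage": r"C:\Program Files (x86)\Microsoft Equation\EQNEDT32.EXE",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks /create /sc minute /mo 10 /tn Update /tr "%TEMP%\update.exe"',
    },
    {   # HTML Help viewer spawning a shell, typical of a weaponized CHM
        "ParentImage": r"C:\Windows\hh.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c start "" "%TEMP%\update.exe"',
    },
    {   # Administrator creating a task from Explorer: benign baseline
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks /create /sc daily /tn Backup /tr "C:\Tools\backup.cmd"',
    },
    {   # Excel directly creating a scheduled task (macro or exploit)
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks /create /sc onlogon /tn Sync /tr "%APPDATA%\sync.exe"',
    },
]

# Parents that should not be creating scheduled tasks (assumed process names).
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "eqnedt32.exe", "hh.exe"}
# Interpreters a CHM viewer has no business launching.
INTERPRETERS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a rule name if the process-creation event matches, else None.

    Rules are checked from most to least specific, so an event matches at most one.
    """
    parent = basename(event["ParentImage"])
    child = basename(event["Image"])
    cmd = event["CommandLine"].lower()

    # Equation Editor is a document-rendering helper; any child process is suspicious.
    if parent == "eqnedt32.exe":
        return "equation-editor-spawned-child"
    # An Office application or help viewer registering a scheduled task.
    if parent in OFFICE_PARENTS and child == "schtasks.exe" and "/create" in cmd:
        return "office-created-scheduled-task"
    # The HTML Help viewer launching a shell or script host.
    if parent == "hh.exe" and child in INTERPRETERS:
        return "chm-spawned-interpreter"
    return None


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run every event through classify() and collect (index, rule) hits."""
    hits = []
    for idx, event in enumerate(events):
        rule = classify(event)
        if rule is not None:
            hits.append((idx, rule))
    return hits


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{rule}] {basename(ev['ParentImage'])} -> {basename(ev['Image'])}: {ev['CommandLine']}")
```

The rules key on the parent/child relationship rather than on file hashes or task names, so they still fire when the first-stage payload and the task name change between campaigns, which the page notes happened here. The Explorer-created task in the samples shows the intended false-positive boundary: task creation itself is normal; task creation by a document viewer is not.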
Intezer reported that the Bitter APT has been consistently using similar tactics and payloads, and is likely to have been equipped with plugins such as a keylogger, remote access tool, file stealer, or browser credential stealer.
In conclusion, the Bitter APT actor has been actively targeting the nuclear energy sector in China with phishing campaigns that use updated first-stage payloads and additional decoys for social engineering. The group has been using Excel exploits, CHM and MSI files, as well as plugins such as a keylogger, remote access tool, file stealer, or browser credential stealer.
Key Points:
- South Asian advanced persistent threat (APT) actor ‘Bitter’ is targeting the nuclear energy sector in China.
- The group has been active since at least 2021 and is characterized by its use of Excel exploits, Microsoft Compiled HTML Help (CHM) files, and Windows Installer (MSI) files.
- The Bitter APT targeted recipients in China’s nuclear energy industry with at least seven phishing emails impersonating the embassy of Kyrgyzstan in China.
- The group has been consistently using similar tactics and payloads, and is likely to have been equipped with plugins such as a keylogger, remote access tool, file stealer, or browser credential stealer.