Bitter APT Leverages Old WinRAR Vulnerability for Recent Backdoor Attacks

A cyber-espionage group tracked as Bitter (APT-Q-37) is reportedly using new techniques to infect the computers of high-value targets, most of them believed to be based in South Asia.

Bitter has established a lengthy history of compromising sensitive data, particularly from organizations within government, energy, and military sectors in nations like China and Pakistan. Recent findings from the Qi’anxin Threat Intelligence Centre have unveiled new methods employed by this group, aiming to introduce a C# backdoor capable of remotely executing additional malicious software on compromised systems.

New Infiltration Techniques

According to cybersecurity researchers, Bitter APT is leveraging at least two distinct strategies to facilitate the deployment of this backdoor, involving both a counterfeit conference file and a deceptive archive file.

Counterfeit Conference File Method

The first approach involves a specially crafted Microsoft Office file named Nominated Officials for Conference.xlam. When a user opens the file and enables macros, a fabricated error message reading “File parsing failed, content corrupted,” is displayed to mislead the victim. Behind the scenes, however, the macro compiles the C# backdoor locally, using components of the .NET Framework already present on the system, and produces a DLL named vlcplayer.dll. The attackers also create a scheduled task through an embedded script to keep the backdoor running, after which it communicates with an attacker-controlled web address.

Sophisticated Archive File Method

The second method is more insidious: a RAR archive that exploits an existing, still-unresolved WinRAR vulnerability whose specific details remain undisclosed. The malicious archive, named Provision of Information for Sectoral for AJK.rar, contains an innocuous-looking Word document alongside a hidden, malicious template file named Normal.dotm.

When the archive is extracted, the flaw allows Normal.dotm to overwrite the legitimate template file on the user’s system. From then on, whenever the user opens a Word document, Word loads the tampered template, which connects to a remote server to fetch and execute the backdoor program known as winnsc.exe, mirroring the harmful behaviour of the first method.
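As an added defensive example (not code from the article or from Qi’anxin’s report), the script below audits a Word template such as Normal.dotm, which is an OOXML zip, for two indicators a tampered template would carry: an embedded VBA project and package relationships that point to external targets. It assumes the standard Normal.dotm location under %APPDATA%\Microsoft\Templates and builds a constructed sample template in memory for demonstration.

```python
"""Audit a Word template (.dotm, an OOXML zip) for signs of tampering."""
import io
import os
import re
import zipfile
from typing import Optional

# Assumed default location of the user's Normal.dotm on Windows.
NORMAL_DOTM = os.path.join(os.environ.get("APPDATA", ""), "Microsoft", "Templates", "Normal.dotm")


def audit_template(data: bytes) -> dict:
    """Return {'has_vba': bool, 'external_targets': [...]} for a template's bytes.

    A VBA project (word/vbaProject.bin) means macro code runs whenever Word loads
    the template. Relationships with TargetMode="External" (attached templates,
    hyperlinks, linked objects) name resources outside the file; in Normal.dotm
    any such target deserves review.
    """
    findings = {"has_vba": False, "external_targets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        findings["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in (n for n in names if n.endswith(".rels")):
            xml = z.read(name).decode("utf-8", "replace")
            for tag in re.findall(r"<Relationship\b[^>]*>", xml):
                if 'TargetMode="External"' in tag:
                    target = re.search(r'Target="([^"]*)"', tag)
                    findings["external_targets"].append(target.group(1) if target else "?")
    return findings


def audit_user_normal_dotm() -> Optional[dict]:
    """Audit the current user's Normal.dotm; None if it does not exist (e.g. not Windows)."""
    if not os.path.isfile(NORMAL_DOTM):
        return None
    with open(NORMAL_DOTM, "rb") as f:
        return audit_template(f.read())


def build_sample_template(with_vba: bool, external_target: Optional[str] = None) -> bytes:
    """Constructed minimal OOXML skeleton used only to exercise the audit offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        rels = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        if external_target:
            rels += f'<Relationship Id="rId9" Type="attachedTemplate" Target="{external_target}" TargetMode="External"/>'
        z.writestr("word/_rels/settings.xml.rels", rels + "</Relationships>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()
```

A clean Normal.dotm normally reports no VBA project and no external targets; either finding is a cue to compare the file against a known-good copy and to look for associated scheduled tasks and outbound connections.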

Figure: Attack chain (Source: Qi’anxin Threat Intelligence)

Common Objective: Data Theft

Both strategies ultimately install the same C# backdoor, which is designed to collect basic device information. Researchers indicate that the infrastructure associated with these attacks, including domain names registered earlier this year, strongly implicates the Bitter group as the perpetrator.

Researchers noted that the two attacks use the same C# backdoor and that their communication channels point to a subdomain of esanojinjasvc.com, registered in April, which suggests a common origin for both attempts. To mitigate the threat, security experts recommend that organizations treat unknown email attachments with caution, keep software such as WinRAR up to date, disable macros where they are not needed, monitor network traffic for unusual patterns, and use tools such as sandboxes to inspect untrusted files safely.
