Bitter Group Distributes CHM Malware to Chinese Organizations – ASEC BLOG

The Bitter (T-APT-17) group has been distributing CHM-based malware to Chinese organizations via email attachments, continuing its pattern of targeting government-related entities using Microsoft Office workflows. The CHM payloads employ obfuscation to evade detection, load a malicious DLL through DLL side-loading, and connect to a command-and-control server to carry out additional malicious actions. #Bitter #TAPT17 #CHM #ChineseOrganizations #AhnLabASEC

Keypoints

  • The Bitter (T-APT-17) threat group, known for targeting South Asian government entities with Office-based malware, is now distributing CHM malware to Chinese organizations.
  • CHM attachments are delivered inside compressed email files with filenames such as “Project Plan 2023 .chm” and “Urgent passport enquiry of the following officials.docx.chm.”
  • Many CHM files open with an empty help window, while some display content referencing the United Front Work Department and related groups, indicating a tactic to appear credible.
  • The internal malicious CHM script is obfuscated to impede static analysis, especially the Click method that executes the linked shortcut object.
  • The attack chain downloads an MSI from two URLs, then uses DLL side-loading (OLMAPI32.dll) to execute a malicious DLL loaded by MicrosoftServices.exe for persistence.
  • The DLL collects system information (IP, system, and directory info) into c:\Users\Public\cr.dat, creates a persistence task named “Microsoft Update,” and contacts a C2 server at msdata.ddns[.]net:443.

MITRE Techniques

  • [T1566.001] Phishing – Spearphishing Attachment – “the compressed files contain a CHM file”
  • [T1059.001] PowerShell – “After decrypting obfuscated Powershell command”
  • [T1027.001] Obfuscated/Encrypted Files or Information – “the part of the script involving the Click method which executes the linked shortcut object is obfuscated… evades static diagnosis through obfuscation”
  • [T1574.002] DLL Side-Loading – “The DLL Side-Loading method (T1574.002) has been used.”
  • [T1053.005] Scheduled Task – “a task is created to maintain persistence which executes MicrosoftServices.exe under the name ‘Microsoft Update’”
  • [T1105] Ingress Tool Transfer – “MSI file presumed to have been downloaded from the first URL has been collected.”
  • [T1071.001] Web Protocols – “connect to the following C2 server and can perform various malicious behaviors”

Indicators of Compromise

  • [Hash] context – 8b15c4a11df2deea9ad4699ece085a6f, cce89f4956a5c8b1bec82b21e371645b, and 2 more hashes
  • [URL] context – https://bluelotus.mail-gdrive[.]com/Services.msi, https://coauthcn[.]com/hbz.php?id=%computername%
  • [Domain] context – msdata.ddns[.]net:443

Read more: https://asec.ahnlab.com/en/51043/