Bitter (T-APT-17) continues to target Bangladesh, employing a multi-stage infection chain beginning with an Excel Maldoc that exploits CVE-2018-0798 to drop additional payloads. The operation culminates in Almond RAT, a .NET-based backdoor that uses AES-CBC encryption and a custom C2 protocol over a non-standard port. #Bitter #T-APT-17 #AlmondRAT #ZxxZ #MuuyDownloader #Bangladesh
Keypoints
- Bitter (T-APT-17) targets Bangladesh via spearphishing Excel documents carrying Equation Editor exploits.
- The Maldoc drops a second-stage loader that gathers system information and fetches a third-stage payload.
- Third-stage payloads include loaders, keyloggers, stealers, or RATs; Almond RAT is a newer identified variant.
- ZxxZ/MuuyDownloader acts as a second-stage downloader, using XOR-obfuscated strings and contacting a C2 to fetch the next stage.
- Almond RAT features AES-CBC encrypted strings, a mutex-based single-instance check, and a broad C2 protocol (commands like DOWNLOAD, UPLOAD, DIR, DELETE).
- The infrastructure uses multiple staging and C2 domains (e.g., emshedulersvc[.]com, huandocimama[.]com) and IPs, with typosquats such as spurshipbroker[.]com observed.
MITRE Techniques
- [T1566.001] Phishing with Spearphishing Attachment – The campaign distributed malicious Microsoft Office documents with military/naval lures. "The sample of the malicious Excel document… was likely distributed via a spearphishing email"
- [T1203] Exploitation for Client Execution – The Equation Editor exploit CVE-2018-0798 is used to execute next-stage payloads. "Equation Editor exploit, which we identified as CVE-2018-0798"
- [T1027] Obfuscated Files or Information – Important strings in ZxxZ/MuuyDownloader are XOR encrypted.
- [T1592.002] Gather Victim Host Information: Software – ZxxZ/MuuyDownloader fingerprints the attacked system.
- [T1105] Ingress Tool Transfer – ZxxZ/MuuyDownloader can download files from the C2 onto the system.
- [T1571] Non-Standard Port – Almond RAT communicates with the C2 over a non-standard port: 33638/tcp.
- [T1041] Exfiltration Over C2 Channel – Almond RAT is capable of uploading accessible files from the system to a C2 server via the channel.
- [T1083] File and Directory Discovery – Almond RAT can enumerate directories/files with DIR commands.
- [T1485] Data Destruction – Almond RAT can delete accessible files on the system with DELETE* commands.
Indicators of Compromise
- [Domain] staging and C2 domains – emshedulersvc[.]com (ZxxZ downloader), huandocimama[.]com (ZxxZ downloader/C2), diyefosterfeeds[.]com (third-stage), spurshipbroker[.]com (typosquat related domain)
- [IP Address] network hosts observed – 91.195.240[.]103, 194.36.191[.]196, 162.0.232[.]109, 64.44.131[.]109
- [File hash] Maldoc identifiers – MD5: 1bf615946ad9ea7b5a282a8529641bf6; SHA256: bc03923e3cc2895893571068fd20dd0bc626764d06a009b91dac27982e40a085
- [File hash] ZxxZ/MuuyDownloader – MD5: 6e4b4eb701f3410ebfb5925db32b25dc; SHA256: 91ddbe011f1129c186849cd4c84cf7848f20f74bf512362b3283d1ad93be3e42
- [File hash] Almond RAT – MD5: 71e1cfb5e5a515cea2c3537b78325abf; SHA256: 55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396
- [File hash] Modified assembly with decrypted strings – MD5: d58e6f93bd1eb81eacc965d530709246; SHA256: d83cb82be250604b2089a1198cedd553aaa5e8838b82011d6999bc6431935691
- [Mutex] Almond RAT single-instance indicator – saebamini.com SingletonApp
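As an added defender-side example (not code from the report or the researchers it summarizes), the following Python scans constructed connection and mutex-creation events for the indicators listed above: the staging/C2 hosts, Almond RAT's 33638/tcp C2 port (T1571), and its single-instance mutex. The simple log line format, the internal source IPs and the 203.0.113.7 destination are assumptions made for this example, not observed values.

```python
import re
from collections import namedtuple

# Indicators from the report above, kept in the defanged form it publishes.
C2_DOMAINS = {"emshedulersvc[.]com", "huandocimama[.]com",
              "diyefosterfeeds[.]com", "spurshipbroker[.]com"}
C2_IPS = {"91.195.240[.]103", "194.36.191[.]196",
          "162.0.232[.]109", "64.44.131[.]109"}
ALMOND_RAT_PORT = 33638                       # non-standard C2 port (T1571)
ALMOND_RAT_MUTEX = "saebamini.com SingletonApp"

def refang(ioc):
    """Turn the report's defanged form (example[.]com) into a matchable host."""
    return ioc.replace("[.]", ".")

KNOWN_HOSTS = {refang(x) for x in C2_DOMAINS | C2_IPS}
Alert = namedtuple("Alert", "rule line")

# Assumed log shapes (constructed for this example, not a real product format):
#   conn  <src_ip> <dst_host_or_ip> <dst_port> <proto>
#   mutex <pid> <image_path> <mutex_name>
CONN_RE = re.compile(r"^conn\s+(\S+)\s+(\S+)\s+(\d+)\s+(tcp|udp)$")
MUTEX_RE = re.compile(r"^mutex\s+(\d+)\s+(\S+)\s+(.+)$")

def scan(lines):
    """Return one Alert per line that matches a Bitter / Almond RAT indicator."""
    alerts = []
    for raw in lines:
        line = raw.strip()
        m = CONN_RE.match(line)
        if m:
            _src, dst, port, proto = m.groups()
            if dst in KNOWN_HOSTS:            # staging/C2 domain or IP from the report
                alerts.append(Alert("known_c2_host", line))
            elif proto == "tcp" and int(port) == ALMOND_RAT_PORT:
                alerts.append(Alert("almond_rat_port", line))
            continue
        m = MUTEX_RE.match(line)
        if m and m.group(3) == ALMOND_RAT_MUTEX:
            alerts.append(Alert("almond_rat_mutex", line))
    return alerts

# Constructed sample events: one known host, one port-only hit, one benign, one mutex.
SAMPLE_LOG = [
    "conn 10.0.0.5 huandocimama.com 443 tcp",
    "conn 10.0.0.5 203.0.113.7 33638 tcp",
    "conn 10.0.0.6 example.org 443 tcp",
    "mutex 4120 C:\\Users\\u\\AppData\\Roaming\\svc.exe saebamini.com SingletonApp",
]
```

Calling `scan(SAMPLE_LOG)` yields three alerts (known host, port-only, mutex) and ignores the benign line; a port-only hit is weaker evidence than a known host or the mutex and is worth corroborating before escalation.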