BITTER, an APT group which has been active since 2015, has been observed ramping up their activity lately. In this post, I will review recent infrastructure that is actively being used by this APT, which is suspected of being used to carry out attacks against Pakistani organizations.
The BITTER APT group has notably been observed targeting Chinese and Pakistani interests in the past, and is suspected of being belonging to a country in South Asia. Recent reports from QiAnXin Technology’s “RedDrip” team, a Chinese security vendor, suggest that the BITTER APT group is actively launching attacks targeting Pakistani organizations. According to this Tweet, they are seeing malicious documents causing users to download payloads from maq.com.pk/wehs, which looks to be ArtraDownloader. ArtraDownloader is a Trojan Downloader that was discovered by PaloAlto’s UNIT42, and has also been observed downloading BitterRAT Remote Access Trojan, both of which have been associated with BITTER APT groups operations.
Researching for activity related to ArtraDownloader on App.Any.Run reveals numerous examples of malicious Microsoft Word documents exploiting the CVE-2017-11882 vulnerability to download an executable payload from the aforementioned URL identified by RedDrip (maq.com.pk). CVE-2017-11882, which was patched by Microsoft in November of 2017, is a memory corruption vulnerability which grants the attacker RCE (remote code execution) upon the user opening a specially crafted file (see here for the Microsoft advisory). These Any.Run analyses indicate that, after exploitation and download of the ArtraDownloader from maq.com.pk, there is Command & Control activity beaconing to the URL onlinejohnline99.org/kvs06v.php.
Pivoting off of Any.Run and into VirusTotal we can see that onlinejohnline99.org appears to be the Command & Control for several binaries, which are actively being distributed from several undiscovered domains. We already know about maq.com.pk, however because of VirusTotal’s relational graphing abilities, we are able to see that these binaries are also being served from biocons.pk, gandharaart.org, and sartetextile.com. One thing of interest, however notable, is all of the domains delivering these binaries are hosted by the same ISP (COMSATS, a Pakistani ISP). Digging deeper into the IP addresses hosting these domains (126.96.36.199, 188.8.131.52, 184.108.40.206, and 220.127.116.11) revealed that they were only hosting a very limited amount of domains, many of which appeared to be very suspect in naming convention or content. While these were suspicious, I could not directly relate them to BITTER APT activity at this time.
Analysis of the discovered binaries confirm them to be ArtraDownloader samples, with variations in naming and hash values (such as intelx.exe, lsasw.exe, advrt.exe, wehs.exe, reportstableregular.doc.exe, and more). I won’t go into details surrounding the actual analysis of the malware samples as PaloAlto’s UNIT42 has already gone over this at length in their article found here and the binaries I reviewed do not appear to differ significantly from what was described in their write-up. All of the samples I reviewed utilized onlinejohnline99.org as their primary Command & Control infrastructure, with the exception of one sample which instead beaconed to the domain advas.zhongwenchuantongqiye.com, which was documented as being related to BITTER operations targeting the Chinese government in May of 2019 by 360-CERT.
The Command & Control communications are typical for what we would see from ArtraDownloader, with all of the samples performing HTTP POST requests to their respective Command & Control domains with differing .php URI structures.
Various strings within these samples are obfuscated by adding or subtracting from each byte within a string, and the data being POST’d to these C2 servers is no exception. In order to decode this data, you can use the following Python script provided by UNIT42 in their analysis of the downloader.
def decode(data): out = "" for d in data: out += chr(ord(d)-1) return out print(decode("your obfuscated data here"))
Once you have deobfuscated the data, you’ll quickly see that it contains the typical identifying information that is obtained during initial infections, such as hostname, Windows version, username, unique identifier, and a Boolean value indicating if the second stage payload was downloaded and executed successfully.
|UME||Windows Version||Windows 7 Professional|
|st||Boolean value indicating if the second stage payload was downloaded and executed successfully||0|
|advas.zhongwenchuantongqiye.com/Mcx2svc.php||URL||URL for ArtraDownloader C2|
|onlinejohnline99.org/ms2u1p.php||URL||URL for ArtraDownloader C2|
|onlinejohnline99.org/kvs06v.php||URL||URL for ArtraDownloader C2|
|onlinejohnline99.org/index.htm||URL||URL for ArtraDownloader C2|
|onlinejohnline99.org/lax05u.php||URL||URL for ArtraDownloader C2|
|gandharaart.org/news/lsasw||URL||URL delivering ArtraDownloader|
|gandharaart.org/images/advrt||URL||URL delivering ArtraDownloader|
|biocons.pk/ReportsTableRegular.doc.exe||URL||URL delivering ArtraDownloader|
|sartetextile.com/news/pq||URL||URL delivering ArtraDownloader|
|sartetextile.com/demo/suo||URL||URL delivering ArtraDownloader|
|sartetextile.com/news/ctf||URL||URL delivering ArtraDownloader|
|maq.com.pk/wehs||URL||URL delivering ArtraDownloader|
|72eb6896fa9326f38d3745cc442611dc||MD5||ArtraDownloader hash for advrt.exe obtained from gandharaart.org|
|66b3039067e4f7b8ad1b3166b5dbcacf||MD5||ArtraDownloader hash for advrt.exe obtained from gandharaart.org|
|eec2828cb4a9032ab1177bb472f1977b||MD5||ArtraDownloader hash for lsasw.exe obtained from gandharaart.org and biocons.pk|
|73c297f059dd94671ca4e4c7dbfa6241||MD5||ArtraDownloader hash for wehs.exe obtained from maq.com.pk|
|3964665ec90decc41c7c38b42c5a7ce7||MD5||ArtraDownloader hash for suo.exe obtained from sartetextile.com|
|eec2828cb4a9032ab1177bb472f1977b||MD5||ArtraDownloader hash for ctf.exe obtained from sartetextile.com|