# 09/06/2019 - BITTER APT: Not So Sweet **[meltx0r.github.io/tech/2019/09/06/bitter-apt-not-so-sweet.html](https://meltx0r.github.io/tech/2019/09/06/bitter-apt-not-so-sweet.html)** MeltX0R Security September 6, 2019 ## Summary BITTER, an APT group which has been active since 2015, has been observed ramping up their activity lately. In this post, I will review recent infrastructure that is actively being used by this APT, which is suspected of being used to carry out attacks against Pakistani organizations. ## Analysis The BITTER APT group has notably been observed targeting Chinese and Pakistani interests in the past, and is suspected of being belonging to a country in South Asia. Recent reports from QiAnXin Technology’s “RedDrip” team, a Chinese security vendor, suggest that the BITTER APT group is actively launching attacks targeting Pakistani organizations. According to this, they are seeing malicious documents causing users to download payloads from maq.com.pk/wehs, which looks to be ArtraDownloader. ArtraDownloader is a Trojan Downloader that was discovered by PaloAlto’s UNIT42, and has also been observed downloading BitterRAT Remote Access Trojan, both of which have been associated with BITTER APT groups operations. Researching for activity related to ArtraDownloader on App.Any.Run reveals numerous examples of malicious Microsoft Word documents exploiting the CVE-2017-11882 vulnerability to download an executable payload from the aforementioned URL identified by RedDrip (maq.com.pk). CVE2017-11882, which was patched by Microsoft in November of 2017, is a memory corruption vulnerability which grants the attacker RCE (remote code execution) upon the user opening a [specially crafted file (see here for the Microsoft advisory). These Any.Run analyses indicate that,](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882) after exploitation and download of the ArtraDownloader from maq.com.pk, there is Command & Control activity beaconing to the URL onlinejohnline99.org/kvs06v.php. Shown above: App.Any.Run samples of ArtraDownloader Pivoting off of Any.Run and into VirusTotal we can see that onlinejohnline99.org appears to be the Command & Control for several binaries, which are actively being distributed from several ----- relational graphing abilities, we are able to see that these binaries are also being served from _biocons.pk, gandharaart.org, and sartetextile.com. One thing of interest, however notable, is all of_ the domains delivering these binaries are hosted by the same ISP (COMSATS, a Pakistani ISP). Digging deeper into the IP addresses hosting these domains (203.124.44.31, 203.124.44.66, _203.124.44.93, and 203.124.43.227) revealed that they were only hosting a very limited amount_ of domains, many of which appeared to be very suspect in naming convention or content. While these were suspicious, I could not directly relate them to BITTER APT activity at this time. Shown above: VirusTotal Graph of this campaign’s infrastructure Analysis of the discovered binaries confirm them to be ArtraDownloader samples, with variations in naming and hash values (such as intelx.exe, lsasw.exe, advrt.exe, wehs.exe, reportstableregular.doc.exe, and more). I won’t go into details surrounding the actual analysis of the malware samples as PaloAlto’s UNIT42 has already gone over this at length in their article [found here and the binaries I reviewed do not appear to differ significantly from what was](https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/) described in their write-up. All of the samples I reviewed utilized onlinejohnline99.org as their primary Command & Control infrastructure, with the exception of one sample which instead beaconed to the domain advas.zhongwenchuantongqiye.com, which was documented as being related to BITTER operations targeting the Chinese government in May of 2019 by 360-CERT. The Command & Control communications are typical for what we would see from ArtraDownloader with all of the samples performing HTTP POST requests to their respective ----- Shown above: Packet capture of ArtraDownloader C2 Various strings within these samples are obfuscated by adding or subtracting from each byte within a string, and the data being POST’d to these C2 servers is no exception. In order to decode this data, you can use the following Python script provided by UNIT42 in their analysis of the downloader. def decode(data): out = "" for d in data: out += chr(ord(d)-1) return out (decode("your obfuscated data here")) Once you have deobfuscated the data, you’ll quickly see that it contains the typical identifying information that is obtained during initial infections, such as hostname, Windows version, username, unique identifier, and a Boolean value indicating if the second stage payload was downloaded and executed successfully. **Vari‐** **Description** **Decoded** ----- UME Windows Version Windows 7 Professional OPQ Username admin IVR Unique Identifier USER-PC##admin@@00371461-2203502-85564 st Boolean value indicating if the second stage payload was downloaded and executed successfully 0 During my analysis, I was unable to obtain a second stage payload to further examine the BITTER APT infrastructure. However the additional payload would likely have been the BitterRAT Remote Access Trojan, which is routinely distributed by ArtraDownloader variants. Once installed, the BITTER actors could then pivot and perform various other action on objectives. At this time, the motives of this group is unknown, however it is likely that this campaign is in pursuit of some form of espionage due to the reports of them being backed by a south Asian country (some reports indicate India). Based on much of the infrastructure observed being hosted in Pakistan, I would agree with the initial suspicion that Pakistan is being targeted in these attacks. This would also further reaffirm the possible Indian attribution to BITTER APT, due to the long-running unrest regarding the Kashmir territorial conflict between India and Pakistan over the Kashmir region. ## Indicators **Indicator** **Type** **Description** advas.zhongwenchuantongqiye.com/Mcx2svc.php URL URL for ArtraDownloader C2 onlinejohnline99.org/ms2u1p.php URL URL for ArtraDownloader C2 onlinejohnline99.org/kvs06v.php URL URL for ArtraDownloader C2 onlinejohnline99.org/index.htm URL URL for ArtraDownloader C2 onlinejohnline99.org/lax05u.php URL URL for ArtraDownloader C2 gandharaart.org/news/lsasw URL URL delivering ArtraDownloader gandharaart.org/images/advrt URL URL delivering ArtraDownloader biocons.pk/ReportsTableRegular.doc.exe URL URL delivering ArtraDownloader sartetextile.com/news/pq URL URL delivering ArtraDownloader sartetextile.com/demo/suo URL URL delivering ArtraDownloader sartetextile.com/news/ctf URL URL delivering ArtraDownloader maq.com.pk/wehs URL URL delivering ArtraDownloader 72eb6896fa9326f38d3745cc442611dc MD5 ArtraDownloader hash for advrt.exe obtained from gandharaart.org 66b3039067e4f7b8ad1b3166b5dbcacf MD5 ArtraDownloader hash for advrt.exe obtained from gandharaart.org ----- 73c297f059dd94671ca4e4c7dbfa6241 MD5 ArtraDownloader hash for wehs.exe obtained from maq.com.pk 3964665ec90decc41c7c38b42c5a7ce7 MD5 ArtraDownloader hash for suo.exe ob‐ tained from sartetextile.com eec2828cb4a9032ab1177bb472f1977b MD5 ArtraDownloader hash for ctf.exe ob‐ tained from sartetextile.com ## References/Further Reading 1. https://en.wikipedia.org/wiki/Kashmir_conflict 2. https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to target-pakistan/ 3. https://www.anomali.com/blog/suspected-bitter-apt-continues-targeting-government-of china-and-chinese-organizations 4. https://cert.360.cn/report/detail?id=137867e159331b7a968aa45050502d13 5. https://unit42.paloaltonetworks.com/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild/ 6. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882 7. https://twitter.com/RedDrip7/status/1164855381052416002 -----