Bitter Group Distributes CHM Malware to Chinese Organizations – ASEC BLOG

The Bitter (T-APT-17) group is a threat group that usually targets South Asian government organizations, distributing malware through Microsoft Office documents such as Word or Excel files. AhnLab Security Emergency response Center (ASEC) has identified multiple cases of the group distributing CHM malware to certain Chinese organizations. CHM files have been used by various threat groups in APT attacks since earlier this year and have been covered multiple times in ASEC blog posts.

The files used in the recent attack were being distributed as attachments to emails as compressed files. The compressed files contain a CHM file with the following filenames.

  • Filenames used in distribution
    Project Plan 2023 .chm
    Urgent passport enquiry of the following officials.docx.chm
    SUSPECTED      FOREIGN TERRORIST FIGHTERS.chm
    Forensic Evidence on Crime Scene.chm
    Patches updates.chm
    Ticktes.chm
    KC_16.11.chm

When CHM files are executed, most generate an empty help window, but some display content related to the “United Front Work Department of the Central Committee of the Chinese Communist Party” and “Russian-Chinese Committee for Friendship, Peace and Development.”

Screen when the CHM file is opened (1)
Screen when the CHM file is opened (2)

The malicious script found inside these CHM files is shown below. It is difficult for users to notice how the script operates. A common characteristic of both variants is that the part of the script calling the Click method, which executes the linked shortcut object, is obfuscated. Unlike CHM files covered in the past, this version appears to evade static detection through obfuscation.

Malicious script type (1)
Malicious script type (2)
Malicious script type (2) – After decrypting obfuscated Powershell command

When the script is executed, both types create a task that runs a malicious command. Each command connects to its respective URL below and executes an additional malicious file. Both URLs are currently unavailable, but an MSI file presumed to have been downloaded from the first URL has been collected.

  • hxxps://bluelotus.mail-gdrive[.]com/Services.msi
  • hxxps://coauthcn[.]com/hbz.php?id=%computername%

Upon execution, the MSI file drops a legitimate executable and a malicious DLL, then runs the executable. The generated files are shown below. When MicrosoftServices.exe is executed, it loads OLMAPI32.dll, which is the malicious file created by the threat actor. This is the DLL Side-Loading technique (T1574.002).

Files used for DLL Side-Loading

The features of the loaded malicious DLL are as follows. First, it collects user information through the following commands and saves it in "c:\Users\Public\cr.dat".

  • IP Info
    cmd.exe /c nslookup myip.opendns.com resolver1.opendns.com>> c:\Users\Public\cr.dat
  • System Info
    cmd.exe /c systeminfo>> c:\Users\Public\cr.dat
  • Directory Info
    cmd.exe /c dir "%userprofile%\Documents">> c:\Users\Public\cr.dat
    cmd.exe /c dir "%userprofile%\Desktop">> c:\Users\Public\cr.dat
    cmd.exe /c dir "%userprofile%\Downloads">> c:\Users\Public\cr.dat

Afterward, a task is created to maintain persistence which executes MicrosoftServices.exe under the name “Microsoft Update.”

Task Scheduler

Additionally, it attempts to connect to the following C2 server and can perform various malicious behaviors according to commands received from the threat actor.

  • msdata.ddns[.]net:443
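Defender-side detection logic for the chain described above (recon commands appended to cr.dat, the side-loaded DLL, the "Microsoft Update" task, and the C2 host), written as an added example for this post and not ASEC's own tooling; the event schema, the sample telemetry and the drop paths in it are constructed.

```python
import re

# Indicators quoted in the post; all matching is case-insensitive.
STAGING_FILE = r"c:\users\public\cr.dat"
RECON_PATTERNS = [
    re.compile(r"nslookup\s+myip\.opendns\.com", re.I),
    re.compile(r"\bsysteminfo\b", re.I),
    re.compile(r"\bdir\s+\"?%userprofile%\\(documents|desktop|downloads)\b", re.I),
]
SIDELOAD_HOST, SIDELOAD_DLL = "microsoftservices.exe", "olmapi32.dll"
PERSIST_TASK, C2_HOST = "microsoft update", "msdata.ddns.net"

def classify(event: dict) -> list:
    """Return the indicator names one event matches ([] if clean). The event schema
    (a 'type' key selecting process/imageload/task/dns fields) is constructed."""
    hits, kind = [], event.get("type")
    if kind == "process":
        cmd = event.get("cmdline", "")
        # Recon commands only count when output is appended to the known staging file.
        if STAGING_FILE in cmd.lower() and any(p.search(cmd) for p in RECON_PATTERNS):
            hits.append("recon-to-cr.dat")
    elif kind == "imageload":
        if (event.get("image", "").lower().endswith(SIDELOAD_HOST)
                and event.get("loaded", "").lower().endswith(SIDELOAD_DLL)):
            hits.append("dll-sideload")
    elif kind == "task":
        if (event.get("name", "").lower() == PERSIST_TASK
                and SIDELOAD_HOST in event.get("command", "").lower()):
            hits.append("persistence-task")
    elif kind == "dns" and event.get("query", "").lower() == C2_HOST:
        hits.append("c2-dns")
    return hits

def scan(events: list) -> dict:
    """Map each indicator to the indices of the events that triggered it."""
    found = {}
    for i, ev in enumerate(events):
        for h in classify(ev):
            found.setdefault(h, []).append(i)
    return found

# Constructed sample telemetry mirroring the described chain; drop paths are assumed.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r"cmd.exe /c nslookup myip.opendns.com resolver1.opendns.com>> c:\Users\Public\cr.dat"},
    {"type": "process", "cmdline": r'cmd.exe /c dir "%userprofile%\Documents">> c:\Users\Public\cr.dat'},
    {"type": "process", "cmdline": "cmd.exe /c systeminfo"},  # benign: no staging file
    {"type": "imageload", "image": r"C:\Users\Public\MicrosoftServices.exe", "loaded": r"C:\Users\Public\OLMAPI32.dll"},
    {"type": "task", "name": "Microsoft Update", "command": r"C:\Users\Public\MicrosoftServices.exe"},
    {"type": "dns", "query": "msdata.ddns.net"},
]
```

Feeding real process, image-load, task-creation and DNS events through `scan` after normalising them to this schema gives one hit list per indicator; a host matching two or more indicators reproduces the whole chain.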

Recently there has been a rise in attacks using CHM files both in Korea and overseas, and this file format is being used for various malware. Users must carefully check the senders of emails and refrain from opening files from unknown sources. They should also perform routine PC checks and always keep their security products updated to the latest version.

[File Detection]
Trojan/Win.Generic.R560734 (2023.03.04.03)
Dropper/CHM.Generic (2023.03.30.00)
Dropper/MSI.Generic (2023.04.04.03)

[IOC]
8b15c4a11df2deea9ad4699ece085a6f
cce89f4956a5c8b1bec82b21e371645b
a7e8d75eae4f1cb343745d9dd394a154
09a9e1b03f7d7de4340bc5f9e656b798
hxxps://bluelotus.mail-gdrive[.]com/Services.msi
hxxps://coauthcn[.]com/hbz.php?id=%computername%
msdata.ddns[.]net:443

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Source: https://asec.ahnlab.com/en/51043/