Bitter APT Enhances Its Capabilities With Windows Kernel Zero-day Exploit

Also called T-APT-17, the Bitter APT group is suspected to be a state-sponsored APT group targeting countries such as Saudi Arabia, China, and Pakistan. This group was first discovered by Forcepoint Security Labs and has been active since 2013 with targets including the Energy, Engineering, and Government sectors. 

The Bitter APT group primarily uses tools such as ArtraDownloader and BitterRAT, delivered through spear-phishing emails and the exploitation of known vulnerabilities, to drop a Remote Access Trojan (RAT) payload on its victims.

Recently, researchers found that the Bitter APT group was exploiting, in the wild, a zero-day vulnerability in the Windows 10 64-bit operating system. The vulnerability also affects the latest Windows 10 releases, such as Windows 10 20H2 64-bit. The vulnerability, CVE-2021-1732, was fixed by the Microsoft Security Response Center (MSRC) in the February 2021 security update.

When the exploit sample runs on a Windows 10 1909 64-bit environment, the sample initially executes at medium integrity level and, after exploitation, runs at system integrity level. As shown in the figure below, the current process token has been replaced with the system process token, a common kernel privilege-escalation technique.

This zero-day vulnerability, CVE-2021-1732, is a high-risk kernel-level privilege escalation vulnerability in win32kfull.sys, and the exploit payload is also sophisticated. This indicates the advanced capabilities of APT groups and highlights the strong vulnerability-research skillset of the attackers.

In this blog, we will be covering the technical analysis of the recent Bitter payload in detail. Currently, the Bitter APT group is targeting China with its zero-day campaign. 

Technical analysis:  

CVE-2021-1732 results from the ClientAllocWindowClassExtraBytes callback in win32kfull!CreateWindowEx: the callback allows a kernel struct member and the flag that describes that member to fall out of sync.

When the CreateWindowEx API creates a window whose class has a WndExtra area, the kernel issues the ClientAllocWindowClassExtraBytes callback to user mode, and the callback returns a user-mode handle for the allocated WndExtra area. Inside a custom callback, the attacker calls NtUserConsoleControl with the handle of the current window; this converts a kernel struct member into an offset and sets a flag indicating that the member now holds an offset. The attacker then calls NtCallbackReturn, which returns an arbitrary value. When the kernel callback completes and control returns to kernel mode, the returned value overwrites the previous offset member, but the corresponding flag is not cleared. The kernel code later uses this unchecked offset value for heap memory addressing, causing an out-of-bounds access.

The image below shows the out-of-bounds access in the in-the-wild exploit sample.

The in-the-wild (ITW) exploit also enumerates the running processes to detect security software. For example, it looks for the “avp.exe” process, which belongs to Kaspersky antivirus software.

The payload sample analysed here was found in the wild on VirusTotal, and the Shadow Chaser Group shared the same sample with the hash 3f45d49bdb6afceb670978cf98f5c2be. The payload is a self-extractor; at runtime it creates a decoy document, “CICP Z9 name Letter dated December 2020.doc”, and a malicious payload named “dllhost.exe” in the following path: C:\intel\logs

The image below depicts the payload dropped on the victims’ machine, along with the decoy document.  

“dllhost.exe” is a VC++ compiled file containing custom-encrypted data, with the hash value 25a16b0fca9acd71450e02a341064c8d. Upon execution, the malware payload decrypts all of the encrypted data, as shown in the image below.

The Bitter APT payload creates a semaphore object named “7t56yr54r” on the victim’s machine to mark its presence and control access to shared resources. The debugger view below shows the payload invoking the CreateSemaphoreA Windows API.

Further investigation of the sample shows that the decrypted file is loaded into the memory space of dllhost.exe and executed at runtime. It contains functions that collect system information such as the computer name, user ID, OS version, and MachineGuid. The image below shows the information gathering performed by the injected code in memory.

Finally, the payload creates sockets using Winsock 2.0 and uses them to communicate with the command-and-control (C&C) server over HTTP GET requests, in order to download and execute additional payloads on the victim’s machine. The Wireshark capture below shows the C&C communication of the payload file.

As per our analysis of the C&C IP 82.221.136[.]27, it seems that it is hosted in Advania, Iceland, as shown below. 


We did not observe any further payload delivered on the victim’s machines, as the C&C HTTP response was “76No file” at the time of our analysis. 

Over the past years, security vendors have made considerable efforts to detect and protect against APT attacks across cyberspace. In response, APT groups have evolved their capabilities, for example by using zero-day exploits and other new TTPs, to stay undetected on the target.

The research team at Cyble is continuously monitoring to harvest the threat indicators/TTPs of emerging APTs in the wild to ensure that targeted organizations are well informed and proactively protected. 

Security recommendations 

  • Ensure antivirus software is up-to-date. 
  • Search for existing signs of the indicated IOCs in your environment.  
  • Consider blocking or setting up detection for all URL and IP-based IOCs. 
  • Conduct periodic vulnerability assessment and ensure the immediate patching of open vulnerabilities.  
  • Exercise caution while opening attachments and links in emails. 

Indicators of Compromise (IOCs):  

SHA-256 Hashes
7b64a739836c6b436c179eac37c446fee5ba5abc6c96206cf8e454744a0cd5f2   SFX sample “CICP Z9 Letter dated December 2020.exe”
26b3c9a5077232c1bbb5c5b4fc5513e3e0b54a735c32ae90a6d6c1e1d7e4cc0f   dllhost.exe

C&C IP
82.221.136[.]27   C&C IP
27.136.221[.]82   C&C IP

URL
hxxp://27.136.221[.]82.in-addr.arpa///RguhsT/accept.php?a=   Post communication URL
hxxp://82.221.136[.]27///RguhsT/accept.php?a=                 Post communication URL
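The C&C traffic described in the analysis section and the recommendation to search for the listed IOCs can be turned into a simple log sweep. The following Python script is an added example written for this post; it is not Cyble's tooling. It refangs the indicators from the table above, matches the C&C hosts and the /RguhsT/accept.php request path (tolerating the repeated slashes seen in the captured URLs) against proxy log lines, and looks up file hashes. The log format and the sample lines are constructed for the example; adapt the regular expression to your proxy's actual format.

```python
import re

# Network IOCs from the report's IOC table (defanged there; matched refanged here).
C2_HOSTS = {"82.221.136.27", "27.136.221.82", "27.136.221.82.in-addr.arpa"}
C2_URL_PATH = "/RguhsT/accept.php"

# File hashes from the report's IOC table, keyed by lowercase hex digest.
KNOWN_HASHES = {
    "7b64a739836c6b436c179eac37c446fee5ba5abc6c96206cf8e454744a0cd5f2":
        "SFX dropper (CICP Z9 Letter dated December 2020.exe)",
    "26b3c9a5077232c1bbb5c5b4fc5513e3e0b54a735c32ae90a6d6c1e1d7e4cc0f":
        "dllhost.exe",
}


def refang(ioc: str) -> str:
    """Reverse common defanging so an indicator can be compared with live log data."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


# Constructed proxy log layout (assumption): "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def split_url(url: str):
    """Return (host, normalised path) for a URL; runs of '/' collapse to one."""
    rest = url.split("://", 1)[1] if "://" in url else url
    host, _, path_and_query = rest.partition("/")
    path = re.sub(r"/+", "/", "/" + path_and_query.split("?", 1)[0])
    return host.lower(), path


def scan_line(line: str):
    """Return the IOC labels a single proxy log line matches (empty list if none)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    host, path = split_url(refang(m["url"]))
    labels = []
    if host in C2_HOSTS:
        labels.append("c2-host")
    if path == C2_URL_PATH:
        labels.append("c2-url-path")
    return labels


def scan_log(text: str):
    """Return [(line_number, client_ip, labels)] for every line that hit an IOC."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        labels = scan_line(line)
        if labels:
            hits.append((n, LOG_RE.match(line.strip())["client"], labels))
    return hits


def lookup_hash(hexdigest: str):
    """Return the IOC description for a known digest, or None (case-insensitive)."""
    return KNOWN_HASHES.get(hexdigest.strip().lower())


# Constructed sample log: line 1 and line 3 should hit, line 2 is benign.
SAMPLE_LOG = """\
2021-02-10T09:12:01Z 10.0.0.5 GET http://82.221.136.27///RguhsT/accept.php?a=WIN-ABC 200
2021-02-10T09:12:05Z 10.0.0.7 GET http://example.com/index.html 200
2021-02-10T09:13:10Z 10.0.0.5 GET http://27.136.221.82.in-addr.arpa///RguhsT/accept.php?a=WIN-ABC 404
"""

if __name__ == "__main__":
    for n, client, labels in scan_log(SAMPLE_LOG):
        print(f"line {n}: client {client} matched {', '.join(labels)}")
```

Matching on both the host and the normalised path is deliberate: a hostname variant (such as the in-addr.arpa form listed above) would slip past a host-only check, while the path alone still flags the request.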

YARA rule:

rule apt_bitter_win32k_0day
{
    meta:
        author = "dbappsecurity_lieying_lab"
        date = "01-01-2021"

    strings:
        $s1 = "NtUserConsoleControl" ascii wide
        $s2 = "NtCallbackReturn" ascii wide
        $s3 = "CreateWindowEx" ascii wide
        $s4 = "SetWindowLong" ascii wide

        $a1 = {48 C1 E8 02 48 C1 E9 02 C7 04 8A}
        $a2 = {66 0F 1F 44 00 00 80 3C 01 E8 74 22 FF C2 48 FF C1}
        $a3 = {48 63 05 CC 69 05 00 8B 0D C2 69 05 00 48 C1 E0 20 48 03 C1}

    condition:
        uint16(0) == 0x5a4d and all of ($s*) and 1 of ($a*)
}
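To make the rule's logic explicit for analysts who do not have the YARA engine at hand, the following Python is an added example (not part of the original post and not the rule authors' code) that re-implements the rule's three conditions by hand: the MZ header check via a little-endian uint16 at offset 0, the "ascii wide" string modifier (plain ASCII or UTF-16LE), and the "1 of ($a*)" requirement on the hex patterns. The sample blobs it builds are constructed in-line to exercise each term and are not real malware.

```python
# Rule terms copied from apt_bitter_win32k_0day above.
STRING_PATTERNS = [
    b"NtUserConsoleControl",
    b"NtCallbackReturn",
    b"CreateWindowEx",
    b"SetWindowLong",
]
HEX_PATTERNS = [
    bytes.fromhex("48 C1 E8 02 48 C1 E9 02 C7 04 8A"),
    bytes.fromhex("66 0F 1F 44 00 00 80 3C 01 E8 74 22 FF C2 48 FF C1"),
    bytes.fromhex("48 63 05 CC 69 05 00 8B 0D C2 69 05 00 48 C1 E0 20 48 03 C1"),
]


def wide(s: bytes) -> bytes:
    """YARA's 'wide' modifier: every ASCII byte followed by a NUL (UTF-16LE)."""
    return s.decode("ascii").encode("utf-16-le")


def string_present(data: bytes, s: bytes) -> bool:
    """'ascii wide' means either encoding of the string satisfies the term."""
    return s in data or wide(s) in data


def is_mz(data: bytes) -> bool:
    """uint16(0) == 0x5a4d: little-endian read of the first two bytes ('MZ')."""
    return len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D


def evaluate(data: bytes) -> dict:
    """Per-term results, useful for triage when a sample only partially matches."""
    return {
        "mz_header": is_mz(data),
        "strings_all": all(string_present(data, s) for s in STRING_PATTERNS),
        "hex_any": any(h in data for h in HEX_PATTERNS),
    }


def matches_rule(data: bytes) -> bool:
    """Equivalent of the rule's condition: all three terms must hold."""
    return all(evaluate(data).values())


def build_sample(include_hex: bool = True) -> bytes:
    """Constructed test blob (not real malware) laid out to exercise the rule's terms."""
    body = b"MZ" + b"\x00" * 62                      # fake DOS header
    body += b"\x00".join(STRING_PATTERNS[:3]) + b"\x00"
    body += wide(STRING_PATTERNS[3]) + b"\x00\x00"     # this one only in wide form
    if include_hex:
        body += b"\xCC" * 8 + HEX_PATTERNS[1] + b"\xCC" * 8
    return body


if __name__ == "__main__":
    for name, blob in [("full", build_sample(True)), ("no-hex", build_sample(False))]:
        print(name, evaluate(blob), "->", matches_rule(blob))
```

A file that carries all four API names but none of the three code patterns (the "no-hex" case) is reported term by term rather than silently rejected, which is usually what an analyst wants when tuning a rule against new samples.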

About Cyble 

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com
