A cyber-espionage group known as Bitter (APT-Q-37), widely thought to operate from South Asia, is using new, sneaky methods to install a malicious backdoor program on computers belonging to high-value targets.
This group has a long history of stealing sensitive information from organisations, especially those in the government, electric power, and military industries in countries like China and Pakistan.
The Qi’anxin Threat Intelligence Centre recently exposed these new attacks, which aim to deploy a single C# backdoor that can remotely download and run other harmful software (EXE files) on the victim’s machine.
Two New Ways to Sneak In
According to researchers, Bitter APT is using at least two different methods to deploy this backdoor, including a fake conference file and an archive file.
Fake Conference File (Mode 1)
The first method uses a special Microsoft Office file, in this case named Nominated Officials for the Conference.xlam. When the victim enables the built-in instructions (macros), a fake error message saying “File parsing failed, content corrupted” is displayed to fool the user.
Meanwhile, the macro silently compiles the C# backdoor source on the victim's machine, using tools already present locally (such as those shipped with the .NET framework), and turns it into a working program (vlcplayer.dll). Furthermore, the attackers set up a scheduled task using a script so that the backdoor stays active on the computer, connecting to a web address associated with the group to retrieve more commands.
Tricky Archive File (Mode 2)
This is the sneakier method of the two, involving a compressed file (RAR archive) that exploits an older flaw in the WinRAR software that remains unpatched on the victim's system. This malicious RAR file (titled Provision of Information for Sectoral for AJK.rar) contains a harmless-looking Word file along with a hidden, malicious template file called Normal.dotm.
If a user extracts this archive, the flaw allows Normal.dotm to replace the real template file on their system. When the victim next opens any Word document, the program loads the tampered template, which then connects to a remote server to run the final backdoor program (winnsc.exe). That backdoor performs the same harmful actions as the one in Mode 1.
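A defender-side triage check for the Mode 2 artefacts described above, added here as an example and not code from the Qi’anxin report: it flags archive entries that would escape the extraction directory or drop a Normal.dotm anywhere, and tests whether a .dotm container carries a VBA project (word/vbaProject.bin). The archive listing and the sample .dotm are constructed, and the archive is handled as a plain list of member names rather than through a RAR parser (assumption).

```python
import io
import posixpath
import zipfile

TEMPLATE_NAME = "normal.dotm"  # Word's global template, the file Mode 2 replaces

# Constructed archive listing, not the real sample: a decoy document plus an
# entry shaped to land outside the extraction folder (hypothetical path).
SAMPLE_LISTING = [
    "Provision of Information for Sectoral for AJK.docx",
    "..\\..\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm",
]


def suspicious_members(member_names):
    """Flag archive entries that would escape the extraction directory or
    that would drop a Normal.dotm at all. Returns (name, reasons) pairs."""
    flagged = []
    for name in member_names:
        # Windows archivers emit backslashes; normalise before inspecting.
        norm = posixpath.normpath(name.replace("\\", "/"))
        reasons = []
        if norm == ".." or norm.startswith("../") or posixpath.isabs(norm) or norm[1:2] == ":":
            reasons.append("path-escape")
        if posixpath.basename(norm).lower() == TEMPLATE_NAME:
            reasons.append("template-drop")
        if reasons:
            flagged.append((name, ",".join(reasons)))
    return flagged


def has_vba_project(dotm_bytes):
    """True if an OOXML container embeds a VBA project (word/vbaProject.bin),
    i.e. the template carries macros and deserves closer inspection."""
    try:
        with zipfile.ZipFile(io.BytesIO(dotm_bytes)) as z:
            return any(n.lower() == "word/vbaproject.bin" for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def build_sample_dotm(with_macros):
    """Constructed minimal .dotm-like container so the check runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()
```

On a real system the same has_vba_project check can be pointed at the Normal.dotm in the user's Word templates folder after an archive extraction, alongside a review of its modification time.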
Common Goal: Stealing Data
It is worth noting that both attacks ultimately install the same C# backdoor to collect basic device information. Researchers note that the infrastructure used in these two separate attacks, including domain names registered in April this year, strongly points to the Bitter group.
“The above two attacks ultimately use the same C# backdoor, and the C&C server of the backdoor communication points to the sub-domain of esanojinjasvc.com, which was registered in April this year, so we can assume that these samples come from the same attack group,” researchers noted in the blog post.
To stay safe, the Centre urges users to be very careful with unknown email attachments, keep software like WinRAR up to date, disable macros, monitor network traffic for suspicious activity, and use specialised tools like a sandbox to safely inspect untrusted files.