# Malware analysis on Bitter APT campaign (31-08-19)
## Table of Contents
* [Malware analysis](#Malware-analysis)
+ [Initial vector](#Initial-vector)
+ [ArtraDownloader](#ArtraDownloader)
* [Cyber Threat Intel](#Cyber-Threat-Intel)
* [Indicators Of Compromise (IOC)](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
* [Links](#Links)
+ [Original Tweet](#Original-Tweet)
+ [Link Anyrun](#Links-Anyrun)
+ [Documents](#Documents)
## Malware-analysis
### Initial vector
###### Use a document with a remote template injection as initial vector. This request http[:]//maq.com.pk/ for be redirected on the next URL.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/Extref.png "")
###### This second URL (http[:]//maq.com.pk/wehsd) send a RTF exploit.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/HexRTF.png "")
###### This exploit execute firstly a request by WebDAV and after by WebClient service for download the backdoor on the final address (http[:]//maq.com.pk/wehs) and execute it.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/redirect.png "")
###### Here we can see the redirection and the data sended on the victim.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/trace.png "")
### ArtraDownloader
###### In the first, we can see some encoded string pushed on a function and the result is moved on another registry as storage for be used by the backdoor.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/str.png "")
###### In observing this function we can resume by the folowing algorithm used for decode these strings : for each byte of the string -> value of the byte -1 -> get Unicode value -> convert to char.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/dec.png "")
###### We can edit a script for decode the encoded string.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/algo.png "")
###### Now we can see the actions did by the malware.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/res.png "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/decstr.png "")
###### Once this done, we can see on the entrypoint, this use the startupinfo structure to specify window properties, verify the header of the PE and the get the environment values for create the process. The malware is coded in C++ language.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/Entry.png "")
###### We can observe that the malware push the persistence in the startup menu.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/persistence.png "")
###### This query the registry for get the version of the OS
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/GetProcname.PNG "")
###### This use too , the EncodePointer function for encoding a specified pointer (encoded pointers can be used to provide another layer of protection for pointer values).
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/PointerDATA.png "")
###### After perform the reconnaissance actions, this send the informations to the C2
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/send.png "")
###### In additional capacity, this can send a query the C2
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/query.png "")
### Cyber kill chain
###### This process graph represents the cyber kill chain of Bitter sample.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/Cyber.png "")
### Cyber Threat Intel
## References MITRE ATT&CK Matrix
###### List of all the references with MITRE ATT&CK Matrix
|Enterprise tactics|Technics used|Ref URL|
| :---------------: |:-------------| :------------- |
|Execution|T1059 - Command-Line Interface
T1106 - Execution through API
T1170 - Mshta
T1086 - PowerShell
T1053 - Scheduled Task
T1064 - Scripting
T1059 - Command-Line Interface|https://attack.mitre.org/techniques/T1059
https://attack.mitre.org/techniques/T1106
https://attack.mitre.org/techniques/T1170
https://attack.mitre.org/techniques/T1086
https://attack.mitre.org/techniques/T1053
https://attack.mitre.org/techniques/T1064
https://attack.mitre.org/techniques/T1059|
|Persistence|T1060 - Registry Run Keys / Startup Folder
T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1060
https://attack.mitre.org/techniques/T1053|
|Privilege Escalation|T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1053|
|Defense Evasion|T1170 - Mshta
T1064 - Scripting|https://attack.mitre.org/techniques/T1170
https://attack.mitre.org/techniques/T1064|
|Credential Access|T1081 - Credentials in Files|https://attack.mitre.org/techniques/T1081|
|Collection|T1113 - Screen Capture
T1114 - Email Collection|https://attack.mitre.org/techniques/T1113
https://attack.mitre.org/techniques/T1114|
## Indicators Of Compromise (IOC)
###### List of all the Indicators Of Compromise (IOC)
| Indicator | Description|
| ------------- |:-------------|
|IMG76329797.xls|e66181155a9cd827def409135334ecf173459e001e79853e1b38f2b8e5d8cc59|
|Inj.dll|84833991F1705A01A11149C9D037C8379A9C2D463DC30A2FEC27BFA52D218FA6|
|mse60dc.exe|de314d038d9b0f8ff32cfe3391c4eec53a3e453297978e46c9b90df2542ed592|
|bitly.com|domain requested|
|xaasxasxasx.blogspot.com|domain requested|
|resources.blogblog.com domain requested|
|pastebin.com domain requested|
|67.199.248.14|ip requested|
|67.199.248.15|ip requested|
|104.20.208.21|ip requested|
|http[:]//www[.]bitly[.]com/aswoesx8sxwxxd |HTTP/HTTPS requests|
|https[:]//pastebin[.]com/raw/rjfk3j9m |HTTP/HTTPS requests|
|https[:]///pastebin[.]com/raw/tgP7S1Qe |HTTP/HTTPS requests|
|https[:]//pastebin[.]com/raw/0rhAppFq |HTTP/HTTPS requests|
|https[:]//pastebin[.]com/raw/c3V923PW |HTTP/HTTPS requests|
|https[:]//pastebin[.]com/raw/VFUXDF7C |HTTP/HTTPS requests|
|http[:]//www[.]ichoubyou[.]net/ao/?3f9L=Lo3E2+YBaBWDL2bUvw2B2SYfQBwPkMAIH1i2HT9ocxT5reT2XuVh6G9ligbLGsBAAwhLuQ==&BbBX=LhTpETx8Zdn |HTTP/HTTPS requests|
|http[:]//www[.]grupomsi[.]com/ao/?3f9L=Kbq++Y0aAgDxGCx7fxZFucXlrMdtuSyVttVG37Ejsga78k8ZP/EpUCryDr6PmBWAbaydAw==&BbBX=LhTpETx8Zdn&sql=1 |HTTP/HTTPS requests|
|http[:]//www[.]grupomsi[.]com/ao/ |HTTP/HTTPS requests|
|http[:]//www[.]theaterloops[.]com/ao/?3f9L=M0MA2fUiqMbVb6H3GNVaAqJS8mhIciwdMXRISKDsKJcWUJLkZY1j+YIFBEd9s0Uz5tYaIQ==&BbBX=LhTpETx8Zdn&sql=1 |HTTP/HTTPS requests|
|http[:]//www[.]theaterloops[.]com/ao/ |HTTP/HTTPS requests|
|http[:]//www[.]sukfat[.]com/ao/ |HTTP/HTTPS requests|
|http[:]//www[.]sukfat[.]com/ao/?3f9L=i08SS1jJNzlL2PYEM5jjY78DODQHD8SSq/VJ1wVBwRJ7J5CmvaFz3C5neJ7p21NB5nPOdg==&BbBX=LhTpETx8Zdn |HTTP/HTTPS requests|
|www[.]hongmenwenhua[.]com |Domain C2|
|www[.]ichoubyou[.]net |Domain C2|
|www[.]grupomsi[.]com |Domain C2|
|www[.]sukfat[.]com |Domain C2|
|www[.]theaterloops[.]com |Domain C2|
|210.188.195.164|IP C2|
|23.20.239.12|IP C2|
|185.68.16.122|IP C2|
|199.192.23.220|IP C2|
###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/IOC_Gorgon_25-08-19.json)
## Links
* Original tweet: https://twitter.com/RedDrip7/status/1164855381052416002
* Anyrun Link:
+ [Urgent Action.docx](https://app.any.run/tasks/27a486be-50cc-4c75-ac00-b5009582d4ff)
+ [inj2.exe](https://app.any.run/tasks/d7365b93-470c-4e2e-bc6d-5e43c711d72e)
* Docs :
+ [Gorgon analysis by Unit42](https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/)
+ [The Evolution of Aggah: From Roma225 to the RG Campaign ](https://securityaffairs.co/wordpress/89502/malware/evolution-aggah-roma225-campaign.html)
+ [Frombook analysis from cyberbit (June 2019)](https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/)