# Malware analysis on Bitter APT campaign (31-08-19)

## Table of Contents
* [Malware analysis](#Malware-analysis)
  + [Initial vector](#Initial-vector)
* [Cyber Threat Intel](#Cyber-Threat-Intel)
* [Indicators Of Compromise (IOC)](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
* [Links](#Links)
  + [Original Tweet](#Original-Tweet)
  + [Link Anyrun](#Links-Anyrun)
  + [Documents](#Documents)

## Malware-analysis
### Initial vector
###### The campaign uses a document with remote template injection as its initial vector. This downloads the

![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/Extref.png "")

### Cyber kill chain
###### This process graph represents the cyber kill chain of the Bitter sample.

### Cyber Threat Intel

## References MITRE ATT&CK Matrix
###### List of all the references with MITRE ATT&CK Matrix

|Enterprise tactics|Techniques used|Ref URL|
| :---------------: |:-------------| :------------- |
|Execution|T1059 - Command-Line Interface|https://attack.mitre.org/techniques/T1059|
|Execution|T1106 - Execution through API|https://attack.mitre.org/techniques/T1106|
|Execution|T1170 - Mshta|https://attack.mitre.org/techniques/T1170|
|Execution|T1086 - PowerShell|https://attack.mitre.org/techniques/T1086|
|Execution|T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1053|
|Execution|T1064 - Scripting|https://attack.mitre.org/techniques/T1064|
|Persistence|T1060 - Registry Run Keys / Startup Folder|https://attack.mitre.org/techniques/T1060|
|Persistence|T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1053|
|Privilege Escalation|T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1053|
|Defense Evasion|T1170 - Mshta|https://attack.mitre.org/techniques/T1170|
|Defense Evasion|T1064 - Scripting|https://attack.mitre.org/techniques/T1064|
|Credential Access|T1081 - Credentials in Files|https://attack.mitre.org/techniques/T1081|
|Collection|T1113 - Screen Capture|https://attack.mitre.org/techniques/T1113|
|Collection|T1114 - Email Collection|https://attack.mitre.org/techniques/T1114|

## Indicators Of Compromise (IOC)
###### List of all the Indicators Of Compromise (IOC)

| Indicator | Description|
| ------------- |:-------------|
|IMG76329797.xls|e66181155a9cd827def409135334ecf173459e001e79853e1b38f2b8e5d8cc59|
|Inj.dll|84833991F1705A01A11149C9D037C8379A9C2D463DC30A2FEC27BFA52D218FA6|
|mse60dc.exe|de314d038d9b0f8ff32cfe3391c4eec53a3e453297978e46c9b90df2542ed592|
|bitly.com|domain requested|
|xaasxasxasx.blogspot.com|domain requested|
|resources.blogblog.com|domain requested|
|pastebin.com|domain requested|
|67.199.248.14|ip requested|
|67.199.248.15|ip requested|
|104.20.208.21|ip requested|
|http[:]//www[.]bitly[.]com/aswoesx8sxwxxd|HTTP/HTTPS requests|
|https[:]//pastebin[.]com/raw/rjfk3j9m|HTTP/HTTPS requests|
|https[:]///pastebin[.]com/raw/tgP7S1Qe|HTTP/HTTPS requests|
|https[:]//pastebin[.]com/raw/0rhAppFq|HTTP/HTTPS requests|
|https[:]//pastebin[.]com/raw/c3V923PW|HTTP/HTTPS requests|
|https[:]//pastebin[.]com/raw/VFUXDF7C|HTTP/HTTPS requests|
|http[:]//www[.]ichoubyou[.]net/ao/?3f9L=Lo3E2+YBaBWDL2bUvw2B2SYfQBwPkMAIH1i2HT9ocxT5reT2XuVh6G9ligbLGsBAAwhLuQ==&BbBX=LhTpETx8Zdn|HTTP/HTTPS requests|
|http[:]//www[.]grupomsi[.]com/ao/?3f9L=Kbq++Y0aAgDxGCx7fxZFucXlrMdtuSyVttVG37Ejsga78k8ZP/EpUCryDr6PmBWAbaydAw==&BbBX=LhTpETx8Zdn&sql=1|HTTP/HTTPS requests|
|http[:]//www[.]grupomsi[.]com/ao/|HTTP/HTTPS requests|
|http[:]//www[.]theaterloops[.]com/ao/?3f9L=M0MA2fUiqMbVb6H3GNVaAqJS8mhIciwdMXRISKDsKJcWUJLkZY1j+YIFBEd9s0Uz5tYaIQ==&BbBX=LhTpETx8Zdn&sql=1|HTTP/HTTPS requests|
|http[:]//www[.]theaterloops[.]com/ao/|HTTP/HTTPS requests|
|http[:]//www[.]sukfat[.]com/ao/|HTTP/HTTPS requests|
|http[:]//www[.]sukfat[.]com/ao/?3f9L=i08SS1jJNzlL2PYEM5jjY78DODQHD8SSq/VJ1wVBwRJ7J5CmvaFz3C5neJ7p21NB5nPOdg==&BbBX=LhTpETx8Zdn|HTTP/HTTPS requests|
|www[.]hongmenwenhua[.]com|Domain C2|
|www[.]ichoubyou[.]net|Domain C2|
|www[.]grupomsi[.]com|Domain C2|
|www[.]sukfat[.]com|Domain C2|
|www[.]theaterloops[.]com|Domain C2|
|210.188.195.164|IP C2|
|23.20.239.12|IP C2|
|185.68.16.122|IP C2|
|199.192.23.220|IP C2|

###### This can be exported in JSON format: [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/IOC_Gorgon_25-08-19.json)

## Links
* Original tweet: https://twitter.com/RedDrip7/status/1164855381052416002
* Anyrun Link:
  + [Urgent Action.docx](https://app.any.run/tasks/27a486be-50cc-4c75-ac00-b5009582d4ff)
  + [inj2.exe](https://app.any.run/tasks/d7365b93-470c-4e2e-bc6d-5e43c711d72e)
* Docs:
  + [Gorgon analysis by Unit42](https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/)
  + [The Evolution of Aggah: From Roma225 to the RG Campaign](https://securityaffairs.co/wordpress/89502/malware/evolution-aggah-roma225-campaign.html)
  + [Formbook analysis from cyberbit (June 2019)](https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/)
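The initial vector above is a document using remote template injection, which Word implements as an `attachedTemplate` relationship with `TargetMode="External"` in `word/_rels/settings.xml.rels`. The following Python check is an added example (not code from the original report) that a defender can run over a `.docx` to surface such external template targets; the in-memory fixture and the `template-host.example` URL are constructed placeholders, not indicators from the page.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type used by a Word document to point at its attached template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def external_template_targets(docx_bytes):
    """Return the external attachedTemplate targets declared in a .docx.

    A benign document has no settings.xml.rels or only an internal/relative
    target; a remote template injection document carries an External target
    that the Word client fetches when the file is opened.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return []
        root = ET.fromstring(z.read(SETTINGS_RELS))
    targets = []
    for rel in root.iter(RELS_NS + "Relationship"):
        if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
            targets.append(rel.get("Target"))
    return targets


def build_fixture(rels_xml):
    """Constructed test fixture: a minimal zip carrying only the settings
    relationships part, not a real or openable Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        if rels_xml is not None:
            z.writestr(SETTINGS_RELS, rels_xml)
    return buf.getvalue()


# Constructed sample relationships part; the host is a placeholder, not a report IOC.
SUSPICIOUS_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="' + ATTACHED_TEMPLATE + '" '
    'Target="http://template-host.example/remote.dotm" TargetMode="External"/>'
    '</Relationships>'
)

if __name__ == "__main__":
    print(external_template_targets(build_fixture(SUSPICIOUS_RELS)))
    print(external_template_targets(build_fixture(None)))
```

Run it against a real sample by passing `open(path, "rb").read()` to `external_template_targets`; an empty list means no external template is referenced, so the document would need a different loader (DDE, macros, OLE) to fetch anything at open time.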