SecurityWeek reports that China's nuclear energy sector has been subjected to a cyberespionage campaign by South Asian advanced persistent threat group Bitter.
The campaign used phishing emails spoofing the Kyrgyzstan embassy in China to lure recipients into opening a RAR archive attachment carrying Excel or CHM payloads, which established persistence and retrieved additional malware, a report from Intezer revealed. Researchers found that the Excel payloads created scheduled tasks to deploy and run a next-stage EXE file, while the CHM files enabled arbitrary code execution. Bitter APT was also observed using a variety of other files in the operation.
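The chain described above (an Office document creating a scheduled task, or a CHM file launching a command interpreter) leaves a recognisable parent/child process signature on the endpoint. The following detection logic is an added example written for this page; it is not code from the SecurityWeek or Intezer reports. It assumes process-creation events with the field names used by Sysmon Event ID 1 (ParentImage, Image, CommandLine), that `hh.exe` is the Windows HTML Help viewer that renders CHM files, and that the Excel-to-`schtasks.exe` chain is a faithful reading of the report's description. All sample events are constructed for illustration.

```python
"""Flag process-creation events matching the Excel/CHM -> scheduled task chain.

Added example, not from the report. Field names mirror Sysmon Event ID 1;
the sample events at the bottom are constructed, not captured telemetry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Office applications that should not normally be creating scheduled tasks.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Windows HTML Help executable that opens .chm files (assumed viewer).
CHM_VIEWER = "hh.exe"
# Interpreters/LOLBins whose launch from the CHM viewer is suspicious.
INTERPRETERS = {"cmd.exe", "powershell.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe"}
# Directories a standard user can write to; a task action pointing here is a
# common persistence sign because the dropped EXE needs no admin rights.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Minimal process-creation record (subset of Sysmon Event ID 1 fields)."""
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def inspect_event(ev: ProcEvent) -> list[str]:
    """Return a list of alert strings for one event (empty when benign)."""
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    alerts: list[str] = []

    # Rule 1: scheduled-task creation spawned by an Office app, and/or a task
    # action located in a user-writable directory.
    if child == "schtasks.exe" and re.search(r"/create\b", ev.command_line, re.I):
        if parent in OFFICE_PARENTS:
            alerts.append(f"office-spawned-schtasks: {parent} created a scheduled task")
        if USER_WRITABLE.search(ev.command_line):
            alerts.append("schtasks-user-writable-target: task action points into a "
                          "user-writable directory")

    # Rule 2: the CHM viewer launching a command interpreter or LOLBin.
    if parent == CHM_VIEWER and child in INTERPRETERS:
        alerts.append(f"chm-spawned-interpreter: {CHM_VIEWER} launched {child}")

    return alerts


def scan(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Run inspect_event over a batch and return (event index, alert) pairs."""
    return [(i, a) for i, ev in enumerate(events) for a in inspect_event(ev)]


# Constructed sample telemetry: two malicious-looking events, two benign ones.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc minute /mo 15 /tn "Update" /tr "C:\Users\Public\update.exe"'),
    ProcEvent(r"C:\Windows\hh.exe",
              r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c start C:\Users\user\AppData\Local\Temp\x.exe"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\schtasks.exe",
              r"schtasks /query"),
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'),
]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {alert}")
```

The two rules are deliberately narrow: they key on the parent/child relationship rather than on file hashes, so they still fire when the attacker rotates payloads, which is the behaviour Intezer describes. In production the Office parent list and the user-writable path pattern would be tuned to the environment's own software inventory.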
"Bitter APT does not appear to change their tactics too much, therefore we can assume that the payloads will be similar to those observed in 2021, executing a downloader module that can be served with plugins such as a keylogger, remote access tool, file stealer, or browser credential stealer," said Intezer.