Operation Monsoon: Disclosures on APT-C-08 BITTER's Large-Scale Phishing Campaign
APT-C-08 BITTER is a government-backed APT group originating from South Asia that has persistently conducted cyber espionage against neighboring countries in recent years. Its targets include government agencies, military-industrial enterprises, academic institutions, and overseas representative organizations, making it one of the most active foreign APT groups targeting Chinese entities. Since July 2020, 360 Security Brain has detected a large-scale BITTER phishing campaign targeting South Asia. Tracking by the 360 Advanced Threat Research Institute found that the operation involved multiple organizations and government agencies in China and Pakistan, and the attacks remain active as of this report. The group continued its earlier tactic of impersonating email systems while significantly escalating the scale and frequency of attacks, delivering malicious payloads disguised as conference documents or software to key targets. Because the campaign coincided with the South Asian monsoon season (June-September), 360 researchers named it "Operation Monsoon". This report provides a comprehensive analysis of the attack.

**Affected Industries**

Analysis of which portals the phishing domains imitated reveals targeted sectors including government, education, and military-industrial organizations. Phishing domain activity peaked in July-August 2020.

**Attack Methodology**

BITTER adopted a novel attack chain combining social engineering with credential harvesting:

1) Initial compromise of vulnerable email accounts through brute-force attacks or cloned email portals.
2) Weaponizing the compromised "seed" accounts to send tailored phishing emails to their trusted contacts, spreading the compromise laterally to further organizations.

Secondary attacks employed multiple vectors:

- Fake attachment links redirecting to cloned email login pages
- Meeting-themed lures distributing malicious Zoom installers
- Malicious documents exploiting DDE vulnerabilities
- EXE files disguised with PDF icons

**Phishing Infrastructure**

The group cloned legitimate email portals (e.g. 163 Mail and university portals) with high fidelity, modifying the login form's POST endpoint so that submitted credentials are harvested by the attacker. Phishing domains mimicked targets by flattening the legitimate hostname into a hyphen-separated subdomain (mail-tsinghua-edu-cn.netlify.app in place of the legitimate mail.tsinghua.edu.cn). The attack infrastructure leveraged third-party hosting services (000webhostapp.com, netlify.app) and domains hosted at the French provider OVH (hhwebmail.com, system-e-mails.space).

**Malicious Payloads**

Two primary payload families were observed:

1) **Delphi-packed DarktrackRAT**: delivered via ZIP archives containing a decoy PDF and a "Revised" EXE file. It uses anti-analysis techniques including sandbox checks via process and registry enumeration and debugger detection, and persists via startup VBS scripts. Capabilities include file exfiltration, process manipulation, screen capture, webcam access, and credential theft from Chrome and Firefox.
2) **AsyncRAT**: distributed through VB downloaders that fetch payloads from authowawebmailgo.com. It employs VM detection and anti-sniffing checks for Fiddler and Wireshark, uses .NET Reactor obfuscation, and reflectively loads Pj.dll. Features include process injection, lateral movement via LNK files, and encrypted C2 communication.

**Evolutionary Patterns**

Recent samples show increasing anti-analysis sophistication:

- Transition from XOR to RC4 encryption of the shellcode
- Guard-page exception handling (STATUS_GUARD_PAGE) to trigger code execution
- Continuous updates to bypass security products

**Conclusion**

APT-C-08 BITTER demonstrates persistent targeting of critical South Asian entities through socially engineered phishing campaigns. The 360 Advanced Threat Research Institute continues to monitor these activities, with detection coverage provided through the 360 Threat Intelligence Cloud and APT Panorama Radar to protect enterprise networks.
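The hyphen-flattened lookalike domains described under Phishing Infrastructure can be hunted for in proxy or DNS logs. The following Python is an added detection example, not code from the 360 report; the watch list, the hosting-apex list and the log lines are constructed, with only mail.tsinghua.edu.cn, netlify.app and 000webhostapp.com taken from the report. It also generalizes slightly beyond the report's single instance by matching any watched domain, including ones that legitimately contain hyphens.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Legitimate portals to protect (constructed watch list; only
# mail.tsinghua.edu.cn is named in the report, the others are assumptions).
WATCHED_DOMAINS = {"mail.tsinghua.edu.cn", "mail.163.com", "portal.pku.edu.cn"}
# Third-party hosting apexes named in the report; extend as needed.
HOSTING_APEXES = {"netlify.app", "000webhostapp.com"}

def _flatten(name: str) -> str:
    """Drop dots and hyphens so 'mail-tsinghua-edu-cn' == 'mail.tsinghua.edu.cn'."""
    return re.sub(r"[.-]", "", name.lower())

_WATCH_INDEX = {_flatten(d): d for d in WATCHED_DOMAINS}

def flattened_lookalike(hostname: str) -> Optional[str]:
    """Return the imitated legitimate domain if `hostname` is a hyphen-flattened
    clone hosted under a known third-party apex, otherwise None."""
    host = hostname.strip().lower().rstrip(".")
    for apex in HOSTING_APEXES:
        if host.endswith("." + apex):
            # The label directly under the apex carries the flattened domain;
            # deeper labels (login.mail-tsinghua-edu-cn.netlify.app) are ignored.
            label = host[: -len(apex) - 1].split(".")[-1]
            return _WATCH_INDEX.get(_flatten(label))
    return None

def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (requested_host, imitated_domain) pairs for suspicious requests in
    constructed log lines of the form '<timestamp> <client> <method> <url>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip it rather than abort the scan
        host = urlsplit(parts[3]).hostname or ""
        target = flattened_lookalike(host)
        if target:
            hits.append((host, target))
    return hits

# Constructed sample proxy log lines (not taken from the report).
SAMPLE_LOG = [
    "2020-07-14T09:12:01Z 10.0.0.5 POST https://mail-tsinghua-edu-cn.netlify.app/login.php",
    "2020-07-14T09:12:03Z 10.0.0.5 GET https://mail.tsinghua.edu.cn/",
    "2020-07-14T09:15:44Z 10.0.0.9 GET https://docs.netlify.app/",
    "2020-07-14T09:16:10Z 10.0.0.9 POST https://mail-163-com.000webhostapp.com/auth",
]
```

Calling `scan_proxy_log(SAMPLE_LOG)` flags the two cloned-portal hosts and leaves the genuine mail.tsinghua.edu.cn request and the unrelated netlify.app site alone.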