bitter group

Bitter group launches cyber attack using Windows kernel zero-day (CVE-2021-1732)

Introduction

The Bitter group, also known as T--17, is suspected to be a state-sponsored hacking group that targets Saudi Arabia, China and Pakistan. Originally discovered by Forcepoint researchers, the group has been active since 2013, and its targets include the energy, research, engineering and government sectors.

The group primarily uses malware such as ArtraDownloader and BitterRAT, together with techniques such as spear-phishing emails, to attack targeted users, exploiting known vulnerabilities to load remote access Trojans (RATs).

Recently, Chinese researchers discovered that the Bitter group is actively exploiting a vulnerability in the Windows 10 64-bit operating system. The vulnerability also affects the latest versions of Windows 10, such as Windows 10 20H2 64-bit. The Microsoft Security Response Center (MSRC) fixed the vulnerability, CVE-2021-1732, in the February 2021 security update.

When the exploit sample is run on the latest Windows 10 1909 64-bit environment, it first executes at the medium integrity level and, after the exploit, runs at the system integrity level. As shown below, the current process token has been replaced with a system process token, a common method of escalating privileges from the kernel.
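The behaviour described above (a medium-integrity process whose primary token is suddenly a SYSTEM token) is something a defender can hunt for without any knowledge of the exploit itself. The following is an added example, not code from the article or from the researchers it cites: it compares the user each process was created as (as a Sysmon Event ID 1 or Security 4688 record would show) with the user of its current token, and flags processes that were born as a normal user but now hold a SYSTEM token, noting whether their integrity level also climbed above their parent's. The process snapshot, image names and user names are constructed for the example; on a real host these fields would come from an EDR process-tree export or event-log feed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Windows integrity levels ordered low -> high; the rank values are just for comparison.
INTEGRITY_RANK: Dict[str, int] = {"Low": 0, "Medium": 1, "High": 2, "System": 3}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    created_as: str   # user recorded at process creation (Sysmon Event ID 1 / Security 4688)
    token_user: str   # user of the process's *current* primary token (live snapshot)
    integrity: str    # current token integrity level


def detect_token_swaps(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for processes that now hold a SYSTEM token
    although they were created as a non-SYSTEM user.

    Processes that were SYSTEM from creation (services, kernel children) are
    ignored, so ordinary service start-up does not fire; a UAC elevation keeps
    the same user and therefore does not fire either.
    """
    by_pid = {p.pid: p for p in procs}
    findings: List[Tuple[int, str]] = []
    for p in procs:
        if p.token_user != SYSTEM_USER or p.created_as == SYSTEM_USER:
            continue
        reasons = [f"token user changed {p.created_as} -> {p.token_user}"]
        parent = by_pid.get(p.ppid)
        if parent is not None and INTEGRITY_RANK[p.integrity] > INTEGRITY_RANK[parent.integrity]:
            reasons.append(
                f"integrity {parent.integrity} (parent {parent.image}) -> {p.integrity}"
            )
        findings.append((p.pid, "; ".join(reasons)))
    return findings


# Constructed snapshot: pid 3400 models the article's observation (a user process whose
# token became SYSTEM); pid 2200 models a legitimate UAC elevation (same user, High IL).
SNAPSHOT: List[Proc] = [
    Proc(4, 0, "System", SYSTEM_USER, SYSTEM_USER, "System"),
    Proc(600, 4, "services.exe", SYSTEM_USER, SYSTEM_USER, "System"),
    Proc(1200, 900, "explorer.exe", "DESKTOP\\alice", "DESKTOP\\alice", "Medium"),
    Proc(2200, 1200, "cmd.exe", "DESKTOP\\alice", "DESKTOP\\alice", "High"),
    Proc(3400, 1200, "poc.exe", "DESKTOP\\alice", SYSTEM_USER, "System"),
    Proc(3500, 1200, "notepad.exe", "DESKTOP\\alice", "DESKTOP\\alice", "Medium"),
]


if __name__ == "__main__":
    for pid, reason in detect_token_swaps(SNAPSHOT):
        print(f"pid {pid}: {reason}")
```

The creation-time user is the important field: a live snapshot alone shows pid 3400 as a SYSTEM process, which on its own is unremarkable, and only the comparison with what the process was created as exposes the swap. The parent-integrity check is secondary evidence and is reported with the finding rather than used as a filter, because a token-stealing process may keep a SYSTEM parent if it was launched from an already elevated context.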

Figure: bitter cve-2021-1732 (exploit sample running with a system token)

This vulnerability, CVE-2021-1732, is a high-risk kernel-level privilege escalation vulnerability in win32kfull.sys, and the exploit payload is sophisticated. It demonstrates the advanced capabilities of the APT team and highlights the strong vulnerability research and exploitation skills of the hackers.

IOCs

IP addresses:

82.221.136.27
27.136.221.82

MD5:

3f45d49bdb6afceb670978cf98f5c2be
25a16b0fca9acd71450e02a341064c8d

SHA-1:

81f6de303c0e9279744bb1a00e70ea62428bf28e
826334eb7990950f7e154d2494cc12437723aad2

SHA-256:

7b64a739836c6b436c179eac37c446fee5ba5abc6c96206cf8e454744a0cd5f2
26b3c9a5077232c1bbb5c5b4fc5513e3e0b54a735c32ae90a6d6c1e1d7e4cc0f
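The list above mixes indicator types, and the usual first step in a SOC is to classify them before matching, since IPs live in proxy and firewall logs while file hashes live in EDR or AV telemetry, often in upper case. The following is an added example, not code from the article: it parses the article's IOC list, classifies each indicator by form (IPv4 address, or MD5/SHA-1/SHA-256 by hex length), and scans a set of log lines for any of them, normalising case so that an upper-case SHA-256 in a file-hash report still matches. The log lines are constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Indicators copied verbatim from the article's IOC list.
IOC_TEXT = """
82.221.136.27
27.136.221.82
3f45d49bdb6afceb670978cf98f5c2be
25a16b0fca9acd71450e02a341064c8d
81f6de303c0e9279744bb1a00e70ea62428bf28e
826334eb7990950f7e154d2494cc12437723aad2
7b64a739836c6b436c179eac37c446fee5ba5abc6c96206cf8e454744a0cd5f2
26b3c9a5077232c1bbb5c5b4fc5513e3e0b54a735c32ae90a6d6c1e1d7e4cc0f
"""

IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
HEX_RE = re.compile(r"^[0-9a-f]+$")
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}


def classify(indicator: str) -> str:
    """Return 'ipv4', 'md5', 'sha1', 'sha256' or 'unknown' for one indicator."""
    value = indicator.strip().lower()
    if IPV4_RE.match(value):
        return "ipv4"
    if HEX_RE.match(value) and len(value) in HASH_TYPES:
        return HASH_TYPES[len(value)]
    return "unknown"


def parse_iocs(text: str) -> Dict[str, Set[str]]:
    """Group indicators by type; values are lower-cased so matching is case-insensitive."""
    groups: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        value = line.strip().lower()
        if not value:
            continue
        groups.setdefault(classify(value), set()).add(value)
    return groups


# Tokens worth checking in a log line: IPv4 addresses and hex runs of hash length.
TOKEN_RE = re.compile(r"(?:\d{1,3}(?:\.\d{1,3}){3})|(?:\b[0-9a-fA-F]{32,64}\b)")


def scan_lines(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Return (line_number, ioc_type, value) for every indicator found in the lines."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(lines, start=1):
        for token in TOKEN_RE.findall(line):
            value = token.lower()
            kind = classify(value)
            if value in iocs.get(kind, set()):
                hits.append((lineno, kind, value))
    return hits


# Constructed log lines: a proxy record with a listed IP, an upper-case SHA-256 from a
# file-hash report, and a benign line that must not match.
SAMPLE_LOG = [
    "2021-02-15T10:01:07Z proxy CONNECT 82.221.136.27:443 user=alice bytes=5120",
    "2021-02-15T10:02:11Z av scan C:\\Users\\alice\\Downloads\\doc.exe sha256=7B64A739836C6B436C179EAC37C446FEE5BA5ABC6C96206CF8E454744A0CD5F2",
    "2021-02-15T10:03:45Z proxy GET 93.184.216.34:80 user=bob bytes=2048",
]


if __name__ == "__main__":
    for lineno, kind, value in scan_lines(SAMPLE_LOG, parse_iocs(IOC_TEXT)):
        print(f"line {lineno}: {kind} {value}")
```

A plain-IP match in proxy logs is worth a look but not a verdict on its own; a file-hash match is far higher confidence, which is why the output carries the indicator type so the triage queue can rank the two differently.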