The Bitter group, also known as T-APT-17, is suspected to be a state-sponsored hacking group that targets Saudi Arabia, China and Pakistan. Originally discovered by Forcepoint researchers, the group has been active since 2013 and its targets include energy, research institutions, engineering and government sectors.
The group primarily uses tools such as ArtraDownloader and BitterRAT, as well as techniques such as spear-phishing emails, to attack targeted users by exploiting known vulnerabilities to load remote access Trojans (RATs).
Recently, Chinese researchers discovered that the Bitter group is frantically exploiting a zero-day vulnerability in the Windows 10 64-bit operating system. This vulnerability also affects the latest versions of the Windows 10 operating system, such as Windows 10 20H2 64-bit. Microsoft Security Response Center (MSRC) has fixed the vulnerability CVE-2021-1732 in the February 2021 security update.
When the exploit example is run on the latest Windows 10 1909 64-bit environment, it first executes at the medium integrity level, and after the exploit, it runs at the system integrity level. As shown below, the current process token has been replaced with a system process token, a common method of escalating kernel privileges.
This zero-day vulnerability, CVE-2021-1732, is a kernel-level privilege escalation vulnerability in win32kfull.sys with a high risk and a sophisticated exploit payload. It demonstrates the advanced capabilities of the APT team and highlights the strong vulnerability skills of the hackers.