Indicator (IOC)
Essential information
- Value / Name
dd1c6d6276efba12eff01052033aa3a3717f3af9- Confidence
- 100/100
- Revoked
- Yes
- Valid from
- 06/07/2022 10:42
- Valid until
- 09/10/2023 10:42
- Pattern type
- yara
- Published
- 20/12/2025 19:34
- Modified
- 20/12/2025 21:32
- Author / Source
- AlienVault
Description
Detects Bitter (T-APT-17) shellcode in oleObject (CVE-2018-0798)
Pattern
rule APT_Bitter_Maldoc_Verify { meta:
description = "Detects Bitter (T-APT-17) shellcode in oleObject (CVE-2018-0798)"
author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
tlp = "WHITE"
reference = "https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh"
date = "2022-06-01"
hash0 = "0c7158f9fc2093caf5ea1e34d8b8fffce0780ffd25191fac9c9b52c3208bc450"
hash1 = "bd0d25194634b2c74188cfa3be6668590e564e6fe26a6fe3335f95cbc943ce1d"
hash2 = "3992d5a725126952f61b27d43bd4e03afa5fa4a694dca7cf8bbf555448795cd6" strings:
// This rule is meant to be used for verification of a Bitter Maldoc
// rather than a hunting rule since the oleObject it is matching is
// compressed in the doc zip $xor_string0 = "LoadLibraryA" xor
$xor_string1 = "urlmon.dll" xor
$xor_string2 = "Shell32.dll" xor
$xor_string3 = "ShellExecuteA" xor
$xor_string4 = "MoveFileA" xor
$xor_string5 = "CreateDirectoryA" xor
$xor_string6 = "C:\\Windows\\explorer" xor
$padding = {000001128341000001128341000001128342000001128342} condition:
3 of ($xor_string*)
and $padding
}
Labels / Tags
Marking (TLP)
TLP:CLEAR
Related entities
No linked attack reports or intrusion sets yet.