#1275987: Pat Bear (APT-C-37): Continued to expose attacks on an armed organization

BRI comment: Translate from Chinese
Description: Since October 2015, the Pat Bear Organization (APT-C-37) has launched an organized, planned, and targeted long-term uninterrupted attack against an armed organization. Its attack platform is Windows and Android. Up to now, 360 Beaconlab has captured 32 Android platform attack samples, 13 Windows platform attack samples, and 7 C&C domain names.

Due to its own political and religious issues, an armed organization has become the target of many hackers and countries. In March 2017, an armed group, the Amaq Media Channel, issued a warning message reminding visitors that the site has been infiltrated, and anyone who visits the site will be asked to download a virus file that pretends to be a Flash installer. From the news, we determined that an armed organization is the target of the action, and its load delivery method includes at least a puddle attack.

Through analysis, we found that a major C&C used by the racquet bear organization is located in a certain country in the Middle East, and the C&C used by the golden rat organization [1] of the same period belongs to the same network segment. Further analysis and comparison, the two organizations have strong correlation, and both contain their own unique RAT.

Since the target of the patted bear organization is aimed at an armed organization that supports dual-platform attacks, there has been only one unique animal in the Middle East with a soldier certificate in history, combining some other characteristics of the organization and 360 pairs of APT. The organization's naming rules, we named the organization a role name in the DOTA game - pat the bear.

Second, the load delivery
The way of patted bear tissue load delivery is mainly puddle attack.

Puddle attack

Al Swarm News Agency website (see Figure 2.1) is a media website belonging to an armed organization. For the same reason, it has also suffered various attacks from all over the world. It has changed several domain names and the website has been offline. In addition to the puddle attack on the Amaq media website mentioned above, we found that Al Swarm News Agency was also used by the organization for puddle attacks.

The puddle attack mode is to replace the normal APP of the Al Swarm station with a malicious APP inserted into the RAT. The RAT specific download link and the link corresponding file MD5 are shown in Table 1.

Malicious download link https://sawarim.net/apps/Sawarim.apk
Domain name status Invalid
Download APK file MD5 Bb2d1238c8418cde13128e91f1a77ae7
Table 1 Android RAT program specific download link and link corresponding file MD5

In addition to the above two puddle attacks against an armed organization's news media website, we also found that some other historical puddle attacks used by the organization are shown in Table 2, including the specific download links and links for Android and Windows RAT programs. Corresponding file MD5.

Third, the way of induction
The patted bear organization mainly uses the following two induction methods in this operation:

Camouflage with normal APP function

In order to be better evasive, in addition to camouflage the file icon, the RAT is also inserted into the normal APP, such as an app called "زوجات الرسول", which displays the normal interface after running. However, when the specified broadcast is received, espionage occurs in the background.

Fourth, RAT attack sample analysis
Up to now, the bat shooting organization has used several different RATs for Android and Windows.


There are three RATs used in the Android side. Two of them (DroidJack and SpyNote) are more frequently used commercial RATs. They have been spread on multiple hacking forums and have been detected and exposed by many security companies. And we think that it was developed specifically for this attack, we are named SSLove, which only appeared in the event and has been updated in several versions.


Droidjack is an extremely popular RAT with its own official website, powerful and convenient management tools. The organization uses Droidjack in addition to direct use; it will also be inserted into the normal APP to hide, interestingly, SSLove will also be inserted into the app, which means that the app will have two RATs at the same time.
More info: http://blogs.360.cn/post/analysis-of-apt-c-37.html

Date added Sept. 11, 2019, 6:51 p.m.
Source 360.cn
  • All New Malware or Attack Alerts - New Reports / IOCs in
  • APT-C-37 / Pat Bear
  • . APTs - Advanced Persistent Threats - New Reports in
  • Backdoors, Trojans and RAT's
  • General Malware - New Reports in
  • Industrial / Political Espionage Alerts
  • NjRAT / Bladabindi / njRAT Lime Edition