Bert

Malware

⚠️ Overview

Bert is a remote access trojan (RAT) first documented in December 2019 by Trend Micro and attributed to the Chinese-speaking threat group RedDelta (also tracked as TA416 and overlapping with the Mustang Panda cluster). It is used primarily for cyber-espionage against government and defense organizations in Southeast Asia, South Asia, and Europe.

🔧 Technical Capabilities

Bert is delivered by spear-phishing emails carrying Microsoft Office documents whose VBA macros download a DLL loader. The payload persists through a registry Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and talks to its command-and-control (C2) servers over HTTP, obfuscating message bodies with a custom repeating-key XOR pass followed by Base64 encoding. Note that this is obfuscation rather than encryption: a repeating XOR key can be recovered from any predictable plaintext in a captured beacon. To evade analysis the RAT checks for sandbox environments (system uptime and disk size) and uses DLL sideloading to run under the name of legitimate software (e.g., acmclass.dll sideloaded alongside Adobe Reader). Once running it can execute remote commands, upload and download files, log keystrokes, capture screenshots, and enumerate drives and network shares, and it keeps a low profile with sleep timers and anti-debugging checks.
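The XOR-then-Base64 scheme described above, as an added example written for this page (it is not code from Trend Micro's report or from the malware). The key, the "BERT|" beacon header and the beacon contents are assumptions for illustration; the page publishes neither the operators' key nor the message layout. The recover_key function shows the practitioner's point: with a predictable header or hostname at the start of a beacon, the repeating key falls out of one captured message.

```python
import base64
from itertools import cycle

# Hypothetical key: the page does not publish the operators' XOR key.
ASSUMED_KEY = b"Bert2020"

# Constructed beacon body in a hypothetical "BERT|" header format; the real
# message layout is not described on the page.
SAMPLE_BEACON = b"BERT|host=DESKTOP-01|user=alice|cmd=dir"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_beacon(plaintext: bytes, key: bytes = ASSUMED_KEY) -> str:
    """XOR then Base64, the order the page describes for C2 message bodies."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def decode_beacon(body: str, key: bytes = ASSUMED_KEY) -> bytes:
    """Reverse of encode_beacon; strict Base64 so junk bodies raise instead
    of decoding silently."""
    return xor_bytes(base64.b64decode(body, validate=True), key)


def recover_key(body: str, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext attack on the scheme: if the first key_len bytes of a
    beacon are predictable (a fixed header, a hostname already known from the
    victim), XORing them against the raw bytes yields the key. This is why
    repeating-key XOR is obfuscation, not encryption."""
    raw = base64.b64decode(body, validate=True)
    if len(known_prefix) < key_len or len(raw) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and known plaintext")
    return xor_bytes(raw[:key_len], known_prefix[:key_len])


if __name__ == "__main__":
    wire = encode_beacon(SAMPLE_BEACON)
    print("on the wire:", wire)
    print("decoded    :", decode_beacon(wire))
    print("key from known header:", recover_key(wire, b"BERT|host=", len(ASSUMED_KEY)))
```

When triaging a real capture, the known prefix usually comes from the victim side (hostname, username, a fixed command token seen in the binary's strings); once the key is recovered, every beacon from that implant decodes with decode_beacon.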

📜 History & Notable Incidents

First observed in late 2019, Bert was notably used in 2020 campaigns by RedDelta against Myanmar government entities and a Pakistani telecommunications firm, with Trend Micro linking it to the Tropic Trooper operation (MITRE ATT&CK group G0081). A 2021 report by Unit 42 detailed Bert's evolution to include .NET variants and exploitation of CVE-2017-11882 (Microsoft Equation Editor) for initial access, but no major law enforcement actions have been taken against the group.

🔍 Detection Indicators

The file hashes circulated for the Trend Micro sample should not be loaded into blocklists as given: the quoted SHA256 (e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855) is the digest of zero-length input and would match every empty file, and the quoted MD5 (8a1c9b2d3e4f5a6b7c8d9e0f1a2b3c4d) is a synthetic ascending-nibble pattern rather than a sample digest. Behavioral indicators are more useful: creation of the mutex "BertMutex_2020", a BertConfig key under HKCU\Software, and outbound HTTP POST requests to addresses in the 45.77.0.0/16 range carrying the User-Agent "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36". That User-Agent is a stock Chrome 79 string and is not suspicious on its own; treat it as a signal only in combination with the POST method and the destination range.
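An added triage script for the indicators above (not from Trend Micro or Boteraser) that first checks whether the published SHA256 is the empty-input digest, then runs the combined POST + destination-range + User-Agent match over a constructed, tab-separated proxy log. The log format and all sample entries are assumptions made for the example; the IP range, hash and User-Agent string are the values quoted on this page.

```python
import hashlib
import ipaddress
from urllib.parse import urlsplit

# Indicators as quoted on this page.
QUOTED_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
C2_RANGE = ipaddress.ip_network("45.77.0.0/16")
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36")


def is_empty_input_hash(sha256_hex: str) -> bool:
    """True if the value is the SHA-256 of zero-length input, i.e. not a sample hash."""
    return sha256_hex.lower() == hashlib.sha256(b"").hexdigest()


def parse_proxy_line(line: str) -> dict:
    """Parse one constructed tab-separated proxy log line:
    timestamp, client IP, method, URL, status, user agent."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        raise ValueError(f"unexpected field count: {len(fields)}")
    ts, client, method, url, status, ua = fields
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "user_agent": ua}


def destination_in_range(url: str, network=C2_RANGE) -> bool:
    """True when the URL's host is a literal IP inside the watched range.
    Hostnames are not resolved (the script runs offline), so they never match."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        return ipaddress.ip_address(host) in network
    except ValueError:
        return False


def flag_beacons(lines):
    """Return entries matching all three conditions: HTTP POST, destination in
    the range, and the exact User-Agent. Matching the UA alone would be noisy
    because it is a stock Chrome 79 string."""
    hits = []
    for line in lines:
        entry = parse_proxy_line(line)
        if (entry["method"] == "POST" and entry["user_agent"] == C2_USER_AGENT
                and destination_in_range(entry["url"])):
            hits.append(entry)
    return hits


# Constructed sample log: only the first entry should be flagged.
SAMPLE_LOG = [
    "\t".join(["2020-03-04T10:00:00Z", "10.0.0.5", "POST", "http://45.77.12.34/upload", "200", C2_USER_AGENT]),
    "\t".join(["2020-03-04T10:00:05Z", "10.0.0.5", "GET", "http://45.77.12.34/index.html", "200", C2_USER_AGENT]),
    "\t".join(["2020-03-04T10:01:00Z", "10.0.0.7", "POST", "http://93.184.216.34/api", "200", C2_USER_AGENT]),
    "\t".join(["2020-03-04T10:02:00Z", "10.0.0.9", "POST", "http://45.77.200.1/upload", "200", "curl/7.68.0"]),
    "\t".join(["2020-03-04T10:03:00Z", "10.0.0.5", "POST", "https://example.org/login", "302", C2_USER_AGENT]),
]

if __name__ == "__main__":
    print("quoted SHA256 is the empty-input digest:", is_empty_input_hash(QUOTED_SHA256))
    for hit in flag_beacons(SAMPLE_LOG):
        print("possible beacon:", hit["client"], "->", hit["url"])
```

Keep the three conditions together in production rules as well; a rule keyed on the User-Agent or on the /16 alone will page on ordinary browsing and on unrelated tenants of the same hosting range.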

☠️ Risk & Impact

Bert is used to exfiltrate sensitive documents, intellectual property, and login credentials from government and military networks, so its impact is strategic intelligence loss rather than direct financial theft. Affected sectors include defense, telecommunications, and energy; financial impact is rarely disclosed, and the cost is dominated by compromised national-security assets and the subsequent remediation effort.

🛡️ Mitigation

Defenders should disable macro execution in Office (or restrict it to signed macros), apply the patch for CVE-2017-11882, deploy endpoint detection and response (EDR) rules for registry Run key modifications (ATT&CK T1547.001) and for DLL sideloading of acmclass.dll (T1574.002), and monitor or block traffic to the 45.77.0.0/16 range. Blocking an entire /16 of hosting space is blunt and will also cut off unrelated services, so block the specific C2 addresses from the report and alert on the wider range instead. Trend Micro's report (trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/bert-rat-targets-myanmar) and MITRE ATT&CK technique T1059.005 (Visual Basic) provide additional guidance.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.