Bitter APT Resumes Operations with Newly Identified Indicators
- Threat Group: Bitter APT (also known as APT-17 or "DeputyDog")
- Threat Type: Cyber Espionage
- Exploited Vulnerabilities: Microsoft Office vulnerabilities (e.g., CVE-2017-11882, CVE-2018-0798, CVE-2018-0802), Zimbra Web Client vulnerabilities
- Malware Used: ZxxZ Trojan, Dracarys Android spyware, various custom Remote Access Trojans (RATs), keyloggers, and backdoors
- Threat Score: High (8.5/10), due to advanced evasion and information-theft techniques targeting critical infrastructure and government agencies
- Last Threat Observation: November 2024
Overview
Bitter APT, believed to be state-sponsored and originating from China, has been actively engaging in cyber espionage since 2012. The group has historically focused on aerospace, defense, and technology sectors, primarily in countries such as Pakistan, China, and Saudi Arabia, with recent expansions into Bangladesh. Known for utilizing complex, multi-stage malware and evasion techniques, Bitter APT leverages spear-phishing campaigns to gain initial access to targeted systems, often using tools like PowerShell and curl for execution.
Key Details
- Delivery Method: Spear-phishing emails with malicious attachments exploiting known vulnerabilities
- Target: Government entities, defense sectors, technology, and engineering organizations
- Functions:
  - Remote code execution
  - Data exfiltration
  - Credential harvesting
  - Keylogging
  - Surveillance via mobile and desktop malware
- Obfuscation: Encrypted communications, use of legitimate and third-party tools, code signing, and evasive techniques such as using PowerShell and curl instead of msiexec.
Attack Vectors
Bitter APT primarily uses spear-phishing emails containing malicious attachments (e.g., RTF documents, Excel spreadsheets) that exploit vulnerabilities in Microsoft Office and the Zimbra Web Client. The malware typically deployed includes custom Remote Access Trojans (RATs), keyloggers, and backdoors, allowing the attackers to perform extensive data collection. Additionally, the group has used Android spyware distributed through social media platforms, targeting mobile devices.
Known Indicators of Compromise (IoCs)
File Hashes (MD5):
c5de8edeaadc6495999bcb174a58592e
23a8ce358b16128f1ca291a284c0f6ef
34104f2ee58f629d7222cce339a24db5
410ef267cd56b74c6a7578947efb3b66
File Hashes (SHA-256):
561ace43f77de135d5b3286bd2ef270b185d0abdba15d442551211068f8bbf11
9cf4ec9a4953a8bfb75bbc84ae00f8d297aac634ad17984e30abbb476f4c6c0d
File Hashes (SHA1):
c2369bb1cd60242b72beebb810adf6395d4b3b5b
1c00d8b5ac95a84e04e2f1a0e1cecc5f4691c97c
Domains:
aroundtheworld123[.]net
healthnewsone[.]com
newmysticvision[.]com
wbfashionshow[.]com
URLs:
hxxp://aroundtheworld123[.]net/healthne/healthne/regdl
hxxp://aroundtheworld123[.]net/healthne/healthne/igfxsrvk
hxxp://aroundtheworld123[.]net/healthne/healthne/spoolvs
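The indicators above are published defanged (`hxxp`, `[.]`), so they cannot be matched against logs as-is. The following script is an added example, not part of the advisory or any vendor tooling: it refangs the listed domains and URLs, then scans a constructed proxy log and a constructed file-hash inventory for hits. The log format (`timestamp client method url status`), the file paths and the non-matching sample values are assumptions for the demonstration; the indicator values themselves are copied from the list above.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the advisory, exactly as published (defanged).
IOC_DOMAINS = [
    "aroundtheworld123[.]net",
    "healthnewsone[.]com",
    "newmysticvision[.]com",
    "wbfashionshow[.]com",
]
IOC_URLS = [
    "hxxp://aroundtheworld123[.]net/healthne/healthne/regdl",
    "hxxp://aroundtheworld123[.]net/healthne/healthne/igfxsrvk",
    "hxxp://aroundtheworld123[.]net/healthne/healthne/spoolvs",
]
# MD5, SHA-256 and SHA-1 values from the advisory, pooled: a match on any algorithm is a hit.
IOC_HASHES = {
    "c5de8edeaadc6495999bcb174a58592e",
    "23a8ce358b16128f1ca291a284c0f6ef",
    "34104f2ee58f629d7222cce339a24db5",
    "410ef267cd56b74c6a7578947efb3b66",
    "561ace43f77de135d5b3286bd2ef270b185d0abdba15d442551211068f8bbf11",
    "9cf4ec9a4953a8bfb75bbc84ae00f8d297aac634ad17984e30abbb476f4c6c0d",
    "c2369bb1cd60242b72beebb810adf6395d4b3b5b",
    "1c00d8b5ac95a84e04e2f1a0e1cecc5f4691c97c",
}


def refang(indicator: str) -> str:
    """Undo common defanging conventions (hxxp, [.], (.), [dot]) and lower-case the result."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return s.lower()


DOMAINS = {refang(d) for d in IOC_DOMAINS}
URLS = {refang(u) for u in IOC_URLS}
HASHES = {h.lower() for h in IOC_HASHES}


def host_matches(host: str, domains: set) -> bool:
    """True for an exact domain or a proper subdomain; a bare suffix (notexample.com) is not a hit."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_proxy_log(text: str) -> list:
    """Scan 'timestamp client method url status' lines; return (line_no, client, url, reason) hits."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or empty line
        client, url = parts[1], parts[3]
        host = urlsplit(url).hostname or ""
        if url.lower() in URLS:
            hits.append((n, client, url, "url"))
        elif host_matches(host, DOMAINS):
            hits.append((n, client, url, "domain"))
    return hits


def scan_hashes(inventory) -> list:
    """inventory: iterable of (path, hexdigest); hash case and algorithm length do not matter."""
    return [(path, h.strip().lower()) for path, h in inventory if h.strip().lower() in HASHES]


# Constructed sample data (not real telemetry): one URL hit, one subdomain hit,
# one look-alike suffix that must NOT match, and one benign request.
PROXY_LOG = """\
2024-11-05T10:12:01Z 10.0.0.5 GET http://aroundtheworld123.net/healthne/healthne/regdl 200
2024-11-05T10:12:03Z 10.0.0.5 GET https://cdn.example.org/update.bin 200
2024-11-05T10:13:44Z 10.0.0.9 GET http://mail.healthnewsone.com/login 302
2024-11-05T10:15:00Z 10.0.0.7 GET http://nothealthnewsone.com/ 200
"""
FILE_HASHES = [
    ("C:\\Temp\\sample1.bin", "C5DE8EDEAADC6495999BCB174A58592E"),   # upper-case MD5 from the list
    ("C:\\Temp\\sample2.bin", "d41d8cd98f00b204e9800998ecf8427e"),   # MD5 of empty input, benign
]

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print("network hit:", hit)
    for hit in scan_hashes(FILE_HASHES):
        print("file hit:", hit)
```

The dot-boundary check in `host_matches` is the part worth copying: a naive `endswith("healthnewsone.com")` would flag `nothealthnewsone.com` and generate false positives. When run, the sample data yields a `url` hit on line 1, a `domain` hit on line 3 and a single file-hash hit on `sample1.bin`.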
Mitigation and Prevention
- User Awareness: Conduct training to recognize phishing attempts, particularly those with email attachments from unknown sources.
- Email Filtering: Deploy advanced email filtering to block spear-phishing attempts.
- Antivirus Protection: Ensure antivirus and anti-malware are updated across systems.
- Two-Factor Authentication (2FA): Enforce 2FA for accessing sensitive systems.
- Monitor Logs: Regularly review system and network logs for unusual activity.
- Patch Management: Promptly apply patches to known vulnerabilities and implement a robust patch management policy.
- Network & System Hardening: Implement security hardening on network and systems, and conduct regular vulnerability testing on deployed code.
- Cyber Hygiene: Maintain multi-layered defenses and regularly update antivirus definitions to secure assets.
Podcast Discussion
Listen to our latest podcast episode, where we discuss Bitter APT, its implications, and best practices to stay secure against similar threats.
Conclusion
Bitter APT remains a sophisticated and persistent threat, leveraging advanced evasion tactics and targeting critical sectors in South Asia and beyond. Organizations within these sectors should prioritize security measures, including robust phishing defenses, multi-factor authentication, and timely patching, to mitigate the risks posed by this group.
Sources:
- Rewterz – "Bitter APT – Active IOCs"
- Cisco Talos Blog – "Bitter APT adds Bangladesh to their targets"
- MITRE ATT&CK – "BITTER, T-APT-17, Group G1002"