Follow on X RSS Feed
News

Bitter APT Resumes Operations with Newly Identified Indicators

Cybersec Sentinel

2 min read
Bitter APT Resumes Operations with Newly Identified Indicators

Threat Group: - Bitter APT (also known as APT-17 or "DeputyDog")
Threat Type: - Cyber Espionage
Exploited Vulnerabilities: - Microsoft Office vulnerabilities (e.g., CVE-2017-11882, CVE-2018-0798, CVE-2018-0802), Zimbra Web Client vulnerabilities
Malware Used: - ZxxZ Trojan, Dracarys Android spyware, various custom Remote Access Trojans (RATs), keyloggers, and backdoors
Threat Score: - High (8.5/10) — Due to advanced techniques in evasion and information theft targeting critical infrastructure and government agencies
Last Threat Observation: - November , 2024.

Overview

Bitter APT, believed to be state-sponsored and originating from China, has been actively engaging in cyber espionage since 2012. The group has historically focused on aerospace, defense, and technology sectors, primarily in countries such as Pakistan, China, and Saudi Arabia, with recent expansions into Bangladesh. Known for utilizing complex, multi-stage malware and evasion techniques, Bitter APT leverages spear-phishing campaigns to gain initial access to targeted systems, often using tools like PowerShell and curl for execution.

Key Details

  • Delivery Method: Spear-phishing emails with malicious attachments exploiting known vulnerabilities
  • Target: Government entities, defense sectors, technology, and engineering organizations
  • Functions:
    • Remote code execution
    • Data exfiltration
    • Credential harvesting
    • Keylogging
    • Surveillance via mobile and desktop malware
  • Obfuscation: Encrypted communications, use of legitimate and third-party tools, code signing, and evasive techniques such as using PowerShell and curl instead of msiexec.

Attack Vectors

Bitter APT primarily uses spear-phishing emails containing malicious attachments (e.g., RTF documents, Excel spreadsheets) that exploit vulnerabilities in Microsoft Office and the Zimbra Web Client. The malware typically deployed includes custom Remote Access Trojans (RATs), keyloggers, and backdoors, allowing the attackers to perform extensive data collection. Additionally, the group has used Android spyware distributed through social media platforms, targeting mobile devices.

Known Indicators of Compromise (IoCs)

File Hashes (MD5):

  • c5de8edeaadc6495999bcb174a58592e
  • 23a8ce358b16128f1ca291a284c0f6ef
  • 34104f2ee58f629d7222cce339a24db5
  • 410ef267cd56b74c6a7578947efb3b66

File Hashes (SHA-256):

  • 561ace43f77de135d5b3286bd2ef270b185d0abdba15d442551211068f8bbf11
  • 9cf4ec9a4953a8bfb75bbc84ae00f8d297aac634ad17984e30abbb476f4c6c0d

File Hashes (SHA1):

  • c2369bb1cd60242b72beebb810adf6395d4b3b5b
  • 1c00d8b5ac95a84e04e2f1a0e1cecc5f4691c97c

Domains:

  • aroundtheworld123[.]net
  • healthnewsone[.]com
  • newmysticvision[.]com
  • wbfashionshow[.]com

URLs:

  • hxxp://aroundtheworld123[.]net/healthne/healthne/regdl
  • hxxp://aroundtheworld123[.]net/healthne/healthne/igfxsrvk
  • hxxp://aroundtheworld123[.]net/healthne/healthne/spoolvs

Mitigation and Prevention

  1. User Awareness: Conduct training to recognize phishing attempts, particularly those with email attachments from unknown sources.
  2. Email Filtering: Deploy advanced email filtering to block spear-phishing attempts.
  3. Antivirus Protection: Ensure antivirus and anti-malware are updated across systems.
  4. Two-Factor Authentication (2FA): Enforce 2FA for accessing sensitive systems.
  5. Monitor Logs: Regularly review system and network logs for unusual activity.
  6. Patch Management: Promptly apply patches to known vulnerabilities and implement a robust patch management policy.
  7. Network & System Hardening: Implement security hardening on network and systems, and conduct regular vulnerability testing on deployed code.
  8. Cyber Hygiene: Maintain multi-layered defenses and regularly update antivirus definitions to secure assets.

Podcast Discussion

Listen to our latest podcast episode, where we discuss Bitter APT, its implications, and best practices to stay secure against similar threats.

[Insert Podcast Link Here]

Conclusion

Bitter APT remains a sophisticated and persistent threat, leveraging advanced evasion tactics and targeting critical sectors in South Asia and beyond. Organizations within these sectors should prioritize security measures, including robust phishing defenses, multi-factor authentication, and timely patching, to mitigate the risks posed by this group.

Sources: