Rewterz Threat Alert – Bitter APT Targets Organizations in South Asia

Severity

High

Analysis Summary

BITTER APT is a threat actor organization suspected of having a South Asian background. This organization has long been conducting attacks against China, Pakistan and other countries, mainly targeting government, military industry, electric power, nuclear energy and other units to conduct targeted attacks to steal sensitive information. It is also tracked as APT-C-08. Recently, targeted attacks on domestic, government organizations and enterprises have been detected, originated by this APT group. The captured samples are SFX files disguised as decoys related to the shipbuilding industry. After running, the decoy PDF will be displayed to the victim, in order to trick them, at the same time malware will be executed in the background to carry out secret theft activities. In this round of attacks, the attack methods of this APT group have not changed much, and they still use the C2 server for communication, that was previously attributed to them. At the same time, the plug-in modules distributed by the C2 server are basically the same as in previous attacks.

Impact

• Credential Theft
• Unauthorized Code Execution
• Remote Control
• Data Manipulation
• Information Theft

Indicators of Compromise

Domain Name

• pichostfrm[.]net

MD5

• f6b250aff0e2f5b592a6753c4fdb4475
• f4daf0eccf9972bdefb79fbf9f7fb6ee
• a39aa2ecbbb50c97727503e23ce7b8c6
• 99dd93a189fd734fb00246a7a37014d3
• 806626d6e7a283efffb53b3831d53346
• 660a678cd7202475cf0d2c48b4b52bab
• 25a16b0fca9acd71450e02a341064c8d
• 1475df569f8a31e49a659c6d9764ae93

SHA-256

• 08fdd8642b657afe39b6023efb85ed3c9c7c349c75e68d2424417fe40e36d22e
• 78b16177d8c5b2e06622688a9196ce7452ca1b25a350daae8c4f12c2e415065c
• c42865e79497dbba80cfd806e0d3dc58769212fca2f9e82620029503b6ef7d8a
• b2d7336f382a22d5fb6899fc2bd87c7cd401451ecd6af8ccb9ea7dbbe62fc1b7
• 76494e3c71c44b3586f65e678c0d42b06c94396596159dacb9c3b65bd8edab66
• d957239ba4d314e47de9748e77a229f4f969f55b3fcf54a096e7971c7f1bab7d
• 26b3c9a5077232c1bbb5c5b4fc5513e3e0b54a735c32ae90a6d6c1e1d7e4cc0f
• 6cb0c0a2f89d1e82653d2b0dd1389007543616d11f0709ff194a4db2d36865f7

SHA1

• c663870d693af2ca04f8c8c5861c4b92b8cdd932
• c65a902b61e6158fa453b3bbdd81c57739383d63
• ccb1f082d2539ee9e2ba5f7a69d0d2fb26644f91
• 829785ea04587bb60003819c8919fed842216a83
• 820f205b40462d50bf1889410eb8b712256eab15
• a0c4ee924cd2a57e1b62b722c3b89a05ffc74663
• 826334eb7990950f7e154d2494cc12437723aad2
• 40f9a260eafd137b068a536053fe9db97114f348

Source IP

• 82[.]221[.]136[.]27
• 72[.]11[.]134[.]216
• 162[.]0[.]229[.]203

Remediation

• Block the threat indicators at their respective controls.
• Do not open links from untrusted emails or from unknown origin shared on social media.
• Do not click and execute email attachments from unknown sources.
• Maintain timely backup of important files.
• Upgrade products to patched versions against all known vulnerabilities.