
Rewterz Threat Alert – Bitter APT Targets Organizations in South Asia

December 15, 2020

Severity

High

Analysis Summary

BITTER APT is a threat actor suspected of having a South Asian background; it is also tracked as APT-C-08. The group has long conducted targeted attacks against China, Pakistan and other countries, mainly against government, military industry, electric power and nuclear energy organizations, in order to steal sensitive information. Recently, targeted attacks on domestic government organizations and enterprises attributed to this group have been detected. The captured samples are self-extracting (SFX) archives disguised as decoys related to the shipbuilding industry. When run, the decoy PDF is displayed to the victim to allay suspicion while the malware executes in the background to carry out covert data theft. In this round of attacks the group's methods have changed little: it still communicates with a C2 server previously attributed to it, and the plug-in modules distributed by that C2 server are essentially the same as in previous attacks.

Impact

  • Credential Theft
  • Unauthorized Code Execution
  • Remote Control
  • Data Manipulation
  • Information Theft

Indicators of Compromise

Domain Name

  • pichostfrm[.]net

MD5


SHA-256


SHA1


Source IP

  • 82[.]221[.]136[.]27
  • 72[.]11[.]134[.]216
  • 162[.]0[.]229[.]203

Remediation

  • Block the threat indicators at their respective controls.
  • Do not open links from untrusted emails, or links of unknown origin shared on social media.
  • Do not open or execute email attachments from unknown sources.
  • Maintain timely backup of important files.
  • Upgrade products to patched versions against all known vulnerabilities.
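As an added illustration of the first remediation item (matching the listed indicators at a control), and not part of the original advisory: a Python script that refangs the domain and source-IP indicators above and scans log lines for them, treating subdomains of a listed domain as hits. The proxy/DNS log lines and their field names are constructed for the example.

```python
import re
from ipaddress import ip_address

# Domain and IP indicators copied from the advisory above, in their defanged form.
DEFANGED_IOCS = ["pichostfrm[.]net", "82[.]221[.]136[.]27",
                 "72[.]11[.]134[.]216", "162[.]0[.]229[.]203"]

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")   # hostnames in a lowercased line
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")          # dotted-quad IPv4 literals

def refang(indicator):
    """Turn a defanged indicator ('[.]', 'hxxp') back into its usable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()

def build_ioc_sets(defanged):
    """Refang each indicator and sort it into a domain set or an IP set."""
    domains, ips = set(), set()
    for ioc in defanged:
        value = refang(ioc)
        try:
            ips.add(str(ip_address(value)))
        except ValueError:          # not an IP literal, so treat it as a domain
            domains.add(value)
    return domains, ips

def matches_in_line(line, domains, ips):
    """Indicators present in one log line; subdomains of a listed domain also count."""
    hits = set()
    for host in HOST_RE.findall(line.lower()):
        hits.update(d for d in domains if host == d or host.endswith("." + d))
    hits.update(ip for ip in IP_RE.findall(line) if ip in ips)
    return sorted(hits)

def scan_logs(lines, defanged=DEFANGED_IOCS):
    """Return (line_number, hits) for every line that touches an indicator."""
    domains, ips = build_ioc_sets(defanged)
    found = []
    for n, line in enumerate(lines, 1):
        hits = matches_in_line(line, domains, ips)
        if hits:
            found.append((n, hits))
    return found

# Constructed sample proxy/DNS log lines; not taken from the advisory.
SAMPLE_LOGS = [
    "2020-12-15T09:12:01Z proxy allow src=10.0.0.5 dst=82.221.136.27:443 host=cdn.pichostfrm.net",
    "2020-12-15T09:12:04Z dns query 10.0.0.5 -> example.com A",
    "2020-12-15T09:13:10Z proxy allow src=10.0.0.7 dst=162.0.229.203:80 host=update.example.org",
]
```

Calling `scan_logs(SAMPLE_LOGS)` flags lines 1 and 3; the hash indicators are better matched on file objects (EDR or file-integrity tooling) than on log text, so they are not included here.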