1. Home
  2. Groups
  3. BITTER

BITTER

BITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2013. BITTER has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.[1][2]

ID: G1002
Associated Groups: T-APT-17
Version: 1.1
Created: 01 June 2022
Last Modified: 11 April 2024
Version Permalink

Associated Group Descriptions

Name Description
T-APT-17

[1]
Enterprise Layer
download view
Mobile Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

BITTER has registered a variety of domains to host malicious payloads and for C2.[2]
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

BITTER has used HTTP POST requests for C2.[1][2]
Enterprise T1568 Dynamic Resolution

BITTER has used DDNS for C2 communications.[2]
Enterprise T1573 Encrypted Channel

BITTER has encrypted their C2 communications.[2]
Enterprise T1203 Exploitation for Client Execution

BITTER has exploited Microsoft Office vulnerabilities CVE-2012-0158, CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802.[1][2]
Enterprise T1068 Exploitation for Privilege Escalation

BITTER has exploited CVE-2021-1732 for privilege escalation.[3][4]
Enterprise T1105 Ingress Tool Transfer

BITTER has downloaded additional malware and tools onto a compromised host.[1][2]

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

BITTER has executed OLE objects using Microsoft Equation Editor to download and run malicious payloads.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

BITTER has disguised malware as a Windows Security update service.[1]
Enterprise T1095 Non-Application Layer Protocol

BITTER has used TCP for C2 communications.[2]
Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

BITTER has used a RAR SFX dropper to deliver malware.[2]
Enterprise T1588 .002 Obtain Capabilities: Tool

BITTER has obtained tools such as PuTTY for use in their operations.[2]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

BITTER has sent spearphishing emails with a malicious RTF document or Excel spreadsheet.[1][2]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

BITTER has used scheduled tasks for persistence and execution.[1]
Enterprise T1608 .001 Stage Capabilities: Upload Malware

BITTER has registered domains to stage payloads.[2]
Enterprise T1204 .002 User Execution: Malicious File

BITTER has attempted to lure victims into opening malicious attachments delivered via spearphishing.[1][2]
Mobile T1660 Phishing

BITTER has delivered malicious applications to victims via shortened URLs distributed through SMS, WhatsApp, and various social media platforms.[5]

Software

ID Name References Techniques
S1013 ZxxZ [1] Data from Local System, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Masquerading: Masquerade Task or Service, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Phishing: Spearphishing Attachment, Process Discovery, Query Registry, Scheduled Task/Job: Scheduled Task, Software Discovery: Security Software Discovery, System Information Discovery, System Owner/User Discovery, User Execution: Malicious File

References

  1. Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.
  2. Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.
  3. JinQuan, MaDongZe, TuXiaoYi, and LiHao. (2021, February 10). Windows kernel zero-day exploit (CVE-2021-1732) is used by BITTER APT in targeted attack. Retrieved June 1, 2022.
  1. Microsoft. (2018, February 9). Windows Win32k Elevation of Privilege Vulnerability CVE-2021-1732. Retrieved June 1, 2022.
  2. BlackBerry Research and Insights Team. (n.d.). Mobile Malware and APT Espionage. Retrieved March 1, 2024.