1. Home
  2. Groups
  3. BITTER

BITTER

BITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2013. BITTER has primarily targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.[1][2]

ID: G1002
Associated Groups: T-APT-17
Version: 1.0
Created: 01 June 2022
Last Modified: 01 June 2022
Version Permalink

Associated Group Descriptions

Name Description
T-APT-17

[1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

BITTER has registered a variety of domains to host malicious payloads and for C2.[2]
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

BITTER has used HTTP POST requests for C2.[1][2]
Enterprise T1568 Dynamic Resolution

BITTER has used DDNS for C2 communications.[2]
Enterprise T1573 Encrypted Channel

BITTER has encrypted their C2 communications.[2]
Enterprise T1203 Exploitation for Client Execution

BITTER has exploited Microsoft Office vulnerabilities CVE-2012-0158, CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802.[1][2]
Enterprise T1068 Exploitation for Privilege Escalation

BITTER has exploited CVE-2021-1732 for privilege escalation.[3][4]
Enterprise T1105 Ingress Tool Transfer

BITTER has downloaded additional malware and tools onto a compromised host.[1][2]

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

BITTER has executed OLE objects using Microsoft Equation Editor to download and run malicious payloads.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

BITTER has disguised malware as a Windows Security update service.[1]
Enterprise T1095 Non-Application Layer Protocol

BITTER has used TCP for C2 communications.[2]
Enterprise T1027 Obfuscated Files or Information

BITTER has used a RAR SFX dropper to deliver malware.[2]
Enterprise T1588 .002 Obtain Capabilities: Tool

BITTER has obtained tools such as PuTTY for use in their operations.[2]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

BITTER has sent spearphishing emails with a malicious RTF document or Excel spreadsheet.[1][2]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

BITTER has used scheduled tasks for persistence and execution.[1]
Enterprise T1608 .001 Stage Capabilities: Upload Malware

BITTER has registered domains to stage payloads.[2]
Enterprise T1204 .002 User Execution: Malicious File

BITTER has attempted to lure victims into opening malicious attachments delivered via spearphishing.[1][2]

Software

ID Name References Techniques
S1013 ZxxZ [1] Data from Local System, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Masquerading: Masquerade Task or Service, Native API, Obfuscated Files or Information, Phishing: Spearphishing Attachment, Process Discovery, Query Registry, Scheduled Task/Job: Scheduled Task, Software Discovery: Security Software Discovery, System Information Discovery, System Owner/User Discovery, User Execution: Malicious File

References

  1. Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.
  2. Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.
  1. JinQuan, MaDongZe, TuXiaoYi, and LiHao. (2021, February 10). Windows kernel zero-day exploit (CVE-2021-1732) is used by BITTER APT in targeted attack. Retrieved June 1, 2022.
  2. Microsoft. (2018, February 9). Windows Win32k Elevation of Privilege Vulnerability CVE-2021-1732. Retrieved June 1, 2022.