| Name | Description |
|---|---|
| T-APT-17 | |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | BITTER has disguised malware as a Windows Security update service.[1] |
| Enterprise | T1573 | Encrypted Channel | |
| Enterprise | T1568 | Dynamic Resolution | |
| Enterprise | T1203 | Exploitation for Client Execution | BITTER has exploited Microsoft Office vulnerabilities CVE-2012-0158, CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802.[1][2] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1608.001 | Stage Capabilities: Upload Malware | |
| Enterprise | T1068 | Exploitation for Privilege Escalation | BITTER has exploited CVE-2021-1732 for privilege escalation.[3][4] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | |
| Enterprise | T1204.002 | User Execution: Malicious File | BITTER has attempted to lure victims into opening malicious attachments delivered via spearphishing.[1][2] |
| Enterprise | T1583.001 | Acquire Infrastructure: Domains | BITTER has registered a variety of domains to host malicious payloads and for C2.[2] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | BITTER has obtained tools such as PuTTY for use in their operations.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | BITTER has downloaded additional malware and tools onto a compromised host.[1][2] |
| Enterprise | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | BITTER has executed OLE objects using Microsoft Equation Editor to download and run malicious payloads.[1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | BITTER has sent spearphishing emails with a malicious RTF document or Excel spreadsheet.[1][2] |
| Enterprise | T1095 | Non-Application Layer Protocol | |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | BITTER has used scheduled tasks for persistence and execution.[1] |
| Mobile | T1660 | Phishing | BITTER has delivered malicious applications to victims via shortened URLs distributed through SMS, WhatsApp, and various social media platforms.[5] |
| ID | Name | References | Techniques |
|---|---|---|---|
| S1013 | ZxxZ | [1] | Data from Local System, Masquerading: Masquerade Task or Service, Deobfuscate/Decode Files or Information, Native API, Query Registry, Obfuscated Files or Information: Encrypted/Encoded File, User Execution: Malicious File, System Information Discovery, System Owner/User Discovery, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Process Discovery, Phishing: Spearphishing Attachment, Scheduled Task/Job: Scheduled Task |