G1002 BITTER
BITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2013. BITTER has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.[2][1]
| Item | Value |
|---|---|
| ID | G1002 |
| Associated Names | T-APT-17 |
| Version | 1.1 |
| Created | 01 June 2022 |
| Last Modified | 11 April 2024 |
Associated Group Descriptions
| Name | Description |
|---|---|
| T-APT-17 | [2] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.001 | Domains | BITTER has registered a variety of domains to host malicious payloads and for C2.[1] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | BITTER has used HTTP POST requests for C2.[2][1] |
| enterprise | T1568 | Dynamic Resolution | BITTER has used DDNS for C2 communications.[1] |
| enterprise | T1573 | Encrypted Channel | BITTER has encrypted their C2 communications.[1] |
| enterprise | T1203 | Exploitation for Client Execution | BITTER has exploited Microsoft Office vulnerabilities CVE-2012-0158, CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802.[2][1] |
| enterprise | T1068 | Exploitation for Privilege Escalation | BITTER has exploited CVE-2021-1732 for privilege escalation.[3][4] |
| enterprise | T1105 | Ingress Tool Transfer | BITTER has downloaded additional malware and tools onto a compromised host.[2][1] |
| enterprise | T1559 | Inter-Process Communication | - |
| enterprise | T1559.002 | Dynamic Data Exchange | BITTER has executed OLE objects using Microsoft Equation Editor to download and run malicious payloads.[2] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | BITTER has disguised malware as a Windows Security update service.[2] |
| enterprise | T1095 | Non-Application Layer Protocol | BITTER has used TCP for C2 communications.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | BITTER has used a RAR SFX dropper to deliver malware.[1] |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | BITTER has obtained tools such as PuTTY for use in their operations.[1] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | BITTER has sent spearphishing emails with a malicious RTF document or Excel spreadsheet.[2][1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | BITTER has used scheduled tasks for persistence and execution.[2] |
| enterprise | T1608 | Stage Capabilities | - |
| enterprise | T1608.001 | Upload Malware | BITTER has registered domains to stage payloads.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | BITTER has attempted to lure victims into opening malicious attachments delivered via spearphishing.[2][1] |
| mobile | T1660 | Phishing | BITTER has delivered malicious applications to victims via shortened URLs distributed through SMS, WhatsApp, and various social media platforms.[5] |
References
1. Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.
2. Raghuprasad, C. (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.
3. JinQuan, MaDongZe, TuXiaoYi, and LiHao. (2021, February 10). Windows kernel zero-day exploit (CVE-2021-1732) is used by BITTER APT in targeted attack. Retrieved June 1, 2022.
4. Microsoft. (2018, February 9). Windows Win32k Elevation of Privilege Vulnerability CVE-2021-1732. Retrieved June 1, 2022.
5. BlackBerry Research and Insights Team. (n.d.). Mobile Malware and APT Espionage. Retrieved March 1, 2024.