G1002 BITTER
BITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2013. BITTER has primarily targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.[2][1]
| Item | Value |
|---|---|
| ID | G1002 |
| Associated Names | T-APT-17 |
| Version | 1.0 |
| Created | 01 June 2022 |
| Last Modified | 01 June 2022 |
Associated Group Descriptions
| Name | Description |
|---|---|
| T-APT-17 | [2] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.001 | Domains | BITTER has registered a variety of domains to host malicious payloads and for C2.[1] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | BITTER has used HTTP POST requests for C2.[2][1] |
| enterprise | T1568 | Dynamic Resolution | BITTER has used DDNS for C2 communications.[1] |
| enterprise | T1573 | Encrypted Channel | BITTER has encrypted their C2 communications.[1] |
| enterprise | T1203 | Exploitation for Client Execution | BITTER has exploited Microsoft Office vulnerabilities CVE-2012-0158, CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802.[2][1] |
| enterprise | T1068 | Exploitation for Privilege Escalation | BITTER has exploited CVE-2021-1732 for privilege escalation.[3][4] |
| enterprise | T1105 | Ingress Tool Transfer | BITTER has downloaded additional malware and tools onto a compromised host.[2][1] |
| enterprise | T1559 | Inter-Process Communication | - |
| enterprise | T1559.002 | Dynamic Data Exchange | BITTER has executed OLE objects using Microsoft Equation Editor to download and run malicious payloads.[2] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | BITTER has disguised malware as a Windows Security update service.[2] |
| enterprise | T1095 | Non-Application Layer Protocol | BITTER has used TCP for C2 communications.[1] |
| enterprise | T1027 | Obfuscated Files or Information | BITTER has used a RAR SFX dropper to deliver malware.[1] |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | BITTER has obtained tools such as PuTTY for use in their operations.[1] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | BITTER has sent spearphishing emails with a malicious RTF document or Excel spreadsheet.[2][1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | BITTER has used scheduled tasks for persistence and execution.[2] |
| enterprise | T1608 | Stage Capabilities | - |
| enterprise | T1608.001 | Upload Malware | BITTER has registered domains to stage payloads.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | BITTER has attempted to lure victims into opening malicious attachments delivered via spearphishing.[2][1] |
Software
References
1. Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.
2. Raghuprasad, C. (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.
3. JinQuan, MaDongZe, TuXiaoYi, and LiHao. (2021, February 10). Windows kernel zero-day exploit (CVE-2021-1732) is used by BITTER APT in targeted attack. Retrieved June 1, 2022.
4. Microsoft. (2018, February 9). Windows Win32k Elevation of Privilege Vulnerability CVE-2021-1732. Retrieved June 1, 2022.