BITTER
Associated Group Descriptions

| Name | Description |
|---|---|
| T-APT-17 | (Citation: Cisco Talos Bitter Bangladesh May 2022) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1583.001 | Acquire Infrastructure: Domains | BITTER has registered a variety of domains to host malicious payloads and for C2. (Citation: Forcepoint BITTER Pakistan Oct 2016) |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | BITTER has used HTTP POST requests for C2. (Citation: Cisco Talos Bitter Bangladesh May 2022) (Citation: Forcepoint BITTER Pakistan Oct 2016) |
| Enterprise | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | BITTER has executed OLE objects using Microsoft Equation Editor to download and run malicious payloads. (Citation: Cisco Talos Bitter Bangladesh May 2022) |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | BITTER has disguised malware as a Windows Security update service. (Citation: Cisco Talos Bitter Bangladesh May 2022) |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | BITTER has used a RAR SFX dropper to deliver malware. (Citation: Forcepoint BITTER Pakistan Oct 2016) |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | BITTER has obtained tools such as PuTTY for use in their operations. (Citation: Forcepoint BITTER Pakistan Oct 2016) |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | BITTER has sent spearphishing emails with a malicious RTF document or Excel spreadsheet. (Citation: Cisco Talos Bitter Bangladesh May 2022) (Citation: Forcepoint BITTER Pakistan Oct 2016) |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | BITTER has used scheduled tasks for persistence and execution. (Citation: Cisco Talos Bitter Bangladesh May 2022) |
| Enterprise | T1608.001 | Stage Capabilities: Upload Malware | BITTER has registered domains to stage payloads. (Citation: Forcepoint BITTER Pakistan Oct 2016) |
| Enterprise | T1204.002 | User Execution: Malicious File | BITTER has attempted to lure victims into opening malicious attachments delivered via spearphishing. (Citation: Cisco Talos Bitter Bangladesh May 2022) (Citation: Forcepoint BITTER Pakistan Oct 2016) |
Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S1013 | ZxxZ | (Citation: Cisco Talos Bitter Bangladesh May 2022) | Native API, Ingress Tool Transfer, Process Discovery, System Information Discovery, Security Software Discovery, Masquerade Task or Service, Query Registry, Encrypted/Encoded File, Scheduled Task, Malicious File, Spearphishing Attachment, System Owner/User Discovery, Data from Local System, Deobfuscate/Decode Files or Information |
References

- Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.
- Raghuprasad, C. (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.
- JinQuan, MaDongZe, TuXiaoYi, and LiHao. (2021, February 10). Windows kernel zero-day exploit (CVE-2021-1732) is used by BITTER APT in targeted attack. Retrieved June 1, 2022.
- Microsoft. (2018, February 9). Windows Win32k Elevation of Privilege Vulnerability CVE-2021-1732. Retrieved June 1, 2022.