BITTER
Associated Group Descriptions

Name | Description
---|---
T-APT-17 | (Citation: Cisco Talos Bitter Bangladesh May 2022)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1583.001 | Acquire Infrastructure: Domains | BITTER has registered a variety of domains to host malicious payloads and for C2.(Citation: Forcepoint BITTER Pakistan Oct 2016)
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | BITTER has used HTTP POST requests for C2.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)
Enterprise | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | BITTER has executed OLE objects using Microsoft Equation Editor to download and run malicious payloads.(Citation: Cisco Talos Bitter Bangladesh May 2022)
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | BITTER has disguised malware as a Windows Security update service.(Citation: Cisco Talos Bitter Bangladesh May 2022)
Enterprise | T1588.002 | Obtain Capabilities: Tool | BITTER has obtained tools such as PuTTY for use in their operations.(Citation: Forcepoint BITTER Pakistan Oct 2016)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | BITTER has sent spearphishing emails with a malicious RTF document or Excel spreadsheet.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | BITTER has used scheduled tasks for persistence and execution.(Citation: Cisco Talos Bitter Bangladesh May 2022)
Enterprise | T1608.001 | Stage Capabilities: Upload Malware | BITTER has registered domains to stage payloads.(Citation: Forcepoint BITTER Pakistan Oct 2016)
Enterprise | T1204.002 | User Execution: Malicious File | BITTER has attempted to lure victims into opening malicious attachments delivered via spearphishing.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)
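The table above describes behaviours, not detections. As an added example (not code from the ATT&CK page or from the cited vendor reports), the following script turns three of those behaviours into toy process-creation rules and runs them over constructed, simplified Sysmon-style events: Equation Editor (EQNEDT32.EXE, the binary behind the "Microsoft Equation Editor" row) spawning a child process, an Office application spawning a script host after a malicious attachment is opened, and a scheduled task whose name borrows Windows Security/update wording while its action lives in a user-writable directory. The event schema, file paths, user name, task name and keyword list are assumptions chosen for illustration.

```python
"""Toy detections for three BITTER behaviours from the techniques table.

Added example, not code from the ATT&CK page or any cited report. Events use a
simplified Sysmon-style process-creation schema (EventID 1: Image, ParentImage,
CommandLine); all paths, user names and task names below are invented.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry: three events modelled on the tradecraft in the
# table and two benign events that must not alert.
SAMPLE_EVENTS = [
    {   # Equation Editor launching a command shell after an RTF is opened
        "EventID": 1,
        "ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\dropper.exe"',
    },
    {   # Dropper registering a task whose name mimics a Windows Security update
        "EventID": 1,
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": (r'schtasks.exe /create /sc minute /mo 15 '
                        r'/tn "Windows Security Update Service" '
                        r'/tr "C:\Users\alice\AppData\Roaming\wsus\svchost.exe" /f'),
    },
    {   # Excel spawning PowerShell from a malicious spreadsheet
        "EventID": 1,
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -w hidden -c "Start-Process $env:TEMP\dropper.exe"',
    },
    {   # Benign: Explorer opening Excel
        "EventID": 1,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "CommandLine": r'"EXCEL.EXE" "C:\Users\alice\Documents\budget.xlsx"',
    },
    {   # Benign: an installer registering its updater under Program Files
        "EventID": 1,
        "ParentImage": r"C:\Program Files\Vendor\setup.exe",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks.exe /create /sc daily /tn "Vendor Updater" /tr "C:\Program Files\Vendor\updater.exe"',
    },
]

OFFICE_APPS = {"winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Locations an unprivileged user can write to (assumed list; tune per estate).
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\|\\windows\\temp\\", re.I)
# Words a task name borrows to look like a Microsoft component (assumed heuristic).
LOOKALIKE_WORDS = re.compile(r"\b(windows|microsoft|security|defender|update)\b", re.I)
_TN = re.compile(r'/tn\s+(?:"([^"]*)"|(\S+))', re.I)
_TR = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.I)


def _name(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def parse_task_args(cmdline):
    """Return (task name, task action) from a schtasks command line; None if absent."""
    name = _TN.search(cmdline)
    action = _TR.search(cmdline)
    return (name and (name.group(1) or name.group(2)),
            action and (action.group(1) or action.group(2)))


def rule_equation_editor_child(ev):
    # Equation Editor has no legitimate reason to spawn any process.
    if ev["EventID"] == 1 and _name(ev["ParentImage"]) == "eqnedt32.exe":
        return {"techniques": ["T1559.002"], "rule": "Equation Editor spawned a process"}
    return None


def rule_office_spawns_script_host(ev):
    # Word/Excel launching a shell or script interpreter: malicious attachment executed.
    if (ev["EventID"] == 1 and _name(ev["ParentImage"]) in OFFICE_APPS
            and _name(ev["Image"]) in SCRIPT_HOSTS):
        return {"techniques": ["T1204.002"], "rule": "Office application spawned a script host"}
    return None


def rule_masquerading_task(ev):
    # A Microsoft-sounding task name whose action runs from a user-writable path.
    if ev["EventID"] != 1 or _name(ev["Image"]) != "schtasks.exe":
        return None
    cmd = ev["CommandLine"]
    if "/create" not in cmd.lower():
        return None
    name, action = parse_task_args(cmd)
    if name and action and LOOKALIKE_WORDS.search(name) and USER_WRITABLE.search(action):
        return {"techniques": ["T1053.005", "T1036.004"],
                "rule": "Lookalike task name running from a user-writable path"}
    return None


RULES = (rule_equation_editor_child, rule_office_spawns_script_host, rule_masquerading_task)


def detect(events):
    """Run every rule over every event; return the list of alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append({**hit, "parent": ev["ParentImage"], "image": ev["Image"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(",".join(a["techniques"]), "|", a["rule"], "|", a["parent"], "->", a["image"])
```

Against the sample events the script raises three alerts (the Equation Editor child, the lookalike task, and the Excel-to-PowerShell launch) and stays quiet on the two benign events; note that "Vendor Updater" is not flagged because the word-boundary match and the Program Files action path both fail, which is the kind of tuning a real rule needs to avoid paging on legitimate installers.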
Software

ID | Name | References | Techniques
---|---|---|---
S1013 | ZxxZ | (Citation: Cisco Talos Bitter Bangladesh May 2022) | Native API, Ingress Tool Transfer, Process Discovery, System Information Discovery, Security Software Discovery, Masquerade Task or Service, Query Registry, Obfuscated Files or Information, Scheduled Task, Malicious File, Spearphishing Attachment, System Owner/User Discovery, Data from Local System, Deobfuscate/Decode Files or Information
References
- Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.
- Raghuprasad, C. (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.
- JinQuan, MaDongZe, TuXiaoYi, and LiHao. (2021, February 10). Windows kernel zero-day exploit (CVE-2021-1732) is used by BITTER APT in targeted attack. Retrieved June 1, 2022.
- Microsoft. (2021, February 9). Windows Win32k Elevation of Privilege Vulnerability CVE-2021-1732. Retrieved June 1, 2022.