Researchers Detail Bitter APT’s Evolving Tactics as Its Geographic Scope Expands

Avatar
The threat actor known as Bitter has been assessed to be a state-backed hacking group that’s tasked with gathering intelligence that aligns with the interests of the Indian government. That’s according to new findings jointly published by Proofpoint and Threatray in an exhaustive two-part analysis. “Their diverse toolset shows consistent coding patterns across malware families, particularly in
[[{“value”:”

The threat actor known as Bitter has been assessed to be a state-backed hacking group that’s tasked with gathering intelligence that aligns with the interests of the Indian government.

That’s according to new findings jointly published by Proofpoint and Threatray in an exhaustive two-part analysis.

“Their diverse toolset shows consistent coding patterns across malware families, particularly in system information gathering and string obfuscation,” researchers Abdallah Elshinbary, Jonas Wagner, Nick Attfield, and Konstantin Klinger said.

Bitter, also known as APT-C-08, APT-Q-37, Hazy Tiger, Orange Yali, T-APT-17, and TA397, has a history of focusing primarily on South Asian entities, with select intrusions also targeting China, Saudi Arabia, and South America.

In December 2024, evidence emerged of the threat actor’s targeting of Turkey using malware families such as WmRAT and MiyaRAT, indicating a gradual geographical expansion.

Stating that Bitter frequently singles out an “exceedingly small subset of targets,” Proofpoint said the attacks are aimed at governments, diplomatic entities, and defense organizations so as to enable intelligence collection on foreign policy or current affairs.

Attack chains mounted by the group typically leverage spear-phishing emails, with the messages sent from providers like 163[.]com, 126[.]com, and ProtonMail, as well as compromised accounts associated with the governments of Pakistan, Bangladesh, and Madagascar.

The threat actor has also been observed masquerading as government and diplomatic entities from China, Madagascar, Mauritius, and South Korea in these campaigns to entice recipients into malware-laced attachments that trigger the deployment of malware.

Overview of Bitter’s infection chains

“Based on the content and the decoy documents employed, it is clear that TA397 has no qualms with masquerading as other countries’ governments, including Indian allies,” the enterprise security company said.

“While TA397’s targets in these campaigns were Turkish and Chinese entities with a presence in Europe, it signals that the group likely has knowledge and visibility into the legitimate affairs of Madagascar and Mauritius and uses the material in spearphishing operations.”

Furthermore, Bitter has been found to engage in hands-on-keyboard activity in two distinct campaigns targeting government organizations to conduct further enumeration activities on the targeted hosts and drop additional payloads like KugelBlitz and BDarkRAT, a .NET trojan that was first documented in 2019.

It features standard remote access trojan capabilities such as gathering system information, executing shell commands, downloading files, and managing files on the compromised host.

Bitter’s Malware Families

Some of the other known tools in its arsenal are below –

ArtraDownloader, a downloader written in C++ that collects system information and uses HTTP requests to download and execute a remote file
Keylogger, a C++ module used in various campaigns to record keystrokes and clipboard content
WSCSPL Backdoor, a backdoor that’s delivered via ArtraDownloader and supports commands to get machine information, execute remote instructions, and download and run files
MuuyDownloader (aka ZxxZ), a trojan that allows remote code execution of payloads received from a remote server
Almond RAT, a .NET trojan that offers basic data gathering functionality and the ability to execute arbitrary commands and transfer files
ORPCBackdoor, a backdoor that uses the RPC protocol to communicate with a command-and-control (C2) server and runs operator-issued instructions
KiwiStealer, a stealer that searches for files matching a predefined set of extensions, are smaller than 50 MB, and have been modified within the past year, and exfiltrates them to a remote server
KugelBlitz, a shellcode loader that’s used to deploy the Havoc C2 framework

It’s worth noting that ORPCBackdoor has been attributed by the Knownsec 404 Team to a threat actor called Mysterious Elephant, which it said overlaps with other India-aligned threat clusters, including SideWinder, Patchwork, Confucius, and Bitter.

Analysis of the hands-on-keyboards activity highlights a “Monday to Friday working hours schedule in Indian Standard Timezone (IST),” which is also consistent with the time when WHOIS domain registrations and TLS certificate issuances take place.

“TA397 is an espionage-focused threat actor that highly likely operates on behalf of an Indian intelligence organization,” the researchers said. “There is a clear indication that most infrastructure-related activity occurs during standard business hours in the IST timezone.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Total
0
Shares
Previous Post

FBI: Play ransomware gang has attacked 600 organizations since 2023

Next Post

Ukrainian police arrest hacker who used hosting firm’s servers to mine cryptocurrency

Related Posts

Vercel’s v0 AI Tool Weaponized by Cybercriminals to Rapidly Create Fake Login Pages at Scale

Unknown threat actors have been observed weaponizing v0, a generative artificial intelligence (AI) tool from Vercel, to design fake sign-in pages that impersonate their legitimate counterparts. "This observation signals a new evolution in the weaponization of Generative AI by threat actors who have demonstrated an ability to generate a functional phishing site from simple text prompts," Okta
Avatar
Read More

How To Automate Ticket Creation, Device Identification and Threat Triage With Tines

Run by the team at workflow orchestration and AI platform Tines, the Tines library features over 1,000 pre-built workflows shared by security practitioners from across the community - all free to import and deploy through the platform’s Community Edition. A recent standout is a workflow that handles malware alerts with CrowdStrike, Oomnitza, GitHub, and PagerDuty. Developed by Lucas Cantor at
Avatar
Read More