ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > Bitter

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Bitter

NamesBitter (Forcepoint)
T-APT-17 (Tencent)
Country[South Asia]
MotivationInformation theft and espionage
First seen2013
Description(Forcepoint) Forcepoint Security Labs recently encountered a strain of attacks that appear to target Pakistani nationals. We named the attack “BITTER” based on the network communication header used by the latest variant of remote access tool (RAT) used.

Our investigation indicates that the campaign has existed since at least November 2013 but has remained active until today.
ObservedSectors: Energy, Engineering, Government.
Countries: Bangladesh, China, India, Pakistan, Saudi Arabia.
Tools usedArtraDownloader, BitterRAT, Dracarys.
Operations performedNov 2013Spear-phishing emails are used to target prospective BITTER victims. The campaign predominantly used the older, relatively popular Microsoft Office exploit, CVE-2012-0158, in order to download and execute a RAT binary from a website.
<https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan>
Jun 2016Recently, 360 Threat Intelligence Center found a series of targeted attacks against Pakistan targets. Attacker exploited one vulnerability (CVE-2017-12824) of InPage to craft bait documents (.inp).
<https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/>
Sep 2018Starting in September 2018 and continuing through the beginning of 2019, BITTER launched a wave of attacks targeting Pakistan and Saudi Arabia. This is the first reported instance of BITTER targeting Saudi Arabia. Details surrounding these attacks and the three ArtraDownloader variants observed are described below.
<https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/>
May 2019The Anomali Threat Research Team discovered a phishing site impersonating a login page for the Ministry of Foreign Affairs of the People’s Republic of China email service. When visitors attempt to login to the fraudulent page, they are presented with a pop-up verification message asking users to close their windows and continue browsing.
<https://www.anomali.com/blog/suspected-bitter-apt-continues-targeting-government-of-china-and-chinese-organizations#When:19:24:00Z>
Dec 2020Windows kernel zero-day exploit (CVE-2021-1732) is used by BITTER APT in targeted attack
<https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>
Aug 2021Cisco Talos has observed an ongoing malicious campaign since August 2021 from the Bitter APT group that appears to target users in Bangladesh, a change from the attackers' usual victims.
<https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html>
May 2022Bitter APT continues to target Bangladesh
<https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/>
Aug 2022Bitter APT group using “Dracarys” Android Spyware
<https://blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/>
Apr 2023Bitter Group Distributes CHM Malware to Chinese Organizations
<https://asec.ahnlab.com/en/51043/>
Information<https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/>
MITRE ATT&CK<https://attack.mitre.org/groups/G1002/>

Last change to this card: 26 April 2023

Download this actor card in PDF or JSON format

Previous: The Big Bang
Next: Blackgear

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]