Strike Ready: Introducing the Bitter APT Group
Aug. 19, 2024, 1:59 p.m.
Tags
External References
Description
The report provides an in-depth analysis of the Bitter APT Group, a threat actor primarily focusing on cyber espionage activities in South Asia. It details the group's tactics, techniques, and procedures, including their ability to bypass security technologies by leveraging obscure file formats and encrypted payloads. The report examines various malware samples, backdoors, and information stealers utilized by the group, shedding light on their capabilities and methods of operation. Additionally, it provides indicators of compromise, YARA rules, and recommendations for defending against these persistent threats.
Date
Published: Aug. 19, 2024, 1:35 p.m.
Created: Aug. 19, 2024, 1:35 p.m.
Modified: Aug. 19, 2024, 1:59 p.m.
Indicators
Attack Patterns
OLMAPI32.dll
Figlio.exe
stom.jpg
sstn.exe
scm.exe
schs.exe
sparrow.jpg
SearchApp.jpg
ORPCBackdoor
Bitter APT Group
T1588
T1135
T1583
T1113
T1005
T1083
T1071
T1566
T1562
T1059