Strike Ready: Introducing the Bitter APT Group

Aug. 19, 2024, 1:59 p.m.

Description

The report provides an in-depth analysis of the Bitter APT Group, a threat actor primarily focusing on cyber espionage activities in South Asia. It details the group's tactics, techniques, and procedures, including their ability to bypass security technologies by leveraging obscure file formats and encrypted payloads. The report examines various malware samples, backdoors, and information stealers utilized by the group, shedding light on their capabilities and methods of operation. Additionally, it provides indicators of compromise, YARA rules, and recommendations for defending against these persistent threats.

Date

  • Created: Aug. 19, 2024, 1:35 p.m.
  • Published: Aug. 19, 2024, 1:35 p.m.
  • Modified: Aug. 19, 2024, 1:59 p.m.

Indicators


Attack Patterns

  • OLMAPI32.dll
  • Figlio.exe
  • stom.jpg
  • sstn.exe
  • scm.exe
  • schs.exe
  • sparrow.jpg
  • SearchApp.jpg
  • ORPCBackdoor
  • Bitter APT Group
  • T1588
  • T1135
  • T1583
  • T1113
  • T1005
  • T1083
  • T1071
  • T1566
  • T1562
  • T1059