Researchers Detail the Evolving Tactics of Bitter APT as Its Geographical Extent Expands
June 5th, 2025Ravi LakshmananThreat Intelligence/Network Security

Bitter Hacker Group

The threat actor known as Bitter is assessed to be a state-sponsored hacking group tasked with collecting intelligence consistent with the interests of the Indian government.

That is the conclusion of new research published jointly by Proofpoint and Threatray in a thorough two-part analysis.

“These diverse toolsets demonstrate consistent coding patterns across the malware family, particularly in system information collection and string obfuscation,” said researchers Abdallah Elshinbary, Jonas Wagner, Nick Attfield and Konstantin Klinger.

Bitter, also known as APT-C-08, APT-Q-37, Hazy Tiger, Orange Yali, T-APT-17 and TA397, has a history of focusing primarily on South Asian organizations, with select intrusions also targeting China, Saudi Arabia and South America.

In December 2024, evidence emerged of the threat actor targeting Turkey with malware families such as WmRAT and MiyaRAT, indicating a gradual geographical expansion.


Bitter is said to frequently select “a very small subset of targets,” with its attacks aimed at governments, diplomatic entities and defence organizations, enabling intelligence gathering on foreign policy or current affairs.

The group’s attack chains typically rely on spear-phishing emails sent from free webmail providers such as 163[.]com, 126[.]com and ProtonMail, as well as from compromised accounts belonging to governments in Pakistan, Bangladesh and Madagascar.

In these campaigns the threat actor has also been observed posing as governments and diplomatic organizations in China, Madagascar, Mauritius and South Korea to lure recipients into opening malware-laced attachments that lead to the deployment of malware.

Overview of Bitter infection chain

“Based on the content and decoy documents adopted, it is clear that TA397 does not disguise itself as governments in other countries, including Indian allies,” the enterprise security company said.

“The targets of TA397 in these campaigns were Turkish and Chinese organizations in Europe, indicating that the group has knowledge and visibility into the legitimate work of Madagascar and Mauritius, and uses materials in spear lessons.”

Additionally, Bitter has been observed conducting hands-on-keyboard activity in two different campaigns targeting government organizations, performing further enumeration of target hosts and dropping payloads such as Kugelblitz and BDarkRAT, which was first documented in 2019.

BDarkRAT has standard remote access trojan features such as collecting system information, running shell commands, downloading files, and managing files on compromised hosts.

Bitter’s Malware Family

Some of the other known tools in its arsenal are listed below:

  • ArtraDownloader, a C++ downloader that collects system information and downloads and runs a remote file using HTTP requests
  • Keylogger, a C++ module used in various campaigns that records keystrokes and clipboard content
  • WSCSPL Backdoor (aka ZXXZ), a trojan that allows remote code execution of payloads received from the remote server
  • AlmondRAT, a .NET trojan that provides basic data collection capabilities and the ability to run arbitrary commands and execute any file
  • ORPCBackdoor, a backdoor that communicates with operator-controlled infrastructure using the RPC protocol
  • KiwiStealer, a stealer that searches for files matching a predefined set of extensions and exfiltrates them to the remote server
  • Kugelblitz, a shellcode loader that has been modified within the past year and is used to deploy the Havoc C2 framework


It is worth noting that ORPCBackdoor has been attributed by the Knownsec 404 Team to a threat actor called Mysterious Elephant, which overlaps with other India-aligned threat clusters such as SideWinder, Patchwork, Confucius and Bitter.

The analysis of hands-on-keyboard activity highlights a “working hours schedule from Monday to Friday in India’s Standard Time Zone (IST).” This coincides with the times at which the group’s WHOIS domain registrations and TLS certificate issuances occur.

“TA397 is a threat actor focused on espionage, which is highly likely to operate on behalf of India’s intelligence reporting agency,” the researchers said. “There are clear indications that most infrastructure-related activities will occur during standard opening hours in the IST time zone.”
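The working-hours correlation described above is something a defender can reproduce on their own timestamped evidence. The following added example is not code from the Proofpoint or Threatray research: it takes constructed UTC timestamps for the three artefact types the analysis relates (hands-on-keyboard activity, WHOIS registration, TLS certificate issuance), converts each into a set of candidate time zones, and scores every zone by the share of events that land Monday to Friday between 09:00 and 18:00 local time. The zone with the highest share is the best fit for the operators' working day. The function names, the 09:00 to 18:00 window, the candidate zones and all sample timestamps are assumptions made for this example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Candidate working time zones expressed as fixed offsets so the script needs no
# tz database. IST has no daylight saving, so UTC+5:30 is exact; the other
# offsets are winter values used only for comparison (an assumption).
CANDIDATE_ZONES = {
    "IST (UTC+5:30)": timezone(timedelta(hours=5, minutes=30)),
    "UTC": timezone.utc,
    "CST (UTC+8)": timezone(timedelta(hours=8)),
    "EST (UTC-5)": timezone(timedelta(hours=-5)),
}

# Constructed sample events (hypothetical values, not indicators from the report).
# Each entry is (artefact type, UTC timestamp); 2025-03-03 is a Monday.
SAMPLE_EVENTS = [
    ("keyboard", "2025-03-03T05:10:00Z"),  # Mon 10:40 IST
    ("keyboard", "2025-03-03T09:45:00Z"),  # Mon 15:15 IST
    ("keyboard", "2025-03-04T03:50:00Z"),  # Tue 09:20 IST
    ("whois",    "2025-03-05T07:00:00Z"),  # Wed 12:30 IST
    ("tls",      "2025-03-06T11:30:00Z"),  # Thu 17:00 IST
    ("keyboard", "2025-03-08T06:00:00Z"),  # Sat 11:30 IST (weekend)
    ("tls",      "2025-03-07T20:00:00Z"),  # Sat 01:30 IST (night)
    ("whois",    "2025-03-07T12:40:00Z"),  # Fri 18:10 IST (just after hours)
]


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_working_hours(when_utc: datetime, tz, start_hour: int = 9, end_hour: int = 18) -> bool:
    """True when the event falls Monday to Friday, start_hour <= local hour < end_hour, in tz."""
    local = when_utc.astimezone(tz)
    return local.weekday() < 5 and start_hour <= local.hour < end_hour


def working_hours_fraction(events, tz) -> float:
    """Share of events (0.0 to 1.0) that fall inside the working-hours window for tz."""
    stamps = [parse_utc(stamp) for _, stamp in events]
    if not stamps:
        return 0.0
    hits = sum(in_working_hours(dt, tz) for dt in stamps)
    return hits / len(stamps)


def fraction_by_type(events, tz) -> dict:
    """Working-hours share computed separately for each artefact type."""
    grouped = {}
    for kind, stamp in events:
        grouped.setdefault(kind, []).append((kind, stamp))
    return {kind: working_hours_fraction(subset, tz) for kind, subset in grouped.items()}


def best_fit_zone(events, zones=CANDIDATE_ZONES) -> tuple:
    """Return (zone name, score) for the candidate zone that best explains the activity."""
    scores = {name: working_hours_fraction(events, tz) for name, tz in zones.items()}
    best = max(scores, key=scores.get)
    return best, scores[best]


def local_hour_histogram(events, tz) -> Counter:
    """Count of events per local hour-of-day in tz, useful for eyeballing a workday shape."""
    return Counter(parse_utc(stamp).astimezone(tz).hour for _, stamp in events)


if __name__ == "__main__":
    for name, tz in CANDIDATE_ZONES.items():
        print(f"{name:16s} in-hours share: {working_hours_fraction(SAMPLE_EVENTS, tz):.3f} "
              f"by type: {fraction_by_type(SAMPLE_EVENTS, tz)}")
    print("best fit:", best_fit_zone(SAMPLE_EVENTS))
    ist = CANDIDATE_ZONES["IST (UTC+5:30)"]
    print("IST hour histogram:", sorted(local_hour_histogram(SAMPLE_EVENTS, ist).items()))
```

On real data the per-type breakdown matters as much as the overall score: interactive sessions, registrar timestamps and certificate issuance come from different systems, so a zone that explains only one of them is weaker evidence than a zone that explains all three, and a handful of events cannot distinguish neighbouring offsets on their own.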
