Bitter threat actor group found targeting Pakistani and Saudi Arabian organizations with AstraDownloader variants

• During the initial days, Bitter was targeting Pakistani and Chinese organizations.
• In its latest attack campaign, the threat actor group is using variants of AstraDownloader to inject the BitterRAT trojan into various organizations.

The Southeast Asia threat actor group Bitter, which is active since at least 2015, has expanded its activities recently. The hackers are now targeting organizations in Pakistan and Saudi Arabia using three variants of AstraDownloader.

The big picture - The researchers from Palo Alto Networks Unit 42 found that Bitter threat actor group began its latest attack campaign on Saudi Arabia and Pakistan in September 2018 and continued it till early 2019. During the initial days, Bitter was targeting Pakistani and Chinese organizations.

In its latest attack campaign, the threat actor group was found using variants of AstraDownloader to inject the BitterRAT trojan into various organizations. Initial access was achieved with a spear-phishing attack against an employee at a Saudi Arabian power company on September 12, 2018. Since then, AstraDownloader executables along with several malicious documents have been observed on servers belonging to Pakistani organizations.

“Several malicious documents have been identified, all communicating with likely compromised, legitimate Pakistan websites to retrieve the payload. These websites include those associated with the Pakistan government and other Pakistan organizations,” said Palo Alto Networks Unit 42 researchers in a blog post.

Between November 2018 and January 2019, researchers observed that a website belonging to an engineering and hydraulic company in Pakistan - almasoodgroup[.]com - was hosting two AstraDownloader executables as well as malicious documents used to deliver a payload.

The first file - Port Details.doc - was an RTF document designed to exploit the EQNEDT vulnerability CVE-2017-11882. The second file was used to communicate with command and control domain xiovo426[.]net.

Conclusion - After analyzing several such incidents, Unit 42 is able to define the expanded activities of the Bitter threat actor group. The researchers have identified roughly 80 unique instances of the AstraDownloader malware family. The three variants of AstraDownloader that are specifically used to target Pakistani and Saudi Arabian organizations have been revamped with minor changes, specifically the string obfuscation and HTTP requests.