##### Security
# BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool

www.bitdefender.com


-----

#### Contents

Foreword....................................................................................................................................................... 3

BitterAPT: from open-source to custom RAT............................................................................................. 3

Distribution tactics....................................................................................................................................... 5

The Google Play invasion............................................................................................................................ 8

AlarmClockSlide......................................................................................................................................................11

CalculatorTool.........................................................................................................................................................11

CalendarSlide .........................................................................................................................................................11

HardMicApp ...........................................................................................................................................................11

Command and Control servers ................................................................................................................12

A bitter landscape (telemetry) ...............................................................................................................................14

A bitter arsenal... ....................................................................................................................................................15

Appendix: Indicators of Compromise.......................................................................................................21

CnC Domains ..........................................................................................................................................................22

Referenced IOCs from previousresearch .............................................................................................................22

**Authors:**

Oana ASOLTANEI - Security Researcher at Bitdefender

Denis Cosmin NUȚIU - Security Researcher at Bitdefender


Alin Mihai BARBATEI - Team Lead, Cyber Threat Intelligence Lab at Bitdefender


-----

BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool

## BitterAPT: from open-source to custom RAT

The Bitter threat group initially started using RAT tools
in their campaigns, as the first Bitter versions, for
Android released in 2014 were based on the AndroRAT
framework [4][5]. Over time, they switched to a custom
version that has been known as BitterRAT ever since.

A Chinese security firm provided a timeline outlining
the evolution of the mobile version and placed the
earliest-known version of Android Bitter in September
2014 [5].

The oldest sample we have identified in our malware
zoo is 448b8af1a6757aa5b827b382777ab3de, an
application called Misbaha, as indicated in [4]. It has
the internal zip file timestamp of 04 September 2014,
which can be an indicator to support the assumption,
but a closer look at the signing certificate reveals a
validity time of not before 28th Apr 2014. This date is
usually one and the same with the date the certificate
was created and might indicate the first attack could
have begun months before anyone was even aware.

Issuer: C=US, O=Android, CN=Android Debug

Validity

Not Before: Apr 28 07:05:23 2014 GMT

Not After : Apr 20 07:05:23 2044 GMT

By 2016, the Bitter operators started creating their own
custom, more evolved RAT based on AndroRAT. Security
researchers named this variation SlideRAT [5]. The Bitter
malware was distributed via fake applications using
elaborate phishing schemes, as well as a network of
compromised sites that were used to host the malware
itself.

Publicly known variations of fake applications that are
imitated include Dawn News, jamat-ud-dawah, People’s
**Liberation Army News APP,** **China-Super-VPN,** **Ansar**
**Foundation,** **Anyou ID [5],** **Pornhub Premium [1] and**
**Kashmir News [7].**

Interestingly the threat actors have used Kashmir as
bait in the past first in 2014 then in 2019 The 2014


-----

BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool

the newer version in 2019 (42c2d7aeb8a98df09c624a9605849927 [7]), is named Kashmir Hunt. Coincidence or not,
the years 2014 and 2019 both correspond to elections in the Kashmir region [8].

In our research, we have found previously unmentioned applications targeting religious groups by masquerading as True
**Islam or Saima Eid related applications as well as more generic variations that imitate common applications such as:**
**Voice Mail, chat, image viewers and WhatsApp activators. A version more oriented toward Chinese victims is distributed**
as 蓝光手机防毒高级版本.apk (rough translation of Advanced version of antivirus for blue-light phone).


**APK MD5s** **Package Name** **Distribution Name**


**6d3dcb9ad491628488feb9de6e092144** com.nightstar.islam TrueIslam.apk

**ea3b4cde5ef86acfe2971345a2d57cc0** display.Launcher voicemail.apk

**cbb32c303d06aa4d2dba713936e70f5c** droid.pixels PrivateChat.apk

**ee85b2657ca5a1798b645d61e8f5080c** com.secureImages.viewer.SlideShow ImageViewer360.apk

**692ff450aec14aca235cd92e6c52a960** com.folder.image ImageView.apk

**de931e107d293303dd1ee7e4776d4ec7** com.android.display 蓝光手机防毒高级版本.apk

**d7c21a239999e055ef9a08a0e6207552** com.google.settings SaimaEidPics.apk

**9edf73b04609e7c3dada1f1807c11a33** com.youtube.dwld WhatsAppActivation.apk

The 蓝光手机防毒高级版本 application was most likely used in the 2017 wave against the Chinese Government. The
sample has its creation zip time stripped down, but the certificate Not Before Time indicates 3 Oct 2017 10:12:47 GTM.
This sample also has a slightly different code structure than others at that time. Another odd thing about it is that the
indicated CnC (where it uploads the stolen information) points to http[:]//techfront.com[.]cn/js/gbuilder.
```
php. The domain techfront[.]com[.]cn presumably belongs to a legitimate Chinese company [9]. 

```
The fact that this sample uploads exfiltrated data to that URL implies that the domain has hosted malware at some point.
Likely, the web site was hacked and a malicious script was injected. The Bitter group has been known to hijack sites to
host their malware, but there is no account of a case where it would inject a script that acts as CnC.


-----

BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool

## Distribution tactics

Over the years, cross platform Android – Windows Bitter attribution has relied on the same domains being used by the
malware in both scenarios, as well as by victimology [1][4]. The Bitter threat group has been using ArtraDownloader for
its Windows campaign [10] and AndroRAT variations for its Android campaigns.

Worth mentioning is that the group has delivered malware for both Windows and Android via the same hacked sites.
[For instance, the legitimate cultural website gandharaart[.]org, at this moment still hosts both the Windows and Android](http://www.gandharaart.org/news/lsasw)
version of the threat.


**Distribution point** **Type**


**[gandharaart.org/news/lsasw](http://www.gandharaart.org/news/lsasw)** Windows ArtraDownloader used by Bitter

**[gandharaart.org/images/IM/ImageViewer360.apk](http://www.gandharaart.org/images/IM/ImageViewer360.apk)** Android AndroRAT variation used by Bitter

The attribution of ArtraDownloader to the Bitter APT group, as well as the presence of the Windows threat variation on
the gandharaart[.]org have been documented by several security-related organizations [10][6].

Other BitterRAT distribution points, identified in previous research [1], are still active. One such distribution
point is `http[:]//spiceworld.rf[.]gd/Premium.php from which` **P-Hub Premium.apk (APK MD5:**
```
1d2e23effc225880cadb7ee56dff25cf) is still delivered. The site spiceworld.rf.gd appears to be a makeshift

```
webpage.


-----

BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool

The threat actors most likely created a basic site for use as a malware distribution point. It points to 185.27.134.139

- a data center hosting several other sites. Over time this IP has hosted several distribution points for other threats,
targeting both Android and Windows.

The Bitter threat group is believed to operate out of a country in South Asia [6][12]. We attempted to confirm this by
running the “timestamp test” as indicated by the APKs inner zip file time. For most samples, this information was stripped
from the APK containers. Instead of the missing information, we used the certificate creation time of all certificates used
to sign BitterRAT malware, as well as the zip file time for samples that did not have it stripped.

When a certificate is generated, the GMT time is saved. To test the theory that the threat group is in a South Asian
country, we added extra hours to match Indian Standard Time (UTC+05:30). Zip file time is local time, so no alteration
was needed.

The exact date was used and determined what day of the week it was at that time and plotted as shown further:


-----

BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool

**Build time plotted to Indian Standard Time**

The resulting chart indicates that Bitter APT threat group works predominantly from Monday to Friday and 09:00 to
17:00. They avoid working on Saturdays and, on occasion, have been shown to do some work on Sundays.

Other variations of time zones would also place their activity within regular business hours for an organization. If plotted
against Pakistan Standard Time (GMT+5), we get the following (some points of the chart do not change because they
were local time when stored).

**Build time plotted to Pakistan Standard Time**

These charts show that the Bitter APT threat group is working on a time zone that covers UTC+5 and UTC+6, which
reinforce the idea that the group is somewhere in South Asia.


-----

BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool

## The Google Play invasion

Analysis of the sample `42c2d7aeb8a98df09c624a9605849927 (Kashmir_news.apk), which is an already known`
application attributed to the Bitter APT Group [7], led us to discover an alarming set of samples currently active on Google
Play.

Signed with the same certificate and sharing the same package name (com.clocknews.update), we found the application
[AlarmClockSlide at https://play.google.com/store/apps/details?id=com.clocknews.update](https://play.google.com/store/apps/details?id=com.clocknews.update)

The same developer, CreativeFox, has 5 other applications listed on Google Play Store.

Besides the certificate connection between the BitterRATKashmir_news.apk and the AlarmClockSlide on Google Play,


-----

BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool

exception, namely HardMicApp which has no BitterRAT correspondent). These applications do not have data-exfiltration
capabilities, but the APT threat group can easily weaponize them by delivering an update, for instance.

Not all applications are signed with the same developer certificate, but the certificate strings are all variations and
wordings of Karachi, Phase 3 DHA Clifton CreativeFox, Development, Developer.


**Certificate strings**


C=PK, ST=Karachi, L=75/6D Phase3 DHA Clifton Karachi Pakistan., O=CreativeFox pvt. ltd.,
OU=Developer, CN=CreativeFox

C=PK, ST=Karachi, L=75/6D Phase3 DHA Clifton, O=CreativeFox Pvt Ltd, OU=Development Unit,
CN=CreativeFox

C=PK, ST=Karachi, L=75/6D Phase 3 DHA Clifton, O=CreativeFox pvt. Ltd., OU=Developer,
CN=CreativeFox

C=PK, ST=Karachi, L=Clifton, O=CreativeFox pvt ltd, OU=Developer, CN=CreativeFox

C=PK, ST=Karachi Pakistan, L=75/6D Phase 3 DHA Clifton, O=CreativeFox pvt ltd, OU=Research and
Development Unit, CN=CreativeFox

C=PK, ST=Karachi, L=75/6D Phase 3 DHA Clifton, O=CreativeFox pvt. Ltd., OU=Developer,
CN=CreativeFox

It is worth mentioning that this type of polymorphing certificates was already used in the past by the Bitter APT group. Our
analysis concluded that the following samples, distributed during the 2017-2018 waves, also share a similar polymorphic
certificate structure.


**Distribution** **Certificate creation time** **Certificate strings**


**TrueIslam.apk** 2017.04.12 10:14 GTM C=31, ST=Nederland, L=Rotterdam, O=IntelliS,
OU=IntelligentIslam, CN=Mark Reader

**Image_Viewer.apk** 2018.06.09 11:00 GTM C=31, ST=Nederland, L=Rotterdam, O=IntelliJ,
OU=Intelligent Image Viewer, CN=Mark Reader

**voicemail.apk** 2017.12.12 9:10 GTM C=31, ST=Nederland, L=Rotterdam, O=IntelliErr,
OU=IntelligentSilent, CN=George Michael

Analysis of the Google Play developer CreativeFox continues.

All websites and privacy pages of the applications point to thew64binautoclean[.]org domain. The domain was
registered on 2019-08-30 and expires on 2020-08-30. We also see that it runs the control panel (cpanel) addon.


-----

BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool

It is obvious that some amount of importance and effort have been directed by the Bitter APT group into developing this
site.

When further investigating the privacy policies for the applications we find the following:


**Application** **Last updated on Play** **Privacy page**


**CalendarSlide** 2019.09.11 https://creativefox.w64binautoclean.org/

**ZeroCross** 2019.09.27 http://zerocros.w64binautoclean.org/privacy.html

**CalculatorTool** 2019.11.14 https://w64binautoclean.org/calculatorslide/CalculatorSilent/

**AlarmClock** 2019.11.30 https://w64binautoclean.org/AlarmClock/privacy.html

**HardMicApp** 2020.02.11 https://w64binautoclean.org/creativefox/HomoPhonic/privacy.html
As a side note, the oldest application, CalendarSlide, was uploaded to Google Play less than 2 weeks after the domain
was registered.

The threat group is known to target Pakistani officials, among others. There are some indicators in the code of the
applications and on the Google Play pages related to the CreativeFox author, that support the assumption that these
applications were made to mainly target Pakistani victims.

The developer lists the address in Pakistan, and we found strings corresponding to all 5 Islamic prayer times Fajr,
Dhuhr, Asr, Maghrib and Isha [11] in the HardMicApp application stored in a variable called Prayers. Although they
are not used, we believe the developers initially wanted to create an Islamic Prayers application,as the strings are
found with the Alarm suffix: “FajrAlarm”, “DhuhrAlarm”, “AsrAlarm”, “MaghribAlarm”, “IshaAlarm”. This would hint at
functionality for setting up a reminder for prayer time. Eventually the developers chose to develop a recording app, but
forgot the strings inside the new app.


-----

BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool

### AlarmClockSlide

The indicated malicious version is unlikely to be the exact one to replace the clean app, given that they share the same
version code and Google Play developers are required to increment it with each update, but that is easily fixable. Both
are signed with the same developer certificate (certificate SHA1: c484368c8900627dcc549f5e494a9bf9ec0b35e0)


`3f1e5cb139b50e6cfe2efa583ded83ed` com.clocknews.update 1 1.0 Clean on Play

`42c2d7aeb8a98df09c624a9605849927` com.clocknews.update 1 1.0 Bitter malware


### CalculatorTool

Both the clean version and the weaponized version are signed with the same certificate. No alterations would be
needed when the group choses to issue the update.

###### ZeroCross

This application is a basic tic-tac-toe game.


**Status** **Clean on Play Store** **Bitter malware**

**MD5** 39ff842a2c758bf336af852186c1404a

**Packagename** eu.blitz.conversations

**Cert SHA1** 0f1ea13d9a1c1cf6c35a610bb83c92a81f818a8b 04bd724eddb08c5cd3a37151899bbd1f78f44582

**Version** 1 329

|MD5 Packagename Cert SHA1 Version|39ff842a2c758bf336af852186c1404a 0e1db2219402ec254b150a4f6d8b0b02 eu.blitz.conversations 0f1ea13d9a1c1cf6c35a610bb83c92a81f818a8b 04bd724eddb08c5cd3a37151899bbd1f78f44582 1 329|
|---|---|


### CalendarSlide


**Status** **Clean on Play Store** **Bitter malware**

**MD5** 95c1925c7db67f2686fbbdd333844217

**Packagename** com.picture.guard.view

**Cert SHA1** 0d1c4b9f0bc704169ea5de6c946deb79bd66529d af094b0538baafcc7e8c1027853931d57e26c8c7

**Version** 1 10

|MD5 Packagename Cert SHA1 Version|95c1925c7db67f2686fbbdd333844217 68f0fb35fa7ad061b621a6b4c48155b2 com.picture.guard.view 0d1c4b9f0bc704169ea5de6c946deb79bd66529d af094b0538baafcc7e8c1027853931d57e26c8c7 1 10|
|---|---|


### HardMicApp

No Bitter weaponized sample has been found for this application yet.


-----

BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool

## Command and Control servers

Besides the known Bitter-related CnCs, we also found five new domains in the mentioned samples used to exfiltrate user
personal data.

**Exfiltration Site** **Observation**

**http://blitzchatlog.ddns.net/Hide/silent.php** URL still active

**http://playupdateapp.serveblog.net/Youtube/home.php** DNS returns IP for domain but timeout

**http://techfront.com.cn/js/gbuilder.php** Injected malware in legitimate site

**https://phoneshieldnet.com/phoneshieldapp/health.php** Last seen active in 2020-03-28

**https://mypicks4u.com/chitchatbox/chitchat.php** URL still active

The **blitzchatlog.ddns.net domain resolves to 23.83.133.67. This IP belongs to the US hosting and cloud services**
company Leaseweb.

The same server is used to provide resources for some of the applications. Bitter sample (MD5 hash
```
6d3dcb9ad491628488feb9de6e092144) TrueIslam.apk, for example, downloads from http://
blitzchatlog[.]ddns[.]net/Islam/ various religious mp3 files and propaganda posters, in accordance with its

```
guise.

|Exfiltration Site Observation http://blitzchatlog.ddns.net/Hide/silent.php URL still active|Col2|
|---|---|
|http://playupdateapp.serveblog.net/Youtube/home.php|DNS returns IP for domain but timeout|
|http://techfront.com.cn/js/gbuilder.php|Injected malware in legitimate site|
|https://phoneshieldnet.com/phoneshieldapp/health.php|Last seen active in 2020-03-28|
|https://mypicks4u.com/chitchatbox/chitchat.php|URL still active|


-----

BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool

Other artifacts can be found on the server.

The server also contains several .php files, each serving different data. For example, blitzchatlog.ddns[.]net/Hide/
**displayLink.php servers the following message:**

**blitzchatlog.ddns[.]net/Hide/displayLinkfacebook.php servers the following message:**


-----

BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool

Those variations of Bitter that connect to this domain uses these displayLink services to determine their behavior. For
example, (ea3b4cde5ef86acfe2971345a2d57cc0) on start will connect to Hide/displayLink.php. If the first line of
the output contains a display (it does) it will show a toast with the second line (Welcome) and open the third line (www.
facebook.com).

We believe /Islam/true.php and /Hide/silent.php serve the same purpose. These are used as exfiltration points where
BitterRAT would upload information stolen from victims, with each URL possibly corresponding to a different threat
campaign. The CnCs also keep track of a victim using the phone’s IMEI and the SIM number as a makeshift user ID when
contacting such exfiltration points.

_An example of a POST request made to the server:_
```
blitzchatlog.ddns[.]net/Hide/silent.php?IMEI=123412341234123&SIMNO=12345678901234567890

```
The following image shows the Bitter IP – domain mapping.

### A bitter landscape (telemetry)

The group usually targets important figures and organizations from Asian countries, Pakistan and China being among their most
common targets. [1][3] Our telemetry readings indicate the presence of BitterRAT in Asia, with most scans coming from China, Hong
K d Si


-----

BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool

### A bitter arsenal...

Bitter APT group initially started using AndroRAT as their Android malware (similar to how ArtraDownloader is used for
the Windows platform). Over time they changed to a custom version, which we have named BitterRAT (other security
researchers prefer the name SlideRAT[5]).

BitterRAT has several modules tailored for spying and stealing personal user information. A full version can exfiltrate
information such as:

- calls recordings

- call history

- SMS messages

- location

- accounts

- device specific information

- installed applications list

- documents and files

- WhatsApp messages and call logs

- BBM messaging app (former BlackBerry messenger)

A more in-depth analysis is focused on APK 0e1db2219402ec254b150a4f6d8b0b02, ChitChatBox application. This
application was signed with an apparent debug certificate and had un-obfuscated code.

**Cert generation time** **Certificate strings**

Aug 30 07:50:23 2019 GMT CN=Android Debug, O=Android, C=US

We believed it was somehow, unintentionally, leaked by the authors.

This version has the CnC at mypicks4u[.]com/chitchatbox/chitchat.php

[The malware code is shipped together with an older version of the open source Conversations Android chat application.](https://github.com/iNPUTmice/Conversations)

When opening the application for the first time, the user is greeted by a screen to verify their phone number. Verification
is done using a standard 2FA API (phone number is not leaked here).


-----

BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool

After the phone number verification succeeds, the user gets redirected to the ConversationsActivity, which is also present
in the open source application. However, in this version, the code is modified to request accessibility permissions for
malicious purposes.

The user can’t continue unless the requested permission is granted.

By analyzing the Config class, we can see that the malware authors changed the email address under the variable
BUG_REPORTS to support[@]chaatchitt.com. The legitimate chat application has a different email address there.


-----

BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool

The chaatchitt.com domain was registered on 2019-08-21 and a DNS SOA record links it with the email vera_ariel1992[@]
**protonmail.com.**

While the authors decided to include a lot of Android libraries that aren’t used, the malware code is conveniently placed
in the eu.blitz.conversations.runner package, a package that does not exist in the open source version of Conversations.

One of its specialized exfiltration modules can steal the user’s WhatsApp and BBM (former BlackBerry messenger)
messages using the phone’s accessibility features (ExtractionManager.Accessibility). As far as we can tell, the fact that
**_Bitter group targets BBM messaging application has not been previously disclosed. Although BBM was discontinued in mid-_**
2019 [2], it is apparently still used by Bitter’s victims of interest often enough to have it targeted.

The WhatsApp module is slightly more advanced, as it keeps track of all the user’s voice and video call logs, making it
possible to exfiltrate them later.

One of the modules (ResourceChannelRecord) can record with the user’s phone microphone, which gets turned on
whenever the user receives or makes a call. Voice recordings of the calls are then exfiltrated to the server.


-----

BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool

With regards to the exfiltration module that siphons device information (ResourceCMCASA), among data that is usually
collected (network details, IMEI, mobile phone number and others) we see that the Bitter group is also interested in
learning whether the victim is in Roaming mode and discovering their Voice Mail Number.

_We have already identified a sample that is distributed as voicemail.apk; Voice Mail Number may be of a higher importance_
_than previously thought, and the fact that roaming information is collected indicates that Bitter APT group is particularly_
_interested if their targets are currently abroad._

Another interesting module (ResourceFindexFetch) scans the device for files - more specifically for .pdf, .txt, .xml, .doc,
**.jpg, .gif, .png, .bmp, .xls, .webp, .amr, .docx, .apk, .reco - and uploads metadata information to the server. The server**
can also request a specific file from the device to be uploaded if it is considered of interest.


-----

BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool

BitterRAT samples usually have the server address hardcoded inside files. Newer versions are instructed to retrieve the
CnC from a Firebase database.

Version ImageView.apk (692ff450aec14aca235cd92e6c52a960) retrieves the CnC from the Firebase URL simple**chat-9b74d.firebaseio.com.**

Because of improper configuration of the Firebase database, the entire content could be dumped. The only CnC domain
available is flashnewsservice.org.

{“domain”: {“url”:”https://flashnewsservice[.]org/CloudVault/”}}

The domain has already been attributed to the Bitter APT campaign [1], although a corresponding sample connecting to
it and the firebase behavior was previously undocumented.

Certificate creation time indicates January 2020 as the creation time. This is the newest sample we have obtained,
although it is not the most complex.

**Cert creation time** **Certificate strings**

**Jan 3 08:43:26 2020 GMT** CN=Android Debug, O=Android, C=US

All BitterRAT samples share a similar structure in terms of overall exfiltration components and utilities, except for one:
```
9edf73b04609e7c3dada1f1807c11a33 (distributed as WhatsAppActivation.apk). This application, despite sharing

```
its CnC with two other “classic” samples with spyware abilities, has an entirely different, underdeveloped structure, which
hints that it might be another test app leaked by the malware author by mistake.

Another interesting observation: voicemail.apk has an inner package named TODOFeatures. This package name is the
same module responsible for exfiltrating WhatsApp and BBM messages and call logs in newer versions.


-----

BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool

There are code similarities between the versions currently on Play, even without the exfiltration capabilities.

- The ZeroCross application shares a component with the same java package name as the malicious ChitChatBox.

- HardMicApp, a sound recording application, has a lot in common with ChitChatBox; 32% of ChitChatBox’s code base
is found in HardMicApp (where it accounts for 48% of the app).
Besides some commonly used shared libraries, they also share the SecurityManager class, a wrapper over shared
preferences. This class contains a Prayers array of strings corresponding to all 5 Islamic prayer times; Fajr, Dhuhr,
Asr, Maghrib and Isha [11]. The array is not used in this version of the application.

Another common package among HardMicApp, ChitChatBox BitterRAT and the ImageView.apk BitterRAT is the otp
package, which contains the RequestPhoneActivity and VerifyPhoneActivity components. In all mentioned versions,
this package contains ChitChatBox references, e.g. “eu.blitz.conversations.phone”.


-----

BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool

## Appendix: Indicators of Compromise

New BitterRAT samples hashes from this research

**APK MD5s** **Package Name** **Distribution Name**

6d3dcb9ad491628488feb9de6e092144 com.nightstar.islam TrueIslam.apk

f92ed513fb83e7418654c4ee2a89bed5 Secure.ImageViewer Image_Viewer.apk

ea3b4cde5ef86acfe2971345a2d57cc0 display.Launcher voicemail.apk

cbb32c303d06aa4d2dba713936e70f5c droid.pixels PrivateChat.apk

ee85b2657ca5a1798b645d61e8f5080c com.secureImages.viewer.SlideShow ImageViewer360.apk

68f0fb35fa7ad061b621a6b4c48155b2 com.picture.guard.view

4987f36c8c90ef2075e41f8a2964754f tool.calculator

692ff450aec14aca235cd92e6c52a960 com.folder.image ImageView.apk

0e1db2219402ec254b150a4f6d8b0b02 eu.blitz.conversations

de931e107d293303dd1ee7e4776d4ec7 com.android.display 蓝光手机防毒高级版本.apk

b0d55ccc06573230f2f74b9e85b5a6c9 com.nightstar.phoneshield

d20c6731e278a1d3202b4caa0902afa8 google.comgooglesettings Dawn News Official.apk

d7c21a239999e055ef9a08a0e6207552 com.google.settings SaimaEidPics.apk

9edf73b04609e7c3dada1f1807c11a33 com.youtube.dwld WhatsAppActivation.apk

Bitter APK versions without malicious payload


**APK MD5**

```
3f1e5cb139b50e6cfe2efa583ded83ed
b1c2124f785d75220be3382aeb091835
39ff842a2c758bf336af852186c1404a
95c1925c7db67f2686fbbdd333844217
f40b2c3faa6a25a3a34e1d187a8d9de5
8003dca1ece8b82419f916e81b1ed368
c789eb63e852eed12758a3d53b5f51c7
7ac0421755ed01fb2203dc85fc19374a 
ff281c84cf10cc8fb40dab1f261523df

```

-----

BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool

### CnC Domains

**BitterRAT domains**

blitzchatlog.ddns.net

phoneshieldnet.com

mypicks4u.com

playupdateapp.serveblog.net

**BitterRAT exfiltration points**

http://blitzchatlog.ddns.net/Hide/silent.php

http://techfront.com.cn/js/gbuilder.php

https://phoneshieldnet.com/phoneshieldapp/health.php

https://mypicks4u.com/chitchatbox/chitchat.php

http://playupdateapp.serveblog.net/Youtube/home.php

### Referenced IOCs from previousresearch

**APK MD5**
```
8aff67a6b4f3e398b912f8405beb5319
448b8af1a6757aa5b827b382777ab3de
42c2d7aeb8a98df09c624a9605849927
1d2e23effc225880cadb7ee56dff25cf

```

**URL** **Meaning**


spiceworld.rf.gd CnC Domain

flashnewsservice.org CnC Domain

gandharaart.org/news/lsasw Windows Bitter APT malware distribution point


-----

BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool

## References

[[1]https://threatvector.cylance.com/en_us/home/mobile-malware-and-apt-espionage-prolific-pervasive-and-cross-platform.html](https://threatvector.cylance.com/en_us/home/mobile-malware-and-apt-espionage-prolific-pervasive-and-cross-platform.html)

[[2] https://gulfnews.com/business/etisalat-blackberry-services-no-longer-available-from-march-10-in-uae-1.1582117767276](https://gulfnews.com/business/etisalat-blackberry-services-no-longer-available-from-march-10-in-uae-1.1582117767276)

[[3] https://www.anomali.com/blog/suspected-bitter-apt-continues-targeting-government-of-china-and-chinese-organizations](https://www.anomali.com/blog/suspected-bitter-apt-continues-targeting-government-of-china-and-chinese-organizations)

[[4]https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan](https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan)

[[5]https://blogs.360.cn/post/analysis_of_APT_C_08.html](https://blogs.360.cn/post/analysis_of_APT_C_08.html)

[[6] https://meltx0r.github.io/tech/2019/09/06/bitter-apt-not-so-sweet.html](https://meltx0r.github.io/tech/2019/09/06/bitter-apt-not-so-sweet.html)

[[7] https://twitter.com/h4ckak/status/1224265173764100098](https://twitter.com/h4ckak/status/1224265173764100098)

[[8] https://en.wikipedia.org/wiki/Elections_in_Jammu_and_Kashmir](https://en.wikipedia.org/wiki/Elections_in_Jammu_and_Kashmir)

[[9] https://www.linkedin.com/company/%E5%8C%97%E4%BA%AC%E5%8C%97%E5%A4%A7%E5%8D%83%E6%96%B9%E7%A7%91%](https://www.linkedin.com/company/%E5%8C%97%E4%BA%AC%E5%8C%97%E5%A4%A7%E5%8D%83%E6%96%B9%E7%A7%91%E6%8A%80%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8/about/)

[E6%8A%80%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8/about/](https://www.linkedin.com/company/%E5%8C%97%E4%BA%AC%E5%8C%97%E5%A4%A7%E5%8D%83%E6%96%B9%E7%A7%91%E6%8A%80%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8/about/)

[[10] https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/](https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/)

[[11] https://en.wikipedia.org/wiki/Salah_times](https://en.wikipedia.org/wiki/Salah_times)

[12] [https://www.globenewswire.com/news-release/2019/08/08/1899716/0/en/Anomali-Threat-Research-Team-Discovers-BIT-](https://www.globenewswire.com/news-release/2019/08/08/1899716/0/en/Anomali-Threat-Research-Team-Discovers-BITTER-APT-Phishing-Campaign-Targeting-People-s-Republic-of-China-Government-Agencies.html)

[TER-APT-Phishing-Campaign-Targeting-People-s-Republic-of-China-Government-Agencies.html](https://www.globenewswire.com/news-release/2019/08/08/1899716/0/en/Anomali-Threat-Research-Team-Discovers-BITTER-APT-Phishing-Campaign-Targeting-People-s-Republic-of-China-Government-Agencies.html)


-----

###### Proudly Serving Our Customers Dedicated To Our +20.000 Worldwide Partners
Bitdefender provides solutions and services for small business and A channel-exclusive vendor, Bitdefender is proud to share success with tens of
medium enterprises, service providers and technology integrators. We take thousands of resellers and distributors worldwide.
pride in the trust that enterprises such as Mentor, Honeywell, Yamaha,
**Speedway, Esurance or Safe Systems place in us.** _CRN 5-Star Partner, 4th Year in a Row. Recognized on CRN’s Security 100 List. CRN Cloud_

_Partner, 2nd year in a Row_

_Leader in Forrester’s inaugural Wave™ for Cloud Workload Security_

_More MSP-integrated solutions than any other security vendor_

_NSS Labs “Recommended” Rating in the NSS Labs AEP Group Test_

_3 Bitdefender Partner Programs - to enable all our partners – resellers, service providers_

_SC Media Industry Innovator Award for Hypervisor Introspection, 2nd Year in_ _and hybrid partners – to focus on selling Bitdefender solutions that match their own_
_a Row_ _specializations_

_Gartner® Representative Vendor of Cloud-Workload Protection Platforms_

###### Trusted Security Authority
Bitdefender is a proud technology alliance partner to major virtualization vendors, directly contributing to the development of secure ecosystems with
**VMware, Nutanix, Citrix, Linux Foundation, Microsoft, AWS, and Pivotal.**

Through its leading forensics team, Bitdefender is also actively engaged in countering international cybercrime together with major law enforcement agencies
such as FBI and Europol, in initiatives such as NoMoreRansom and TechAccord, as well as the takedown of black markets such as Hansa. Starting in 2019,
Bitdefender is also a proudly appointed CVE Numbering Authority in MITRE Partnership.

**RECOGNIZED BY LEADING ANALYSTS AND INDEPENDENT TESTING ORGANIZATIONS** **TECHNOLOGY ALLIANCES**

###### UNDER THE SIGN OF THE WOLF

**Founded 2001, Romania** A trade of brilliance, data security is an industry where only the clearest view, sharpest mind and deepest insight can
**Number of employees 1800+** win — a game with zero margin of error. Our job is to win every single time, one thousand times out of one thousand,

and one million times out of one million.

**Headquarters**
Enterprise HQ – Santa Clara, CA, United States And we do. We outsmart the industry not only by having the clearest view, the sharpest mind and the deepest insight,
Technology HQ – Bucharest, Romania but by staying one step ahead of everybody else, be they black hats or fellow security experts. The brilliance of our

collective mind is like a luminous Dragon-Wolf on your side, powered by engineered intuition, created to guard against

**WORLDWIDE OFFICES** all dangers hidden in the arcane intricacies of the digital realm.
**USA & Canada: Ft. Lauderdale, FL | Santa Clara, CA | San Antonio, TX |**
Toronto, CA This brilliance is our superpower and we put it at the core of all our game-changing products and solutions.
**Europe: Copenhagen, DENMARK | Paris, FRANCE | München, GERMANY**
| Milan, ITALY | Bucharest, Iasi, Cluj, Timisoara, ROMANIA | Barcelona,
SPAIN | Dubai, UAE | London, UK | Hague, NETHERLANDS


-----