{
	"id": "7b09d2c4-4587-4b69-98ae-dfd60fbc699c",
	"created_at": "2026-04-06T00:08:56.455629Z",
	"updated_at": "2026-04-10T13:11:54.253512Z",
	"deleted_at": null,
	"sha1_hash": "945abafd9df657f9b06cf1c8f3551ba3a7c0151c",
	"title": "Bitter APT continues to target Bangladesh | SECUINFRA Falcon Team",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2095458,
	"plain_text": "Bitter APT continues to target Bangladesh | SECUINFRA Falcon Team\r\nPublished: 2022-07-05 · Archived: 2026-04-05 18:49:50 UTC\r\nKey Findings\r\nOverview\r\nAnalysis\r\nHosting Infrastructure / Network Indicators\r\nYara Rules\r\nIndicators of Compromise\r\nMITRE ATT\u0026CK TTPs\r\nConclusion\r\nKey Findings\r\nThe SECUINFRA Falcon Team identified a recent attack consitent with the campaign targeting Bangladesh\r\nconducted by the advanced persistent threat group “Bitter”, also known as T-APT-17.\r\nBitter employs malicious document files as lures containing different implementations of the so-called “Equation\r\nEditor exploits” to download following malware stages.\r\nThe second stage consists of a Loader, which gathers information about the infected system and retrieves the third\r\nstage from a remote server.\r\nThe third stage of a Bitter attack can feature different types of Malware e.g. Keyloggers, Stealers or Remote Access\r\nTrojans (RATs). We analyzed one of the newer utilized RATs, which we refer to as “Almond RAT”.\r\nOverview\r\nThe Bitter APT group is said to be active since at least 2013 was first reported about by Forcepoint Labs in 2016 when it\r\nwas primarily targeting Pakistan. The threat group is suspected to be located in southern Asia. Even back then the group was\r\nusing spearphishing emails to exploit Microsoft Office (e.g. CVE-2012-0158) and download additional malware, so\r\ncompared to their attacks today their modus operandi has not changed at all. Occasionally they also target Android devices\r\nwith Remote Access Trojans, as reported by BitDefender in 2020.\r\nIn Februray of 2019 Palo Alto Networks documented Bitter attacks using a second stage Downloader dubbed\r\n“ArtraDownloader” which has been in use since 2017. 
Chinese and Saudi Arabian organizations were also added to the list\r\nof targets.\r\nAs discovered by Cyble and Kaspersky in 2021, the Bitter group is also capable of more than just old Office exploits, for\r\nexample abusing 0-day vulnerabilities like a Windows Kernel vulnerability (CVE-2021-1732) and a vulnerability in the\r\nWindows Desktop Window Manager (CVE-2021-28310) for privilege escalation.\r\nIn May 2022 Cisco Talos shared an analysis of a new Bitter campaign targeting users in Bangladesh starting in October\r\n2021 up to February 2022 with a new-ish second stage downloader called “ZxxZ”.\r\nThis report builds on the findings published by Talos and covers an attack presumably conducted in mid May 2022.\r\nShortly before the completion of this report the Qi Anxin Threat Intelligence Center published a report on recent Bitter\r\nactivities targeting military branches of Bangladesh. They also mentioned the RAT sample analyzed in this blog post.\r\nOn the 4th of July @c3rb3ru5d3d53c released a report about a Bitter campaign targeting Pakistan. In addition to many\r\nanalysis steps that match our approach, it was also demonstrated how the ZxxZ Downloader could be used with a custom C2\r\nserver.\r\nAnalysis\r\nhttps://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/\r\nPage 1 of 20\n\nExcel Maldoc\r\nThe sample of the malicious Excel document (1bf615946ad9ea7b5a282a8529641bf6) was obtained through the public\r\nAny.Run Sandbox service. As with previous campaigns conducted by Bitter, the file was likely distributed via a\r\nspearphishing email, which is not available for analysis. The sample was previously mentioned by Simon Kenin (k3yp0d)\r\non Twitter.\r\nThe filename of the document reads “Repair of different csoc cstc, china supplied system – BNS BIJOY.xls”. The\r\nabbreviations csoc and cstc likely stand for “China Shipbuilding \u0026 Offshore International Co. Ltd” and “China Shipbuilding\r\nTrading Co. 
Ltd” respectively, and BNS Bijoy is the name of a “Castle-class guided missile corvette” (small warship) of the\r\nBangladesh Navy (Wikipedia).\r\nThe document does not contain readable content on the topic the filename suggests, only a white rectangle image and\r\nunicode characters, which should alert victims that it is not a legitimate document. As soon as the file is opened the Equation\r\nEditor exploit, which we identified as CVE-2018-0798, is executed.\r\nFigure 1: Visible contents of the Excel document\r\nWithout alerting the user in any way the Equation Editor is started in the background and used to download the next\r\nmalware stage and execute it. By tracing the process tree with ProcMon we can see that the downloaded binary is written to\r\nC:\\$Drw\\fsutil.exe and executed by the Windows Explorer.\r\nFigure 2: Process Tree of Equation Editor\r\nTo extract information from the Maldoc we opted for a dynamic approach first. By registering a debugger for the Equation\r\nEditor executable via gflags.exe, which is part of the Windows SDK, we are able to attach x32dbg to the process once the\r\nExcel document is opened (this technique was showcased by Colin Hardy for CVE-2017-1182).\r\nFigure 3: Registering a debugger for Equation Editor\r\nSince Excel is waiting on the Equation Editor to exit, our debugging session will unfortunately be ended after a fixed\r\namount of time with the error message below, so we will have to approach it differently.\r\nFigure 4: Error dialog while debugging Equation Editor\r\nWith the well-known oledump tool developed by Didier Stevens we can take a look at the data streams inside the Excel file.\r\nIn this case the stream A4, which is named Equation Native, is of particular interest for us.\r\nFigure 5: Viewing the contents of the Excel file with oledump\r\nBy specifying the stream and the -d parameter 
we can dump it to analyze it further.\r\nFigure 6: Dumping the Equation stream\r\nOpening the dumped file in a hex editor we can visually identify two different segments of data. Highlighted in green we see\r\ndata that is likely the shellcode required for the Equation Editor exploit. Since there are next to no readable ASCII strings in\r\nthere (looking closely we can spot fragments that look like “URL” or “http”) this data is likely encoded or encrypted in\r\nsome way. Below that we can see data in a repeating pattern which is used as padding for the memory corruption exploit\r\nCVE-2018-0798.\r\nFigure 7: Analyzing the shellcode in a Hex editor\r\nIn an attempt to decode the shellcode portion of the data we ran a frequency analysis (a very useful feature of the Okteta hex\r\neditor) on it to determine which values occur the most, since in a 2019 report by Sophos Labs a maldoc builder for CVE-2018-0798 was analyzed which implements an XOR-based encoding for the shellcode. For this maldoc the most frequent\r\nbyte is FF, so we assume that these could be encoded null bytes and therefore FF could be the key in a single-byte XOR\r\nencoding.\r\nFigure 8: Running frequency analysis on the shellcode\r\nUsing CyberChef with the presumed shellcode section and XOR key does yield readable strings. From here we can extract\r\nimportant information about the executed shellcode and indicators like the URL for the next malware stage.\r\nFigure 9: Decoding the XOR-ed shellcode\r\nThe visualization below shows the most important API calls made in the shellcode:\r\nFigure 10: Graph showing the functionality of the maldoc shellcode\r\nBy debugging the Equation Editor exploit again and manually placing a breakpoint on e.g. 
URLDownloadToFileA we can\r\nconfirm these findings.\r\nFigure 11: Manually loading urlmon.dll to place a breakpoint on URLDownloadToFileA\r\nThe download query to emshedulersvc[.]com/vc/vc returns a sample of Bitter's second stage Downloader, which we will\r\ninvestigate next.\r\nFigure 12: Breaking on URLDownloadToFile\r\nZxxZ / MuuyDownloader\r\nSince approximately the second half of 2021 Bitter switched from their second-stage ArtraDownloader to a new, but similar\r\nimplementation named “ZxxZ” by Talos and “MuuyDownloader” by Qi Anxin Threat Intelligence Center. It is implemented\r\nin Visual C++ and does not appear to be packed on first inspection. The compilation timestamp suggests this binary was\r\nbuilt on the 11th of May 2022, which matches the timeframe for the malicious document.\r\nFigure 13: Detect it Easy parsing the PE file, Entropy graph\r\nComparing this fingerprinting function to the one documented by Cisco Talos we can see that Bitter abandoned the ZxxZ\r\nvalue separator (that gave the Downloader its name) in exchange for a simple underscore. This was possibly done to avoid\r\ndetection through IDS/IPS systems based on this very specific separator. Looking back at older Bitter research we can see\r\nthat the threat group likes to change up these patterns from time to time to avoid detection.\r\nFigure 14: ZxxZ gathering system information\r\nThe check-in with an attacker-controlled staging server contains the user account and hostname of the system. 
The function\r\nbelow manually assembles the HTTP GET request and sends it via a socket connection to the C2 server.\r\nFigure 15: ZxxZ sending a GET request with the host fingerprint to the C2\r\nWe verified this network communication using packet captures. Another common indicator across Bitter infrastructure is the\r\nuse of the LiteSpeed web server, which has been documented in older reports as well.\r\nFigure 16: Packet capture of the GET request above\r\nAfter retrieving the next malware stage from a staging server ZxxZ writes the binary to the disk and tries to execute it. In the\r\nscreenshot below we can see that the Bitter group altered the C2 opcode strings that Talos had previously documented as\r\nDN-S (download success) and RN_E (run error) to just S and F, presumably short for Success and Failure. This is likely\r\nanother measure to evade older detection rules. The payload execution was also changed to use CreateProcessA instead of\r\nShellExecuteA like in the older version of ZxxZ.\r\nFigure 17: ZxxZ retrieving and executing the next stage\r\nUnfortunately the actual payload could not be retrieved from the staging server as it only returned an empty file named\r\nCAPT.msi.\r\nFigure 18: Request made to another staging server for the third stage\r\nAlmond RAT\r\nInformation on the Remote Access Trojans (RATs) deployed by Bitter (with one commonly referred to as BitterRAT) is\r\nlimited and sometimes contradictory. We found that Bitter deploys different RAT implementations / variants depending on\r\nthe scenario and target.\r\nIn this case we analyzed a sample of a .NET-based RAT that we were not able to identify through previous reports or open\r\nsource repositories. 
For lack of an existing detection name and a better one, we will refer to it as “Almond RAT” for this\r\nanalysis. The sample was first mentioned by the Twitter user @binlmmhc. The recent report by Qi Anxin mentioned above\r\nrefers to this RAT only as “lightweight remote control”.\r\nFigure 19: Detect it Easy parsing the Almond RAT PE file\r\nBasic functionality\r\nThe main function of the RAT checks for the mutex string saebamini.com SingletonApp before calling the StartClient\r\nfunction. Turns out even skilled threat actors need to look up the really simple things sometimes: in this case a short tutorial\r\nabout Allowing Only One Instance of a C# Application to Run which uses this same mutex string. As always they copied\r\nonly half of the answer and forgot to include the call to ReleaseMutex at the end…\r\nFigure 20: Main function, setting a Mutex\r\nAlmond RAT employs string encryption to hinder detection and reverse engineering. Important / revealing strings like the\r\nCommand\u0026Control (C2) IP address below are therefore wrapped in the ciphertext.Decrypt function.\r\nFigure 21: StartClient function, showing the AES string encryption\r\nThe decryption function implements a default AES-256-CBC encryption scheme where the IV and key are derived from the\r\ngiven plaintext password via PBKDF2. Since it is trivial to reimplement this in e.g. Python, we decrypted all of the\r\nencrypted strings in the binary and modified the .NET assembly to increase code readability for this report. 
The file hashes\r\nof the unaltered and modified binaries can be found in the IoC section at the end of the post.\r\nFigure 22: String decryption function using AES CBC\r\nThe StartClient function implements the socket-based C2 communication interface for Almond RAT. In the samples we\r\nobserved there were no domains or dynamic DNS services but only IPv4 addresses used to connect back to the threat actors.\r\nA characteristic property of the RAT is the usage of the TCP port 33638. When first contacting the C2 server Almond RAT\r\ntransmits gathered system information like hostname, OS version, internal IP address and MAC address and storage\r\nidentifiers (disk info is not transmitted) to fingerprint the infected system. A 1024 byte buffer is used for the C2\r\ncommunication.\r\nFigure 23: StartClient function\r\nCapabilities \u0026 C2 communication\r\nNext we will further investigate the functionality of Almond RAT. At the beginning of the StartCommWithServer function\r\nthe RAT sets a random receive timeout between 20 and 30 seconds for the socket. The analyzed sample accepts seven\r\ndifferent commands in total. The REFRESH command is used as a heartbeat signal, letting the C2 server know that the RAT\r\nis still active, and will reply with a simple OK.\r\nThe DRIVE command returns a list of connected storage devices.\r\nWith the DELETE* command the attackers can delete accessible files by supplying a path. In case of e.g. insufficient\r\npermissions it will return the exception. The * in the command string is used as a separator between the command and the\r\nfile path.\r\nFigure 24: Basic C2 functionality\r\nAlmond RAT allows for the execution of arbitrary commands via a wrapped cmd.exe instance. 
It has its own\r\nimplementation for directory changes via cd and directory listings via OK. The CMD command uses a tilde instead of an\r\nasterisk to separate the parts of the command.\r\nFigure 25: Command execution\r\nIn addition to the functionality of listing directories and files via the command prompt the RAT also supports a quite\r\ninvolved DIR* command. It is capable of verifying file accessibility and displaying metadata like the last file write-time.\r\nFigure 26: Directory and File listings\r\nSince Bitter's main objective is espionage they need a way to exfiltrate data to the C2 server from the system, which is done\r\nvia the DOWNLOAD* command.\r\nTo drop more malware or other files onto the system it also supports the UPLOAD* command which uses the following file\r\nnaming scheme: yyyyMMdd-hhmmss_filename\r\nFigure 27: DOWNLOAD* and UPLOAD* functions\r\nIn case the RAT receives an unknown command from the operator it will return the message XXX to indicate the error.\r\nFigure 28: Exception handling in case of an unknown command\r\nAlmond RAT's main purposes seem to be file system discovery, data exfiltration and a way to load more tools/establish\r\npersistence. The design of the tool seems to be laid out in a way that it can be quickly modified and adapted to the current\r\nattack scenario.\r\nHosting Infrastructure / Network Indicators\r\nWHOIS and DNS Records\r\nThe staging server for the Downloader and the staging server for the RAT are hosted with Host Sailor. The\r\nCommand\u0026Control server for the Downloader is hosted with Namecheap and the one for Almond RAT is hosted with\r\nNexeon Technologies. 
Except for the samples analysed in this report there was no other significant malware activity\r\ndetected with these four domains.\r\nStaging server ZxxZ downloader\r\nDomain: emshedulersvc[.]com\r\nRegistrar: ENOM Inc.\r\nHoster: Host Sailor Ltd.\r\nCreated: 10.05.2022 – 91.195.240[.]103\r\nUpdated: 12.05.2022 – 194.36.191[.]196\r\nC2 server ZxxZ downloader\r\nDomain: huandocimama[.]com\r\nRegistrar: Namecheap Inc.\r\nHoster: Namecheap Inc.\r\nCreated: 19.08.2021 – 162.0.232[.]109\r\nUpdated: N/A\r\nStaging server third stage\r\nDomain: diyefosterfeeds[.]com\r\nRegistrar: ENOM Inc.\r\nHoster: Host Sailor Ltd.\r\nCreated: 02.02.2022 – 194.36.191[.]196\r\nUpdated: N/A\r\nAlmond RAT C2 server\r\nDomain: 64.44.131[.]109\r\nHoster: Nexeon Technologies Inc.\r\nASN: AS20278\r\nCreated: 27.02.2014\r\nWhile investigating these DNS entries we also noticed that on the 30.05.2022 a new record for spurshipbroker[.]com on\r\n194.36.191[.]196 was created. This domain seems to be a so-called “typosquat” (impersonation) of spurshipbrokers[.]com,\r\nan Indian Marine Shipping and Transport company. This record stood out between seemingly legitimate webhosting and\r\ntyposquats for banking sites on this Webhost/IP used by Bitter. 
While we do not have further evidence at this point in time\r\nthat this is related to the Bitter activity it certainly does fit the approach of the group and the naval-themed lure.\r\nYara Rules\r\nThe Yara rule set we created for this report can be found below, in our Github Repository: SIFalcon/Detection and on\r\nAbuse.ch Yaraify.\r\n/*\r\nYara Rule Set\r\nAuthor: SECUINFRA Falcon Team\r\nDate: 2022-06-23\r\nIdentifier: 0x03-yara_win-Bitter_T-APT-17\r\nReference: \"https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh\"\r\n*/\r\n/* Rule Set —————————————————————– */\r\nrule APT_Bitter_Maldoc_Verify {\r\n    meta:\r\n        description = \"Detects Bitter (T-APT-17) shellcode in oleObject (CVE-2018-0798)\"\r\n        author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\"\r\n        tlp = \"WHITE\"\r\n        reference = \"https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh\"\r\n        date = \"2022-06-01\"\r\n        hash0 = \"0c7158f9fc2093caf5ea1e34d8b8fffce0780ffd25191fac9c9b52c3208bc450\"\r\n        hash1 = \"bd0d25194634b2c74188cfa3be6668590e564e6fe26a6fe3335f95cbc943ce1d\"\r\n        hash2 = \"3992d5a725126952f61b27d43bd4e03afa5fa4a694dca7cf8bbf555448795cd6\"\r\n    strings:\r\n        // This rule is meant to be used for verification of a Bitter Maldoc\r\n        // rather than a hunting rule since the oleObject it is matching is\r\n        // compressed in the doc zip\r\n        // the xor modifier matches the single-byte XOR encoded API names in the shellcode\r\n        $xor_string0 = \"LoadLibraryA\" xor\r\n        $xor_string1 = \"urlmon.dll\" xor\r\n        $xor_string2 = \"Shell32.dll\" xor\r\n        $xor_string3 = \"ShellExecuteA\" xor\r\n        $xor_string4 = \"MoveFileA\" xor\r\n        $xor_string5 = \"CreateDirectoryA\" xor\r\n        $xor_string6 = \"C:\\\\Windows\\\\explorer\" xor\r\n        // repeating pattern used as padding for the CVE-2018-0798 memory corruption\r\n        $padding = {000001128341000001128341000001128342000001128342}\r\n    condition:\r\n        3 of ($xor_string*)\r\n        and $padding\r\n}\r\nrule APT_Bitter_ZxxZ_Downloader {\r\n    meta:\r\n        description = \"Detects Bitter (T-APT-17) ZxxZ 
Downloader\"\r\n        author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\"\r\n        tlp = \"WHITE\"\r\n        reference = \"https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh\"\r\n        date = \"2022-06-01\"\r\n        hash0 = \"91ddbe011f1129c186849cd4c84cf7848f20f74bf512362b3283d1ad93be3e42\"\r\n        hash1 = \"90fd32f8f7b494331ab1429712b1735c3d864c8c8a2461a5ab67b05023821787\"\r\n        hash2 = \"69b397400043ec7036e23c225d8d562fdcd3be887f0d076b93f6fcaae8f3dd61\"\r\n        hash3 = \"3fdf291e39e93305ebc9df19ba480ebd60845053b0b606a620bf482d0f09f4d3\"\r\n        hash4 = \"fa0ed2faa3da831976fee90860ac39d50484b20bee692ce7f0ec35a15670fa92\"\r\n    strings:\r\n        // old ZxxZ samples / decrypted strings\r\n        $old0 = \"MsMp\" ascii\r\n        $old1 = \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\" ascii\r\n        $old2 = \"\u0026\u0026user=\" ascii\r\n        $old3 = \"DN-S\" ascii\r\n        $old4 = \"RN_E\" ascii\r\n        // new ZxxZ samples\r\n        $c2comm0 = \"GET /\" ascii\r\n        $c2comm1 = \"profile\" ascii\r\n        $c2comm2 = \".php?\" ascii\r\n        $c2comm3 = \"data=\" ascii\r\n        $c2comm4 = \"Update\" ascii\r\n        $c2comm5 = \"TTT\" ascii\r\n    condition:\r\n        uint16(0) == 0x5a4d\r\n        and filesize \u003e 39KB // Size on Disk/1.5\r\n        and filesize \u003c 2MB // Size of Image*1.5\r\n        // parenthesised so that the string match is required together with the PE and size checks\r\n        and ((all of ($old*)) or (all of ($c2comm*)))\r\n}\r\nimport \"pe\"\r\nimport \"dotnet\"\r\nrule APT_Bitter_Almond_RAT {\r\n    meta:\r\n        description = \"Detects Bitter (T-APT-17) Almond RAT (.NET)\"\r\n        author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\"\r\n        tlp = \"WHITE\"\r\n        reference = \"https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh\"\r\n        date = \"2022-06-01\"\r\n        hash = \"55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396\"\r\n    strings:\r\n        $function0 = \"GetMacid\" ascii\r\n        $function1 = \"StartCommWithServer\" ascii\r\n        $function2 = \"sendingSysInfo\" ascii\r\n        $dbg0 = \"*|END|*\" wide\r\n        $dbg1 = \"FILE\u003e\" wide\r\n        $dbg2 = \"[Command Executed 
Successfully]\" wide\r\n    condition:\r\n        uint16(0) == 0x5a4d\r\n        and dotnet.version == \"v4.0.30319\"\r\n        and filesize \u003e 12KB // Size on Disk/1.5\r\n        and filesize \u003c 68KB // Size of Image*1.5\r\n        and any of ($function*)\r\n        and any of ($dbg*)\r\n}\r\nrule APT_Bitter_PDB_Paths {\r\n    meta:\r\n        description = \"Detects Bitter (T-APT-17) PDB Paths\"\r\n        author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\"\r\n        tlp = \"WHITE\"\r\n        reference = \"https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh\"\r\n        date = \"2022-06-22\"\r\n        hash0 = \"55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396\"\r\n    strings:\r\n        // Almond RAT\r\n        $pdbPath0 = \"C:\\\\Users\\\\Window 10 C\\\\Desktop\\\\COMPLETED WORK\\\\\" ascii\r\n        $pdbPath1 = \"stdrcl\\\\stdrcl\\\\obj\\\\Release\\\\stdrcl.pdb\"\r\n        // found by Qi Anxin Threat Intelligence Center\r\n        // reference: https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg\r\n        $pdbPath2 = \"g:\\\\Projects\\\\cn_stinker_34318\\\\\"\r\n        $pdbPath3 = \"renewedstink\\\\renewedstink\\\\obj\\\\Release\\\\stimulies.pdb\"\r\n    condition:\r\n        uint16(0) == 0x5a4d\r\n        and any of ($pdbPath*)\r\n}\r\nIndicators of Compromise\r\nSamples\r\nAll of the samples mentioned in this report have been made available through the public malware repositories\r\nMalwareBazaar and Malshare for verification and further research.\r\nMaldoc\r\nFilename: Repair of different csoc cstc, china supplied system – BNS BIJOY.xlsx\r\nMD5: 1bf615946ad9ea7b5a282a8529641bf6\r\nSHA1: 358867f105b517624806c3315c5426803f7c42a7\r\nSHA256: bc03923e3cc2895893571068fd20dd0bc626764d06a009b91dac27982e40a085\r\nExtracted oleObject:\r\nMD5: a1d9e1dccfbba118d52f95ec6cc7c943\r\nSHA1: 8efa4d5574a0c80733e9824ec146521385a68424\r\nSHA256: 0c7158f9fc2093caf5ea1e34d8b8fffce0780ffd25191fac9c9b52c3208bc450\r\nZxxZ / Muuy 
Downloader\r\nFilename: vc\r\nMD5: 6e4b4eb701f3410ebfb5925db32b25dc\r\nSHA1: c330ef43bbee001296c6c120cf68e4c90d078d9c\r\nSHA256: 91ddbe011f1129c186849cd4c84cf7848f20f74bf512362b3283d1ad93be3e42\r\nAlmond RAT\r\nFilename: stdrcl.exe\r\nMD5: 71e1cfb5e5a515cea2c3537b78325abf\r\nSHA1: bcc9e35c28430264575831e851182eca7219116f\r\nSHA256: 55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396\r\nModified assembly with decrypted strings:\r\nMD5: d58e6f93bd1eb81eacc965d530709246\r\nSHA1: a47aec515f303ae7f427d98fc69fe828fa9c6ec6\r\nSHA256: d83cb82be250604b2089a1198cedd553aaa5e8838b82011d6999bc6431935691\r\nHost-based Indicators\r\n# File paths associated with the Downloader\r\nC:\\$Drw\\dsw\r\nC:\\$Drw\\fsutil.exe\r\n# Almond RAT Mutex\r\nsaebamini.com SingletonApp\r\nNetwork-based Indicators\r\nemshedulersvc[.]com/vc/vc\r\nm.huandocimama[.]com\r\ndiyefosterfeeds[.]com\r\n91.195.240[.]103\r\n194.36.191[.]196\r\n162.0.232[.]109\r\n64.44.131[.]109\r\nMITRE ATT\u0026CK TTPs\r\nFirst stage – Initial Compromise\r\nTactic | Technique | Description | Observable\r\nResource Development | Stage Capabilities: Upload Malware (T1608.001) | Bitter is using legitimate webhosting services to stage malware | Hosters: HostSailor, Namecheap\r\nInitial Access | Phishing: Spearphishing Attachment (T1566.001) | Bitter is distributing malicious Microsoft Office documents with military / naval lures | Filename: Repair of different csoc cstc, china supplied system – BNS BIJOY.xlsx\r\nExecution | Exploitation for Client Execution (T1203) | Exploitation of the Microsoft Office Equation Editor via a Memory Corruption (CVE-2018-0798) | OLE file with stream named: Equation Native\r\nIntermediate Stage – Downloading additional 
tooling\r\nTactic | Technique | Description | Observable\r\nDefense Evasion | Obfuscated Files or Information (T1027) | Important strings in ZxxZ/MuuyDownloader executables are XOR encrypted | Example string: vSCbLAsUGPVbnCW\r\nReconnaissance | Gather Victim Host Information: Software (T1592.002) | ZxxZ/MuuyDownloader fingerprints the attacked system | Requested URL: hxxp://m.huandocimama[.]com/JvQKLsTYuMe/xAexyBbnDxW/profil profiles=\u003cUSERNAME_HOSTNAME\u003e\r\nCommand and Control | Ingress Tool Transfer (T1105) | ZxxZ/MuuyDownloader is capable of downloading files from the C2 onto the system | Command: UPLOAD*filepath, File naming scheme: yyyyMMdd-hhmmss_filename\r\nFinal stage – Espionage\r\nTactic | Technique | Description | Observable\r\nDefense Evasion | Obfuscated Files or Information (T1027) | Important strings in Almond RAT executables are encrypted using AES-CBC | Encrypted: 4CjJPGsn5qweV7CEMgTzXtD/2oxaXj/Cddgsjl8tJGU=, Decrypted: 64.44.131.109\r\nReconnaissance | Gather Victim Host Information: Software (T1592.002) | Almond RAT fingerprints the attacked system | Generated Fingerprint: HOSTNAME*MAC_ADDRESS*OS_VERSION\r\nCommand and Control | Non-Standard Port (T1571) | Almond RAT communicates with the C2 via a non-standard port | Network port: 33638/tcp\r\nCommand and Control | Ingress Tool Transfer (T1105) | Almond RAT is capable of downloading files from the C2 onto the system | Command: UPLOAD*filepath, Network Port: 33638/tcp\r\nExfiltration | Exfiltration over C2 Channel (T1041) | Almond RAT is capable of uploading accessible files from the system to a C2 server | Command: DOWNLOAD*filepath, Network Port: 33638/tcp\r\nExfiltration | Data 
Transfer Size Limits (T1030) | Almond RAT is using a 1024 byte buffer for C2 communication and Exfiltration | Network buffer: 1024 bytes\r\nDiscovery | File and Directory Discovery (T1083) | Almond RAT is capable of enumerating directories and files | Command: DIR*\r\nImpact | Data Destruction (T1485) | Almond RAT is capable of deleting accessible files on the system | Command: DELETE*filepath\r\nConclusion\r\nThe Bitter threat group continues to use their exploitation approach in Asia with themed lures and internal changes to\r\navoid existing detections. To protect against such attacks, network and endpoint detection and response measures should be put\r\ninto place and commonly exploited software like Microsoft Office should be patched regularly. We will continue to monitor\r\nthis threat group and report on changes in their Tactics, Techniques and Procedures.\r\nThank you for taking the time to read our analysis report! If you would like to stay up to date with our research\r\nconsider following us on Twitter.\r\nSource: https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh/"
	],
	"report_names": [
		"whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "acd789fa-d488-47f3-b9cc-fdb18b1fa375",
			"created_at": "2023-01-06T13:46:39.332092Z",
			"updated_at": "2026-04-10T02:00:03.290017Z",
			"deleted_at": null,
			"main_name": "HAZY TIGER",
			"aliases": [
				"T-APT-17",
				"APT-C-08",
				"Orange Yali",
				"TA397"
			],
			"source_name": "MISPGALAXY:HAZY TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86fd71d3-06dc-4b73-b038-cedea7b83bac",
			"created_at": "2022-10-25T16:07:23.330793Z",
			"updated_at": "2026-04-10T02:00:04.545236Z",
			"deleted_at": null,
			"main_name": "APT 17",
			"aliases": [
				"APT 17",
				"ATK 2",
				"Beijing Group",
				"Bronze Keystone",
				"Deputy Dog",
				"Elderwood",
				"Elderwood Gang",
				"G0025",
				"G0066",
				"Operation Aurora",
				"Operation DeputyDog",
				"Operation Ephemeral Hydra",
				"Operation RAT Cook",
				"SIG22",
				"Sneaky Panda",
				"TEMP.Avengers",
				"TG-8153",
				"Tailgater Team"
			],
			"source_name": "ETDA:APT 17",
			"tools": [
				"9002 RAT",
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"Briba",
				"Chymine",
				"Comfoo",
				"Comfoo RAT",
				"Darkmoon",
				"DeputyDog",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Jumpall",
				"Kaba",
				"Korplug",
				"Linfo",
				"MCRAT.A",
				"McRAT",
				"MdmBot",
				"Mdmbot.E",
				"Moudour",
				"Mydoor",
				"Naid",
				"Nerex",
				"PCRat",
				"PNGRAT",
				"Pasam",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Naid",
				"Vasport",
				"Wiarp",
				"Xamtrav",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434136,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/945abafd9df657f9b06cf1c8f3551ba3a7c0151c.pdf",
		"text": "https://archive.orkl.eu/945abafd9df657f9b06cf1c8f3551ba3a7c0151c.txt",
		"img": "https://archive.orkl.eu/945abafd9df657f9b06cf1c8f3551ba3a7c0151c.jpg"
	}
}