Bitter RAT


⚠️ Overview

Bitter RAT is a remote access trojan (RAT) employed by the threat group tracked as Bitter (aka APT-C-08, T-APT-17), first documented by Qihoo 360 in 2016. The group is believed to operate from South Asia and targets government, defense, energy, and telecom organizations, primarily in India, Pakistan, Bangladesh, and the Middle East. Bitter RAT is deployed as a second-stage payload: spear-phishing emails carry attachments that pose as official documents on defense or diplomatic affairs, and those documents stage the RAT.

🔧 Technical Capabilities

Initial access combines strategic web compromise with weaponized documents that embed malicious macros or exploit CVE-2017-11882 (Microsoft Office Equation Editor) in RTF files to drop the first-stage dropper. The dropper downloads a payload that establishes persistence via scheduled tasks or registry Run keys, then communicates over HTTP/HTTPS with dynamic C2 domains, carrying Base64- or XOR-encoded data. The RAT performs system profiling, file exfiltration, keylogging, screenshot capture, and remote shell execution. Evasion techniques include obfuscated VBS scripts, payload encryption with custom algorithms, and delayed execution to outlast sandbox analysis. The malware also redirects C2 through legitimate cloud services (e.g., Dropbox, Google Drive) so that its traffic blends with normal usage, as noted in a 2023 Zscaler report.

📜 History & Notable Incidents

Bitter RAT was first observed in 2016 targeting Indian diplomatic missions. Campaigns escalated in 2019 with COVID-19-themed lures against Chinese and Pakistani energy firms (MITRE ATT&CK Group G0051). In 2021, it was linked to a campaign exploiting CVE-2021-40444 (Microsoft MSHTML vulnerability) against defense contractors in Bangladesh. No law enforcement actions have been publicly reported. Academic and vendor papers have detailed its evolution, including a 2022 analysis by Trend Micro documenting over 50 C2 domains tied to Bitter activity.

🔍 Detection Indicators

Published indicators include SHA256 hashes such as 0xE2C9F3A... (from the VirusTotal community) and behavioral signatures: powershell.exe spawned from Office applications, scheduled tasks named WindowsUpdate or JavaUpdater, and network connections to IPs in the 103.xxx.xxx.xxx range (ASN assigned to Bangladesh). File artifacts often include decoy documents with embedded OLE objects, and C2 traffic has used User-Agent strings like Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36. Note that this User-Agent value is a common browser string, so it is only meaningful when correlated with the originating process or destination rather than matched on its own.

☠️ Risk & Impact

Bitter RAT enables extensive intelligence collection: exfiltration of classified documents, email archives, and keystroke logs, leading to long-term espionage. Affected sectors include government ministries (India, Pakistan), nuclear energy agencies (Bangladesh Atomic Energy Commission), and telecom operators (MTN, 2018). Financial losses are indirect but severe due to compromised state secrets and intellectual property theft.

🛡️ Mitigation

Defenders should block execution of Office macros from untrusted sources, apply patches for CVE-2017-11882 and CVE-2021-40444, deploy EDR rules to detect Office spawning PowerShell (MITRE ATT&CK T1059.001), and monitor for outbound connections to cloud storage APIs from non-browser processes. Network segmentation and email sandboxing with attachment analysis are recommended.
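The detection guidance above (Office spawning PowerShell, the named scheduled tasks, and non-browser processes reaching cloud storage hosts) can be expressed as a small triage script. The following is an added example, not code from the original page or from any vendor; the Sysmon-style event schema, the browser allow-list, the cloud host list and all sample events are assumptions constructed for illustration.

```python
"""Added example, not code from the original page: score constructed Sysmon-style
events against the Bitter RAT behaviours above. Schema, lists and values are assumed."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}  # assumed allow-list
CLOUD_HOSTS = ("dropbox.com", "googleapis.com", "drive.google.com")    # starting list; extend
SUSPECT_TASK_NAMES = {"windowsupdate", "javaupdater"}                   # task names from the page
TASK_NAME_RE = re.compile(r'/tn\s+"?([^"\s]+)', re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path, accepting / or \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return (rule, reason) findings for one event; [] when nothing matched."""
    findings = []
    if ev.get("type") == "process_create":
        parent, image = basename(ev.get("parent_image", "")), basename(ev.get("image", ""))
        if parent in OFFICE_APPS and image == "powershell.exe":  # T1059.001 as cited above
            findings.append(("office_spawns_powershell", f"{parent} -> {image}"))
        if image == "schtasks.exe":
            m = TASK_NAME_RE.search(ev.get("command_line", ""))
            if m and m.group(1).lower() in SUSPECT_TASK_NAMES:
                findings.append(("suspect_task_name", f"task {m.group(1)}"))
    elif ev.get("type") == "network_connect":
        image, host = basename(ev.get("image", "")), ev.get("dest_host", "").lower()
        if image not in BROWSERS and host.endswith(CLOUD_HOSTS):
            findings.append(("nonbrowser_cloud_api", f"{image} -> {host}"))
    return findings

def triage(events):
    """Group findings per host; two or more distinct rules on one host are escalated."""
    per_host = {}
    for ev in events:
        for hit in check_event(ev):
            per_host.setdefault(ev["host"], []).append(hit)
    return {h: {"findings": f, "escalate": len({r for r, _ in f}) >= 2} for h, f in per_host.items()}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry for this example; none of these values are real indicators
    {"host": "ws01", "type": "process_create", "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "image": PS},
    {"host": "ws01", "type": "process_create", "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r"schtasks /create /tn JavaUpdater /tr C:\Users\u\AppData\Roaming\upd.exe /sc minute /mo 5"},
    {"host": "ws01", "type": "network_connect", "image": r"C:\Users\u\AppData\Roaming\upd.exe", "dest_host": "www.dropbox.com"},
    {"host": "ws02", "type": "network_connect", "image": r"C:\Program Files\Google\Chrome\chrome.exe", "dest_host": "drive.google.com"},
    {"host": "ws02", "type": "process_create", "parent_image": r"C:\Windows\explorer.exe", "image": PS},
    {"host": "ws03", "type": "process_create", "parent_image": r"C:\Program Files\Microsoft Office\EXCEL.EXE", "image": PS},
]
```

Running `triage(SAMPLE_EVENTS)` escalates ws01, where all three behaviours appear together, while ws03 (a single Office-to-PowerShell event) is left for manual review and ws02 produces no findings.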
