Rewterz Threat Alert – Bitter APT Group – Active IOCs

Severity

High

Analysis Summary

APT-17, also known as “Bitter APT” or “DeputyDog” is a state-sponsored cyber espionage group that is believed to operate out of China. They have been active since at least 2012 and have primarily targeted organizations in the aerospace, defense, and technology industries. They are known for targeting China, Pakistan, and Saudi Arabia and have expanded to set their sights on Bangladeshi government agencies. The group is known for using a wide range of custom malware and tools to carry out their operations, including Remote Access Trojans (RATs), keyloggers, and backdoors. The group’s malware is known to be complex, and multi-stage and used a range of techniques to evade detection, such as code signing, the use of legitimate tools and third-party tools, and the use of encrypted communications. They are also known to use spear-phishing campaigns to gain initial access to targeted systems. They have been active for more than a decade and are known to use a wide range of custom malware and tools to carry out their operations. Organizations in these sectors should be aware of the threat actors and take appropriate measures to protect against their attacks. This includes implementing robust security measures, such as advanced threat detection and response capabilities, as well as employee training on how to identify and respond to spear-phishing campaigns.

Impact

• Information Theft and Espionage

Indicators of Compromise

MD5

c20a0eb4325cd9b141c12e2e974313b1
adb2e4e332efacee1c3a0a34f283331b
33d639ce61f584667e03bf585ab8b729

SHA-256

35952afc1c9f5597348373cee4611bc37287076606ca1b912d6a73aeee26602a
636c2a16f94b5e30e725527a1bd2215399f98f17cc08580bc7358751b9eb2944
a447a890c7738c259ae0fc03958fbd6a96abd350a5acb9cc39fd8b3e7d450147

SHA-1

0508bc49fbf37948f7b7e641d02e0b34badc2444
5f4ca9b34c059533e0359016d30f278807c5d77c
995a1551e4bc0c91c349edec7c09a63e2e238d4e

URL

• http://rxnovelapps.info/pikachu/vis.php?st=%25computername%25%25username%25
• http://jlmusiklearn.com/est/api.php?mag=%25computername%25%25username%25

Domain Name

• zingstockpicks.com

Remediation

• Search for IOCs in your environment.
• Block all threat indicators at your respective controls
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using a multi-layered protection is necessary to secure vulnerable assets