Multiple ArtraDownloader Variants Used by BITTER to Target Pakistan


Multiple ArtraDownloader Variants Used by BITTER to Target Pakistan (Feb 25, 2019)

Palo Alto Networks Unit 42 researchers have discovered that the threat group called “BITTER,” who is believed to originate in South Asia, has been targeting organizations with a new variant of the “ArtraDownloader.” BITTER has been actively targeting Pakistan and Chinese organizations since at least 2015 with AtraDownloader variants. Beginning in September 2018 and continuing until at least January 2019, researchers found that the group was utilizing a new AtraDownloader variant to target entities located Pakistan and Saudi Arabia. The threat group is distributing the malware via spear phishing emails that contain malicious documents that were observed communicating with legitimate Pakistani websites that were likely compromised. Researchers found that AtraDownloader was downloading and executing a Remote Access Trojan (RAT) in this campaign but the malware is capable of downloading other payloads.

Recommendation: Spear phishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromised and used for such emails. Education is the best defense, inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.