ArtraDownloader

BITTER is an APT (Advanced Persistent Threat) which has been active since 2015. Experts believe that the BITTER hacking group likely originates from Southern Asia as most of their victims are concentrated in this region – most of the attacks appear to be targeting organizations located in China and Pakistan. Ever since they began operating back in 2015, the BITTER APT has been using one main Trojan downloader – the ArtraDownloader. Naturally, to remain relevant, the BITTER hacking group had to introduce a number of updates to the ArtraDownloader over the years. The latest variant of the ArtraDownloader has some impressive capabilities when it comes to self-preservation techniques. This Trojan downloader can evade security software successfully, as well as to detect and avoid sand-box environments. The ArtraDownloader also can serve as a backdoor for the attackers to plant additional malware on the compromised host. The BITTER hacking group often combines two main tools in their campaigns – the ArtraDownloader and the BitterRAT (Remote Access Trojan).

Propagation Methods

One of the propagation methods employed by the BITTER APT is the classic spam emails that would contain a macro-laced attachment. Another simple trick that BITTER's members use is the so-called 'double extension.' For example, they can ask users to download a file named 'PAF Webmail Security Report.doc.exe' - this would show up as 'PAF Webmail Security Report.doc' on most computers since Windows is configured to hide file extensions by default. This may leave users with the impression that they are about to view a Microsoft Word document, but they will launch a potentially harmful executable file unknowingly.

Threatening Activity

When the ArtraDownloader infiltrates a system, it will begin to scan it for the presence of any software, which can be related to malware debugging. If the test comes back negative, the ArtraDownloader will establish a connection with the C&C (Command & Control) server of its operators. Through this connection, the ArtraDownloader will receive the payload, which is to be deployed on the infected machine. The 'ArtraDownloader's threatening payload appears to be hosted on legitimate websites that belong to Chinese or Pakistani citizens. It is likely that the BITTER APT has infiltrated these otherwise legitimate Web pages to use them to their own means. In these latest attacks, it appears that the ArtraDownloader works in unison with several different RATs.

To reduce the chances of becoming one of the victims of the ArtraDownloader, you should always keep all your software up to date. And do not forget to download and install a reputable anti-virus software suite, which will keep your system secure.