BITTER is an APT (Advanced Persistent Threat) which has been active since 2015. Experts believe that the BITTER hacking group likely originates from Southern Asia as most of their victims are concentrated in this region – most of the attacks appear to be targeting organizations located in China and Pakistan. Ever since they began operating back in 2015, the BITTER APT has been using one main Trojan downloader – the ArtraDownloader. Naturally, to remain relevant, the BITTER hacking group had to introduce a number of updates to the ArtraDownloader over the years. The latest variant of the ArtraDownloader has some impressive capabilities when it comes to self-preservation techniques. This Trojan downloader can evade security software successfully, as well as to detect and avoid sand-box environments. The ArtraDownloader also can serve as a backdoor for the attackers to plant additional malware on the compromised host. The BITTER hacking group often combines two main tools in their campaigns – the ArtraDownloader and the BitterRAT (Remote Access Trojan).
One of the propagation methods employed by the BITTER APT is the classic spam emails that would contain a macro-laced attachment. Another simple trick that BITTER's members use is the so-called 'double extension.' For example, they can ask users to download a file named 'PAF Webmail Security Report.doc.exe' - this would show up as 'PAF Webmail Security Report.doc' on most computers since Windows is configured to hide file extensions by default. This may leave users with the impression that they are about to view a Microsoft Word document, but they will launch a potentially harmful executable file unknowingly.
When the ArtraDownloader infiltrates a system, it will begin to scan it for the presence of any software, which can be related to malware debugging. If the test comes back negative, the ArtraDownloader will establish a connection with the C&C (Command & Control) server of its operators. Through this connection, the ArtraDownloader will receive the payload, which is to be deployed on the infected machine. The 'ArtraDownloader's threatening payload appears to be hosted on legitimate websites that belong to Chinese or Pakistani citizens. It is likely that the BITTER APT has infiltrated these otherwise legitimate Web pages to use them to their own means. In these latest attacks, it appears that the ArtraDownloader works in unison with several different RATs.
To reduce the chances of becoming one of the victims of the ArtraDownloader, you should always keep all your software up to date. And do not forget to download and install a reputable anti-virus software suite, which will keep your system secure.
Do You Suspect Your PC May Be Infected with ArtraDownloader & Other Threats? Scan Your PC with SpyHunterSpyHunter is a powerful malware remediation and protection tool designed to help provide PC users with in-depth system security analysis, detection and removal of a wide range of threats like ArtraDownloader as well as a one-on-one tech support service. Download SpyHunter's FREE Malware Remover
Security Doesn't Let You Download SpyHunter or Access the Internet?Solutions: Your computer may have malware hiding in memory that prevents any program, including SpyHunter, from executing on your computer. Follow to download SpyHunter and gain access to the Internet:
- Use an alternative browser. Malware may disable your browser. If you're using IE, for example, and having problems downloading SpyHunter, you should open Firefox, Chrome or Safari browser instead.
- Use a removable media. Download SpyHunter on another clean computer, burn it to a USB flash drive, DVD/CD, or any preferred removable media, then install it on your infected computer and run SpyHunter's malware scanner.
- Start Windows in Safe Mode. If you can not access your Window's desktop, reboot your computer in "Safe Mode with Networking" and install SpyHunter in Safe Mode.
- IE Users: Disable proxy server for Internet Explorer to browse the web with Internet Explorer or update your anti-spyware program. Malware modifies your Windows settings to use a proxy server to prevent you from browsing the web with IE.