
ArtraDownloader

Posted: August 27, 2019

ArtraDownloader is a family of Trojan downloaders closely associated with the threat actor known as Bitter (or BITTER). Its role is to download and install a Remote Access Trojan that the same group uses to maintain long-term control of, and surveillance over, an infected computer. Let your anti-malware services delete ArtraDownloader as they find it, and treat unexpected documents with caution, since these are its usual droppers.

Reports with Trojans Inside

State-sponsored espionage relies on well-known but still effective tools for clearing initial security hurdles and compromising PCs. These attacks often manipulate the psychology of users, treating the human mind as the weakest point of security. ArtraDownloader and its companion threat, BitterRAT, illustrate this approach well in their 2019 campaigns.

Both ArtraDownloader and the second Trojan, a Remote Access Trojan, are tools of Bitter, a threat actor targeting government entities in China, Pakistan and, most recently, Saudi Arabia. ArtraDownloader is one of the first threats the group introduces to a target: its installer is embedded in weaponized documents. These documents are customized for the target and reference topics such as local security reports, data traffic reports, logistics management or, ironically, PC security workshops.

A user who opens one of these (most likely e-mail-delivered) documents may compromise the PC with a build of ArtraDownloader. The infrastructure for this attack and related ones often uses already-compromised domains belonging to local government networks, which, malware experts note, is commonplace in cyber-espionage. ArtraDownloader's single purpose is to download yet another threat, BitterRAT, which gives Bitter's hackers an invasive, shell command-based level of control over the system.

Exploring Trojan Downloaders as Government Infiltrators

With dozens of separate attacks all leveraging ArtraDownloader for the same purpose, its niche in Bitter's toolkit is well defined. Three variants of this threat exist, although malware experts note few significant differences between them; one version includes an unused anti-virus check (possibly left in by accident) and omits the usual obfuscation of its network traffic. All versions of ArtraDownloader establish Registry persistence, download and run files through HTTP requests, and use internal obfuscation based on byte subtraction (a value is subtracted from each byte of the protected data).
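Byte-subtraction obfuscation of this kind is trivial to undo once the subtracted value is known, and cheap to brute-force when it is not. The script below is an added example written for this article; it is not code from the page or from Bitter's malware. The page does not state the value the real samples use or the data they protect, so the string table and the subtrahend of 7 are both constructed assumptions, and the decoder ranks every possible 1-byte value instead of relying on a known one.

```python
"""
Added example, not code from the original page or from Bitter's tooling.
Recovers a byte-subtraction-obfuscated string table when the subtracted
value is unknown: every 1-byte candidate is tried and the results are
ranked by how text-like they are. Sample data and the subtrahend 7 are
assumptions made for the demo, not values reported for ArtraDownloader.
"""
from __future__ import annotations
import string

# Bytes accepted as "text": printable ASCII plus NUL (C-string terminator).
TEXT_BYTES = set(string.printable.encode()) | {0}


def encode(plaintext: bytes, sub: int) -> bytes:
    """What the obfuscator does: add `sub` to every byte, wrapping at 256."""
    return bytes((b + sub) & 0xFF for b in plaintext)


def decode(blob: bytes, sub: int) -> bytes:
    """Undo encode(): subtract `sub` from every byte, wrapping at 256."""
    return bytes((b - sub) & 0xFF for b in blob)


def text_score(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or NUL; 1.0 means all are."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in TEXT_BYTES) / len(data)


def brute_force(blob: bytes, min_score: float = 0.9) -> list[tuple[int, bytes]]:
    """Try every subtrahend 1..255; return (sub, plaintext) pairs, best first.

    Only the true value turns the NUL separators back into NULs while keeping
    every letter printable, so it is the sole candidate scoring 1.0 as long as
    the table holds at least one NUL and one byte as high as 'w' (0x77).
    """
    hits = []
    for sub in range(1, 256):
        plaintext = decode(blob, sub)
        score = text_score(plaintext)
        if score >= min_score:
            hits.append((score, sub, plaintext))
    hits.sort(key=lambda h: (-h[0], h[1]))  # best score first, then lowest sub
    return [(sub, plaintext) for _, sub, plaintext in hits]


def split_c_strings(data: bytes) -> list[str]:
    """Split a NUL-separated string table into Python strings, dropping empties."""
    return [s.decode("ascii", "replace") for s in data.split(b"\x00") if s]


def recover_strings(blob: bytes) -> list[str]:
    """Decode a blob with the best-ranked subtrahend and return its strings."""
    candidates = brute_force(blob)
    if not candidates:
        return []
    return split_c_strings(candidates[0][1])


# Constructed sample: a NUL-terminated string table of the kind a downloader
# might hide (a Run key path, an HTTP verb, a placeholder URL). Hypothetical.
SAMPLE_STRINGS = [
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    b"GET",
    b"http://c2.example/download.php",
]
SUBTRAHEND = 7  # assumed for the demo, not a value reported for the real samples
OBFUSCATED = encode(b"\x00".join(SAMPLE_STRINGS) + b"\x00", SUBTRAHEND)

if __name__ == "__main__":
    for sub, plaintext in brute_force(OBFUSCATED)[:3]:
        print(f"sub={sub:3d} score={text_score(plaintext):.2f} {split_c_strings(plaintext)}")
```

Shifting text by one or two positions still yields mostly printable bytes, which is why the ranking leans on the NUL terminators: the correct value is the only one that restores them, so it alone reaches a perfect score and lands at the top. Because the page notes that the variants differ in detail, run the brute-force per blob rather than hard-coding a value recovered from one sample.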

There is no known instance of an ArtraDownloader attack deploying anything other than BitterRAT. Unfortunately, this Remote Access Trojan is both invasive and stealth-oriented, and malware experts classify it as a high-level threat. Victims should make disabling network connectivity and isolating compromised devices from local networks their top priorities.

Windows anti-malware products will identify and delete ArtraDownloader along with its payloads. Workers can reduce their risk by disabling macros, keeping document reader software updated, and being careful with e-mail or social networking attachments.

ArtraDownloader is extending its reach into the Middle East alongside its continuing activity in Asia. The results Bitter keeps getting from this Trojan workhorse are, almost certainly, down to government employees opening the wrong kinds of files a little too hastily.
