
BitterRAT

Posted: August 27, 2019

BitterRAT is a Remote Access Trojan that grants attackers control over your PC. It executes shell commands and communicates with a C&C server for surveillance purposes, and it has close associations with government espionage. Users with anti-malware protection should remove BitterRAT on sight, and may also need to change any passwords and other credentials the infection could have exposed.

The Bitter Flavor of a RAT in Your PC

With the threat actor Bitter targeting new parts of the world with old tools, 2019 is shaping up to be a big year for this group of hackers. As always, the centerpiece of their campaigns is BitterRAT: a Remote Access Trojan with system-control and network communication functions. The delivery mechanisms also follow well-established traditions in state cyber-warfare, such as Trojan downloaders whose installers hide inside documents.

BitterRAT is a program for Windows environments. Its foundational features include elements that malware experts have seen in various RATs over the years, such as:

  • BitterRAT sets a Registry entry for guaranteeing its persistence over system reboots.
  • As one of its first actions, BitterRAT sends system information, such as the Windows version, to a remote server. This server is often a previously compromised one belonging to the same government that the current attack is targeting.
  • BitterRAT supports processing shell commands, such as renaming, opening, copying, or deleting files, and sends a report of the results back to the attacker.
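
The Registry autostart described in the first bullet is the most reliable host artifact to hunt for. The following is an added example, not code from the page or from any vendor: it inspects a list of Run-key values (as you would export from a host) and flags the patterns commodity RATs commonly show, namely an executable living in a user-writable directory, a system-binary name used outside the Windows directory, or a LOLBin launcher used to start a payload. The sample entries, the allowlist and the environment-variable expansions are constructed for the example.

```python
"""Hunt Windows Run-key autostart entries for RAT-style persistence.

Added example (not from the page). Input is a list of (key, value name,
command line) tuples as exported from a host; output is the subset that
deserves analyst triage, each with the reasons it was flagged.
"""

# Lower-case path fragments that mark user-writable locations.
USER_WRITABLE = (
    "\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\",
    "\\users\\public\\", "\\programdata\\",
)
# Environment variables expanded to representative paths (constructed user "x").
ENV_EXPANSIONS = {
    "%appdata%": "c:\\users\\x\\appdata\\roaming",
    "%localappdata%": "c:\\users\\x\\appdata\\local",
    "%temp%": "c:\\users\\x\\appdata\\local\\temp",
    "%tmp%": "c:\\users\\x\\appdata\\local\\temp",
    "%programdata%": "c:\\programdata",
    "%public%": "c:\\users\\public",
    "%windir%": "c:\\windows",
    "%systemroot%": "c:\\windows",
}
LOLBIN_LAUNCHERS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                    "cscript.exe", "powershell.exe", "cmd.exe"}
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                       "explorer.exe", "services.exe"}
# Hypothetical allowlist of known-good autostarts from user-writable paths.
# A real one should come from your software inventory and signature checks.
ALLOWLIST = ("\\appdata\\local\\microsoft\\onedrive\\onedrive.exe",)

# Constructed sample entries: (key, value name, command line). Not real IoCs.
SAMPLE_RUN_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "winupdt",
     r'"C:\Users\alice\AppData\Roaming\winupdt\svchost.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Loader",
     r"rundll32.exe C:\Users\Public\ldr.dll,Start"),
]


def normalize(cmd):
    """Lower-case the command and expand environment variables so path checks are uniform."""
    s = cmd.lower()
    for var, path in ENV_EXPANSIONS.items():
        s = s.replace(var, path)
    return s


def split_command(cmd):
    """Return (executable, arguments), honouring a quoted executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def classify(cmd):
    """Return the list of reasons a Run-key command line looks like RAT persistence."""
    norm = normalize(cmd)
    if any(a in norm for a in ALLOWLIST):
        return []
    exe, _args = split_command(norm)
    base = exe.rsplit("\\", 1)[-1]
    reasons = []
    if any(p in norm for p in USER_WRITABLE):
        reasons.append("runs from or references a user-writable directory")
    if base in SYSTEM_BINARY_NAMES and not exe.startswith("c:\\windows\\"):
        reasons.append(f"system binary name {base} outside the Windows directory")
    if base in LOLBIN_LAUNCHERS:
        reasons.append(f"payload launched via {base}")
    return reasons


def hunt_run_entries(entries):
    """Return [(key, name, cmd, reasons)] for every entry that deserves triage."""
    findings = []
    for key, name, cmd in entries:
        reasons = classify(cmd)
        if reasons:
            findings.append((key, name, cmd, reasons))
    return findings


if __name__ == "__main__":
    for key, name, cmd, reasons in hunt_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"{key}\\{name}: {cmd}")
        for reason in reasons:
            print("   -", reason)
```

On the constructed sample this flags `winupdt` (a fake `svchost.exe` under AppData) and `Loader` (a DLL in the Public folder started through rundll32), while the Windows system tray entry and the allowlisted OneDrive autostart pass. The same checks apply to the other autostart locations (RunOnce, Winlogon, scheduled tasks, services); only the collection step differs.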

These features place BitterRAT in a good position for maintaining long-term, hidden surveillance over the PC, possibly using it as a staging ground for lateral movement across the network. However, despite its general-purpose capabilities, malware experts haven't yet seen BitterRAT in use outside of Bitter's campaigns, which target Asia (China and Pakistan) and the Middle East (Saudi Arabia).

Cutting the Line Between a Trojan and Its Friends

Although the dangers of BitterRAT infections are little different from giving criminals an insider's view of your local network, its infection methods are well-analyzed. Malware researchers recommend that workers in at-risk institutions monitor e-mail and other file-downloading resources for potential phishing lures, such as fake security reports or other content of local relevance to the recipient. Enabling macros or using outdated document reader software also leaves a PC at much higher risk of infection.
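Since the lure documents depend on the recipient enabling macros, a mail gateway or endpoint script can flag macro-bearing Office attachments before anyone gets the chance. The following is an added example, not code from the page or from any vendor: OOXML files (.docx, .docm, .xlsx and so on) are ZIP containers in which VBA code lives in a part named vbaProject.bin, so the check opens the container, looks for that part and for the macro-enabled content type, and compares the result with the file extension so that a ".docx" that secretly carries macros is flagged too. The sample documents are minimal constructed fixtures, not real files.

```python
"""Flag macro-bearing Office attachments before a user can enable the macros.

Added example (not from the page). Legacy binary .doc/.xls files are OLE2,
not ZIP, and need a different parser (e.g. the olefile package); they are
reported as 'legacy-binary' for manual review rather than parsed here.
"""
import io
import zipfile

MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
OOXML_EXTENSIONS = MACRO_EXTENSIONS | {".docx", ".dotx", ".xlsx", ".xltx", ".pptx", ".potx"}
LEGACY_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot"}


def extension_of(filename):
    """Lower-case file extension including the dot, or '' if there is none."""
    name = filename.lower()
    return name[name.rfind("."):] if "." in name else ""


def contains_vba(data):
    """True if the OOXML container carries a VBA project part or a macro content type."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return "macroEnabled" in types or "vbaProject" in types
    except zipfile.BadZipFile:
        return False
    return False


def assess_attachment(filename, data):
    """Classify an attachment as 'clean', 'macro', 'macro-hidden', 'legacy-binary' or 'not-office'.

    'macro-hidden' means VBA was found inside a file whose extension claims
    to be a macro-free format; that mismatch alone warrants quarantine.
    """
    ext = extension_of(filename)
    if ext in LEGACY_EXTENSIONS:
        return "legacy-binary"
    if ext not in OOXML_EXTENSIONS:
        return "not-office"
    if not contains_vba(data):
        return "clean"
    return "macro" if ext in MACRO_EXTENSIONS else "macro-hidden"


def build_sample(parts):
    """Construct a minimal OOXML-like ZIP in memory (test fixture, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed fixtures: a macro-free document and one carrying a VBA project part.
CLEAN_DOC = build_sample({
    "[Content_Types].xml": '<Types><Override PartName="/word/document.xml" '
                           'ContentType="application/vnd.openxmlformats-officedocument'
                           '.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": "<w:document/>",
})
MACRO_DOC = build_sample({
    "[Content_Types].xml": '<Types><Override PartName="/word/vbaProject.bin" '
                           'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed placeholder, not real VBA",
})

if __name__ == "__main__":
    for name, data in [("report.docx", CLEAN_DOC), ("report.docm", MACRO_DOC),
                       ("report.docx", MACRO_DOC), ("report.doc", b"\xd0\xcf\x11\xe0")]:
        print(f"{name}: {assess_attachment(name, data)}")
```

The verdict is intentionally coarse: anything other than "clean" or "not-office" should go to quarantine or analyst review, and legacy binary formats need the OLE parser mentioned in the docstring before they can be cleared.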

Most BitterRAT deployments use ArtraDownloader for the installation routine. This second Trojan delivers the RAT after the victim opens the corrupted document, although there's a theoretical possibility of Bitter using it to run other threats. While this Trojan downloader has limited sophistication, it does have some stealth-oriented characteristics and may hide its network communications with obfuscation.

In either case, allow your anti-malware services to delete BitterRAT or ArtraDownloader as they appear, and prevent infected systems from contacting the Internet until you resolve the security breach.

BitterRAT isn't exceptionally more or less toxic than most Remote Access Trojans. However, a command shell in the wrong hands is a powerful tool, and unfortunately it's one that threat actors like Bitter use for spying.
