The Southeast Asian threat group Bitter that has been active since 2015 has expanded its activities and has now targeted Pakistani and Saudi Arabia with three variants of the AstraDownloader to inject the RAT BitterRAT into various organizations.

The attacks on Saudi Arabia and Pakistan began in September and continued into early 2019, according to a report by Palo Alto Networks Unit 42. Bitter originally targeted only Pakistani and Chinese organizations.

Initial access was achieved with a spear phishing attack against a specific employee at a Saudi Arabian power company on September 12, 2018 and since then AstraDownloader executables along with the malicious document that was used as the malware’s conduit have been spotted on servers belonging to a Pakistani engineering firm and hydraulics company.

In several cases Unit 42 was able to define the document subject matter that was used in the spearphishing attacks. These were an internet data traffic report, PAF Webmail Security Report, cybersecurity work shop and a PDF entitled Handling of Logistics.

“In total, roughly 80 unique instances of the ArtraDownloader malware family have been discovered. Within these samples, 3 distinct variants are identified. These variants generally have minor changes between them, specifically as it pertains to string obfuscation, as well as HTTP requests,” the report stated.

The researchers rated the downloader as unsophisticated maintaining persistence by leveraging registry keys and using HTTP requests to download and execute remote files.