An espionage-focused threat actor known for targeting China, Pakistan, and Saudi Arabia has expanded to set its sights on Bangladeshi government organizations as part of an ongoing campaign that commenced in August 2021.
Cybersecurity firm Cisco Talos attributed the activity with moderate confidence to a hacking group dubbed the Bitter APT, based on overlaps in the command-and-control (C2) infrastructure with that of prior campaigns mounted by the same actor.
“Bangladesh fits the profile we have defined for this threat actor, previously targeting Southeast Asian countries including China, Pakistan, and Saudi Arabia,” Vitor Ventura, lead security researcher at Cisco Talos for EMEA and Asia, told The Hacker News.
“And now, in this latest campaign, they have widened their reach to Bangladesh. Any new country in southeast Asia being targeted by Bitter APT shouldn’t be of surprise.”
Bitter (aka APT-C-08 or T-APT-17) is suspected to be a South Asian hacking group motivated primarily by intelligence gathering, an operation facilitated by the use of malware such as BitterRAT, ArtraDownloader, and AndroRAT. Prominent targets include the energy, engineering, and government sectors.
The earliest attacks distributing the mobile version of BitterRAT date back to September 2014, with the actor having a history of leveraging zero-day flaws, CVE-2021-1732 and CVE-2021-28310, to its advantage and in pursuit of its adversarial goals.
The latest campaign, targeting an elite entity of the Bangladesh government, involves sending spear-phishing emails to high-ranking officers of the Rapid Action Battalion Unit of the Bangladesh police (RAB).
As is often observed in other social engineering attacks of this kind, the messages are designed to lure the recipients into opening a weaponized RTF document or a Microsoft Excel spreadsheet that exploits previously known flaws in the software to deploy a new trojan dubbed “ZxxZ.”
ZxxZ, so named after a separator used by the malware when sending information back to the C2 server, is a 32-bit Windows executable compiled in Visual C++.
“The trojan masquerades as a Windows Security update service and allows the malicious actor to perform remote code execution, allowing the attacker to perform any other activities by installing other tools,” the researchers explained.
While the malicious RTF document exploits a memory corruption vulnerability in Microsoft Office’s Equation Editor (CVE-2017-11882), the Excel file abuses two remote code execution flaws, CVE-2018-0798 and CVE-2018-0802, to trigger the infection sequence.
“Actors often change their tools to avoid detection or attribution; this is part of the lifecycle of a threat actor showing its capability and determination,” Ventura said.