An espionage-focused threat actor known for targeting China, Pakistan, and Saudi Arabia has expanded to set its sights on Bangladeshi government organizations as part of an ongoing campaign that commenced in August 2021.
Cybersecurity firm Cisco Talos attributed the activity with moderate confidence to a hacking group dubbed the Bitter APT, based on overlaps in the command-and-control (C2) infrastructure with that of prior campaigns mounted by the same actor.
“Bangladesh fits the profile we have defined for this threat actor, previously targeting Southeast Asian countries including China, Pakistan, and Saudi Arabia,” Vitor Ventura, lead security researcher at Cisco Talos for EMEA and Asia, told The Hacker News.
“And now, in this latest campaign, they’ve widened their reach to Bangladesh. Any new country in Southeast Asia being targeted by Bitter APT should not be of surprise.”
Bitter (aka APT-C-08 or T-APT-17) is suspected to be a South Asian hacking group motivated primarily by intelligence gathering, an operation that is facilitated by means of malware such as BitterRAT, ArtraDownloader, and AndroRAT. Prominent targets include the energy, engineering, and government sectors.
The earliest attacks distributing the mobile version of BitterRAT date back to September 2014, with the actor having a history of leveraging zero-day flaws — CVE-2021-1732 and CVE-2021-28310 — to its advantage in conducting its adversarial objectives.
The latest campaign, targeting an elite entity of the Bangladesh government, involves sending spear-phishing emails to high-ranking officers of the Rapid Action Battalion Unit of the Bangladesh police (RAB).
As is typically observed in other social engineering attacks of this kind, the missives are designed to lure the recipients into opening a weaponized RTF document or a Microsoft Excel spreadsheet that exploits previously known flaws in the software to deploy a new trojan dubbed “ZxxZ.”
ZxxZ, named so after a separator used by the malware when sending information back to the C2 server, is a 32-bit Windows executable compiled in Visual C++.
“The trojan masquerades as a Windows Security update service and allows the malicious actor to perform remote code execution, allowing the attacker to perform any other activities by installing other tools,” the researchers explained.
While the malicious RTF document exploits a memory corruption vulnerability in Microsoft Office’s Equation Editor (CVE-2017-11882), the Excel file abuses two remote code execution flaws, CVE-2018-0798 and CVE-2018-0802, to activate the infection sequence.
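The two concrete indicators the article gives a defender are the Equation Editor object inside the RTF lure (CVE-2017-11882) and the literal “ZxxZ” separator in the trojan’s C2 messages. The following triage script is an added example, not Cisco Talos code: it flags RTF files that embed an Equation Editor (Equation.3) OLE object and splits captured request bodies on the ZxxZ separator. The Equation.3 class name and its CLSID are the standard Equation Editor identifiers; the sample RTF, the beacon bodies and their field layout are constructed for the example, since the article does not document what the malware sends.

```python
import re

# Indicators: the Equation Editor OLE class name as written in RTF, the same
# name hex-encoded inside \objdata, and the Equation Editor CLSID
# {0002CE02-0000-0000-C000-000000000046} as it appears little-endian in OLE data.
OBJCLASS_EQUATION = re.compile(rb"\\objclass\s+Equation\.3", re.IGNORECASE)
EQUATION_NAME_HEX = b"4571756174696f6e2e33"             # "Equation.3"
EQUATION_CLSID_HEX = b"02ce020000000000c000000000000046"
ZXXZ = b"ZxxZ"                                         # C2 field separator per the article


def rtf_equation_indicators(data: bytes) -> dict:
    """Report which Equation Editor indicators are present in an RTF blob."""
    # RTF hex object data is usually wrapped across lines; drop whitespace so
    # hex-encoded strings match regardless of line breaks.
    compact = re.sub(rb"\s+", b"", data).lower()
    return {
        "has_object": b"\\object" in compact,
        "objclass_equation3": bool(OBJCLASS_EQUATION.search(data)),
        "hex_equation_name": EQUATION_NAME_HEX in compact,
        "hex_equation_clsid": EQUATION_CLSID_HEX in compact,
    }


def is_suspicious_rtf(data: bytes) -> bool:
    """True if any Equation Editor indicator is found in the document."""
    ind = rtf_equation_indicators(data)
    return ind["objclass_equation3"] or ind["hex_equation_name"] or ind["hex_equation_clsid"]


def split_zxxz_fields(body: bytes) -> list:
    """Split a C2 message body on the ZxxZ separator; empty list if absent."""
    if ZXXZ not in body:
        return []
    return body.split(ZXXZ)


def scan_bodies(bodies) -> list:
    """Return (index, field_count) for every captured body using the separator."""
    hits = []
    for i, body in enumerate(bodies):
        fields = split_zxxz_fields(body)
        if fields:
            hits.append((i, len(fields)))
    return hits


# Constructed sample documents (not real lures): one embeds an Equation.3
# object with the class name hex-encoded in \objdata, the other is plain text.
MALICIOUS_RTF = (
    b"{\\rtf1\\ansi\\deff0\n"
    b"{\\object\\objemb\\objw1\\objh1{\\*\\objclass Equation.3}\n"
    b"{\\*\\objdata 01050000020000000b000000\n"
    b"4571756174696f6e2e3300000000000000000000\n"
    b"}}\\par}\n"
)
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\\f0 Quarterly report\\par}\n"

# Constructed request bodies; the real field layout is not documented in the article.
SAMPLE_BODIES = [
    b"DESKTOP-01ZxxZuser01ZxxZ10.0.19044ZxxZ",
    b"session=abc123&lang=en",
    b"OKZxxZ",
]

if __name__ == "__main__":
    for name, doc in (("malicious", MALICIOUS_RTF), ("benign", BENIGN_RTF)):
        print(name, rtf_equation_indicators(doc), "suspicious:", is_suspicious_rtf(doc))
    print("bodies using ZxxZ:", scan_bodies(SAMPLE_BODIES))
```

The RTF checks are deliberately simple string matches; malicious RTF in the wild often pads or mangles control words and hex data to defeat exactly this, so for real triage run a proper parser such as oletools’ rtfobj, which extracts the OLE objects and reports their class names. The ZxxZ check is only as good as the visibility you have into request bodies, so it belongs on a proxy or IDS that logs outbound POST data.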
“Actors often change their tools to avoid detection or attribution; this is part of the lifecycle of a threat actor showing its capability and commitment,” Ventura said.