Military entities located in Bangladesh continue to be the target of cyberattacks supported by an Advanced Persistent Threat identified as Bitter.
“Through malicious document files and intermediate malware stages, threat actors conduct espionage by deploying remote access Trojans,” cybersecurity firm SECUINFRA said in a new report published on July 5.
The Berlin-based company’s findings build on an earlier report from Cisco Talos in May, which revealed the group’s expansion into targeting Bangladeshi government organizations with a backdoor called ZxxZ.
Bitter, also tracked under the codenames APT-C-08 and T-APT-17, has reportedly been active since at least late 2013 and has a history of targeting China, Pakistan and Saudi Arabia using different tools such as BitterRAT and ArtraDownloader.
The latest attack chain detailed by SECUINFRA was allegedly carried out in mid-May 2022. It originates from a weaponized Excel document, likely distributed via a spear-phishing email, that, when opened, exploits the Microsoft Equation Editor vulnerability (CVE-2018-0798) to retrieve the next-stage binary from a remote server.
ZxxZ (also known as MuuyDownloader, the name used by Qi-Anxin Threat Intelligence Center), as the downloaded payload is called, is implemented in Visual C++ and functions as a second-stage implant that allows the adversary to deploy additional malware.
The most notable change in the malware is that it dropped the use of “ZxxZ” as the separator used when returning information to the command and control (C2) server in favor of an underscore, suggesting that the group is actively making changes to its source code to stay under the radar.
The threat actor also uses a backdoor called Almond RAT in its campaigns, a .NET-based RAT that first appeared in May 2022 and offers basic data collection functionality and the ability to run arbitrary commands. Additionally, the implant uses obfuscation and string encryption techniques to evade detection and hinder analysis.
“The main purposes of Almond RATs appear to be filesystem discovery, data exfiltration, and a way to load more tools/establish persistence,” the researchers said. “The design of the tools appears to be designed in such a way that it can be quickly modified and adapted to the current attack scenario.”