APT Hacker Group Bitter Continues to Attack Military Targets in Bangladesh

An advanced persistent threat (APT) operating under the name of ‘Bitter’ continues to conduct cyber-attacks against military entities in Bangladesh.

The news comes from a team of SecuInfra cybersecurity experts, who published an advisory on Tuesday describing the south-Asian APT’s recent campaigns. 

“Through malicious document files and intermediate malware stages, the threat actors conduct espionage by deploying Remote Access Trojans,” reads the document.

The SecuInfra findings build on a report published by Talos last May (which disclosed the group’s expansion and intentions to hit Bangladeshi government organizations) and cover an attack presumably conducted in mid-May 2022.

Specifically, the attack would have originated from a weaponized Excel document likely distributed through a spear-phishing email.

When opened, the email would take advantage of the Microsoft Equation Editor exploit (CVE-2018-0798) to drop a payload named ZxxZ from a remote server.

The malicious code would then be implemented in Visual C++ and work as a second-stage implant, allowing malicious actors to deploy additional malware.

“Comparing this fingerprinting function to the one documented by Cisco Talos we can see that Bitter abandoned the ZxxZ value separator (that gave the Downloader its name) in exchange for a simple underscore.”

According to SecuInfra, the APT did this to avoid detection through IDS/IPS systems based on this specific separator.

“The Bitter threat group continues to use their exploitation approach in Asia with themed lures and internal changes to avoid existing detections,” SecuInfra explained.

To protect from such attacks, the security researchers said companies and governments should regularly implement network and endpoint detection and response measures and patch commonly exploited software like Microsoft Office.

“We will continue to monitor this threat group and report on changes in their Tactics, Techniques and Procedures.”

All of the samples mentioned in the SecuInfra advisory have been reportedly made available through the public Malware repositories MalwareBazaar and Malshare for verification and further research.

What’s Hot on Infosecurity Magazine?