As part of an ongoing effort that began in August 2021, an espionage-focused phishing group known for targeting China, Pakistan, and Saudi Arabia is now eyeing to target Bangladesh government agencies. On the basis of overlaps in the command-and-control (C2) infrastructure with that of past campaigns undertaken by the same group, cybersecurity firm Cisco Talos linked the activity with moderate confidence to a hacking organization named Bitter APT.
Notorious Hacking Group Adds Bangladesh to their List of Targets
Vitor Ventura, a lead security researcher at Cisco Talos for EMEA and Asia said,
Bangladesh fits the profile we have defined for this threat actor, previously targeting Southeast Asian countries including China, Pakistan, and Saudi Arabia. And now, in this latest campaign, they have widened their reach to Bangladesh. Any new country in southeast Asia being targeted by Bitter APT shouldn’t be of surprise.
Bitter (also known as APT-C-08 or T-APT-17) is thought to be a South Asian hacking group largely focused on intelligence gathering, aided by malware such as BitterRAT, ArtraDownloader, and AndroRAT. Their primary targets include energy, engineering, and government industries.
This hacking group has a history of exploiting zero-day defects — CVE-2021-1732 and CVE-2021-28310 — to achieve its antagonistic objectives, with the first attacks spreading the mobile version of BitterRAT back in September 2014.
Their latest attack includes targeting an elite entity of the Bangladeshi government. It involved sending spear-hacking emails to the senior officers of the Rapid Action Battalion Unit of the Bangladesh police (RAB).
Following the typical trajectory, the hacking group used the messages to lure the recipients into opening a weaponized RTF document or a Microsoft Excel spreadsheet that uses previously known flaws in the software to deploy a new trojan dubbed “ZxxZ.”
According to the researchers,
The trojan masquerades as a Windows Security update service and allows the malicious actor to perform remote code execution, allowing the attacker to perform any other activities by installing other tools.