Bitter APT, a Southeast Asian threat actor, has been active since at least 2013. It is known for targeting entities located in Pakistan, China, and Saudi Arabia. However, the gang has, lately, shifted its sights to Bangladesh.
Diving into details
Cisco Talos revealed an ongoing campaign operated by the APT actor since August 2021. The campaign has been launched against an elite unit of the Bangladeshi government via spear-phishing emails. The emails are sent to high-ranking officials of the Rapid Action Battalion (RAB), a unit of the Bangladesh police force. The emails trick the targets into opening a malicious RTF document of an Excel spreadsheet, which exploits previously disclosed vulnerabilities in the software to deploy a new malware - ZxxZ trojan.
Modus operandi
- The attackers use spoofed email addresses to pretend that the messages were sent from a government organization in Pakistan.
- Once the recipient opens the weaponized document, the Equation Editor app is launched to run embedded objects with the shellcode to exploit some flaws—CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802—in Microsoft Office.
- Subsequently, the application downloads the trojan from the hosting server to execute on the victim machine.
- ZxxZ pretends to be a Windows Security update service and enables the threat actor to conduct RCE.
- While the malware runs itself, the campaign uses other RATs and tools.
Why this matters
Bitter, aka T-APT-17 or APT-C-08, primarily focuses on intelligence collection from the engineering, government, and energy sectors. These kinds of surveillance campaigns allow the threat actors to access sensitive information. They, furthermore, give a competitive edge to the adversaries, irrespective of whether they are state-sponsored.
The bottom line
Bitter APT is a highly-motivated threat actor that is expanding its attack scope. The attackers have surfaced with new attack TTPs to attain their objectives of cyberespionage and even added a new trojan to the mix. Hence, organizations are recommended to implement a layered cyber defense approach and patch all vulnerabilities at the earliest.