The advanced persistent threat actor known as Bitter is continuing to target military organizations in Bangladesh, according to researchers who are tracking the campaign.
In a new article that was published on July 5, the cybersecurity firm SECUINFRA stated that "Through malicious document files and intermediate malware stages, the threat actors conduct espionage by deploying Remote Access Trojans."
The findings from the Berlin-headquartered company build on a report published by Cisco Talos in May, which disclosed that the group had expanded its targeting to Bangladeshi government organizations using a backdoor known as ZxxZ.
The threat actor known as Bitter, which is also known by the codenames APT-C-08 and T-APT-17, is believed to have been operational since at least late 2013. Bitter reportedly has a history of targeting China, Pakistan, and Saudi Arabia with a variety of tools, including BitterRAT and ArtraDownloader.
The most recent attack chain detailed by SECUINFRA is believed to have been carried out in mid-May 2022. It began with a weaponized Excel document, most likely delivered through a spear-phishing email. When opened, the document exploited the Microsoft Equation Editor memory corruption vulnerability (CVE-2018-0798) to fetch the next-stage binary from a remote server.
The downloaded payload, known as ZxxZ (or MuuyDownloader, the name used by the Qi-Anxin Threat Intelligence Center), is a second-stage implant written in Visual C++ that enables the adversary to deploy additional malware.
The most notable modification to the malware is that it has switched from using the separator "ZxxZ" when sending information back to the command-and-control (C2) server to using an underscore instead. This indicates that the group is actively making changes to its source code in an effort to remain undetected.
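The separator change is a small edit in the malware's source, but it is exactly the kind of edit that silently breaks a literal-string signature. The following added example, which is not code from the article or from either report, contrasts a brittle literal match for "ZxxZ" with a structural parser that treats the check-in body as a delimited record and tries each separator the family has been seen to use. The field layout of the sample check-in bodies (hostname, user, OS, bracketed by the separator) is a constructed assumption for the demonstration; only the two separators come from the article.

```python
from typing import Optional

# Constructed sample check-in bodies. The field layout is hypothetical and is
# NOT taken from the SECUINFRA or Cisco Talos reports; only the separators
# ("ZxxZ" and "_") are from the article.
SAMPLE_BEACONS = {
    "old_variant": "ZxxZDESKTOP-7F3A1ZxxZjdoeZxxZWindows 10 ProZxxZ",
    "new_variant": "_DESKTOP-7F3A1_jdoe_Windows 10 Pro_",
    "benign": "GET /index.html HTTP/1.1",
}

# Separators observed for this family, in the order they appeared.
KNOWN_SEPARATORS = ("ZxxZ", "_")
# Assumed minimum number of fields in a check-in (host, user, OS).
MIN_FIELDS = 3


def literal_signature(body: str) -> bool:
    """Brittle detection: matches only the original separator string,
    so it misses the variant that switched to an underscore."""
    return "ZxxZ" in body


def parse_checkin(body: str) -> Optional[dict]:
    """Structural detection: treat the body as a separator-delimited record.

    For each known separator, require the body to start with it (assumed
    framing convention of the constructed format) and to split into at least
    MIN_FIELDS non-empty fields. Returns the parsed record plus the separator
    that matched, or None if the body does not fit the pattern.
    """
    for sep in KNOWN_SEPARATORS:
        if not body.startswith(sep):
            continue
        fields = [f for f in body.split(sep) if f]
        if len(fields) >= MIN_FIELDS:
            return {
                "separator": sep,
                "hostname": fields[0],
                "user": fields[1],
                "os": fields[2],
                "extra": fields[3:],
            }
    return None


def classify(body: str) -> str:
    """Label a body by which detection logic fires on it."""
    parsed = parse_checkin(body)
    if parsed is None:
        return "no-match"
    variant = "original-separator" if parsed["separator"] == "ZxxZ" else "updated-separator"
    return variant + ("" if literal_signature(body) else " (missed by literal signature)")


def run_samples() -> dict:
    """Run both detections over the constructed samples."""
    return {name: classify(body) for name, body in SAMPLE_BEACONS.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:12s} -> {verdict}")
```

The structural parser is not free of trade-offs: a single-character separator such as "_" is far more likely to occur in benign traffic than "ZxxZ" was, which is why the example requires the framing separator and a minimum field count before it accepts a body. In practice a rule like this would be paired with network context (destination, URI, user-agent) rather than run on payload bytes alone.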
The threat actor also used a backdoor known as Almond RAT in its campaigns. Almond RAT is a .NET-based remote access Trojan first observed in May 2022. It can execute arbitrary commands and provides basic data-gathering capabilities. To evade detection and hinder analysis, the implant uses obfuscation and string encryption.
The researchers stated that the primary functions of Almond RAT appear to be file system discovery, data exfiltration, and providing a way to load additional tools and maintain persistence. The tooling appears to be designed so that it can be quickly modified and adapted to the circumstances of an ongoing attack.