Posted on May 13, 2022 at 7:14 AM
A hacking campaign focused on several countries in South Asia has added Bangladeshi government organizations to its list of targets. The espionage-focused operation began in August 2021 and has since expanded in both its hacking accomplishments and its affiliates.
The hacking group and its activities were discovered by security firm Cisco Talos, which attributed the attacks with moderate confidence to the Bitter APT group.
A senior security researcher at Cisco Talos for EMEA stated that Bangladesh fits the profile of the targets the hacking group wants to attack. Other countries the hackers have targeted in the region include Pakistan, China, and Saudi Arabia.
The Bitter APT group is believed to be made up of threat actors from South Asia. The group is motivated by intelligence gathering, but it is not yet clear whether it is sponsored by a government. It carries out its operations with malware such as AdtroRAT, AntraDownloader, and BitterRAT, and it targets government organizations as well as companies in the engineering and energy sectors.
The Hackers Use Phishing Methods To Lure Targets
The present campaign targets an elite unit of the Bangladesh government using a themed lure message that purports to relate to the unit's normal operational tasks.
The lure typically arrives as a spear-phishing email delivered to officers of the Rapid Action Battalion, especially high-ranking ones. The emails carry either a Microsoft Excel spreadsheet or a malicious RTF document weaponized to exploit known flaws.
Additionally, the originating header information and IP addresses showed that the emails came from servers based in Pakistan. The threat actor also forged the sender details so that the messages appeared to come from Pakistani government organizations.
Some of the fake sender email addresses, as compiled by Talos, include: arc@desto[.]gov[.]pk, cdrrab13bd@gmail[.]com, chief_pia@pc[.]gov[.]pk, ddscm2@pof[.]gov[.]pk, mem_psd@pc[.]gov[.]pk, rab3tikatuly@gmail[.]com, and so.dc@pc[.]gov[.]pk.
When the victim opens the malicious file, it automatically launches the Equation Editor application. This runs the embedded objects containing the shellcode that exploits the known flaws described in CVE-2018-0802, CVE-2018-0798, and CVE-2017-11882, all of which are Microsoft Office vulnerabilities. The shellcode then downloads the trojan from the hosting server and runs it on the victim's machine.
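The document chain above (an Office file that loads Equation Editor, whose shellcode fetches and runs the trojan) leaves two observable traces a defender can check for. The following is an added detection example, not code from Talos or the original article: it scans an RTF for Equation Editor object markers and walks key=value process-creation log lines for any EQNEDT32.EXE launch or child process. The CLSID and process name are the public Equation Editor 3.0 values; the RTF sample and log lines are constructed.

```python
import re

# Equation Editor 3.0 (EQNEDT32.EXE) is what the weaponized RTF/Excel lures make
# Office load. It is started out-of-process as a COM server, so its parent is
# usually not the Office application itself; flag (1) RTF markers that embed an
# Equation object and (2) any EQNEDT32.EXE start or anything it spawns.
# CLSID {0002CE02-0000-0000-C000-000000000046}, in the byte order used inside \objdata hex:
EQNEDT_CLSID_HEX = "02ce020000000000c000000000000046"
RTF_MARKERS = {
    "objclass_equation": re.compile(r"\\objclass\s*equation\.3", re.I),
    "objupdate_autoload": re.compile(r"\\objupdate", re.I),  # object loads on open, no click needed
    "eqnedt_clsid": re.compile(EQNEDT_CLSID_HEX, re.I),
}

def scan_rtf(text: str) -> list[str]:
    """Return names of Equation Editor markers found in an RTF body."""
    compact = re.sub(r"\s", "", text)  # \objdata hex is often wrapped across lines
    return [name for name, rx in RTF_MARKERS.items() if rx.search(compact)]

def parse_kv(line: str) -> dict:
    """Parse key=value pairs (quoted values allowed) from a process-creation log line."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def suspicious_process_events(log_lines: list[str]) -> list[tuple[str, str]]:
    """Flag EQNEDT32.EXE launches and any process it spawns (e.g. the downloaded trojan)."""
    hits = []
    for line in log_lines:
        f = parse_kv(line)
        image = f.get("Image", "").rsplit("\\", 1)[-1].lower()
        parent = f.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        if image == "eqnedt32.exe":
            hits.append((f.get("ProcessId", "?"), "Equation Editor started"))
        elif parent == "eqnedt32.exe":
            hits.append((f.get("ProcessId", "?"), "spawned by Equation Editor: " + image))
    return hits

# Constructed sample input: a minimal RTF with an embedded Equation object and
# four Sysmon-style process-creation lines (one EQNEDT32 launch, one child of it).
SAMPLE_RTF = (r"{\rtf1{\object\objemb\objupdate{\*\objclass Equation.3}{\*\objdata "
              "0105000002000000 0b000000 4571756174696f6e2e3300 " + EQNEDT_CLSID_HEX + "}}}")
SAMPLE_LOGS = [
    'EventID=1 ProcessId=4120 Image="C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE" ParentImage="C:\\Windows\\explorer.exe"',
    'EventID=1 ProcessId=4188 Image="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" ParentImage="C:\\Windows\\System32\\svchost.exe"',
    'EventID=1 ProcessId=4240 Image="C:\\Users\\officer\\AppData\\Local\\Temp\\update.exe" ParentImage="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"',
    'EventID=1 ProcessId=4300 Image="C:\\Windows\\System32\\notepad.exe" ParentImage="C:\\Windows\\explorer.exe"',
]

if __name__ == "__main__":
    print("RTF markers:", scan_rtf(SAMPLE_RTF))
    for pid, reason in suspicious_process_events(SAMPLE_LOGS):
        print(f"ALERT pid={pid}: {reason}")
```

In an environment where Equation Editor has been removed or is never used, any hit from either function is worth an alert on its own.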
The Trojan Hides As A Windows Security Service
According to Talos, the trojan disguises itself as a Windows Security service, which allows the malicious actor to carry out remote code execution and paves the way for further activity by installing other tools. One notable feature of the trojan is that it runs itself. The threat actor nonetheless has other downloaders and RATs available to launch further attacks.
The security researchers stated that such campaigns could give the hackers access to the organization's confidential information, handing the threat actors the advantage they need to exploit the organization even further. It could also give their handlers a strong advantage over their competitors, whether the group is state-sponsored or not.
Apart from Bangladesh, the threat group could also be seeking to extend its campaign to other Southeast Asian countries. The extent of the threat is massive, according to the Talos researchers, as the group uses highly sophisticated tools for its phishing attacks.
Additionally, Talos observed that the Bitter APT group regularly changes its attack tools to avoid detection, a practice that reflects the determination and capability that make it a dangerous threat group.
The Hackers Are Sophisticated In Their Approach
The weaponized document exploits previously known vulnerabilities in the software to deploy a new trojan called ZxxZ. The trojan is named after a separator the malware uses when sending information back to the command-and-control server.
The Excel file exploits two remote code execution vulnerabilities, while the malicious RTF document abuses a memory corruption bug to trigger the infection sequence, according to Talos researchers.
The earliest attacks distributing the mobile version of BitterRAT were discovered back in September 2014. Since its first activities, the threat actor has been known to leverage zero-day vulnerabilities, namely CVE-2021-28310 and CVE-2021-1732, to accomplish its various hacking goals.
It is not known whether the threat actors are sponsored by a government or operate independently, but the level of sophistication they have shown suggests they may be working with a state government. Talos says its research on the group's activities is ongoing and that more details will be provided as soon as they are available, to help organizations and government institutions protect their servers better.