The advanced persistent threat (APT) group Bitter continues to target military entities in Bangladesh. According to a recent report, the threat actors compromise these entities by deploying remote access trojans (RATs) through malicious document files and intermediate malware stages.
Moreover, a research team has reported a new finding: the threat actors have expanded their targeting to Bangladeshi government organisations, using a backdoor dubbed “ZxxZ.”
The Bitter APT group is known for other names such as T-APT-17 and APT-C-08.
Reports say that the APT group has been active for nearly a decade and has a track record of targeting countries such as China, Saudi Arabia, and Pakistan. The tools these threat actors typically use in their attacks are the ArtraDownloader and BitterRAT.
The group’s most recent attack chain was observed by a separate researcher, who reported that the actors started this campaign last May. The adversaries conducted the attacks through a series of malicious Microsoft Excel documents, most likely distributed via spear-phishing emails. If a targeted user opens the file, an exploit for Microsoft Equation Editor drops a next-stage binary fetched from a remote server.
Bitter’s ZxxZ is a downloaded payload written in Visual C++ that operates as a second-stage implant, enabling the operators to launch additional malware.
The most significant change in the malware is the abandonment of the “ZxxZ” separator, previously used by the threat actors when sending information to the command-and-control server, in favour of an underscore. This detail implies that the APT group keeps modifying its source code to remain undetected and to hinder analysis.
The threat actors also used a backdoor called Almond RAT in their campaign. This remote access trojan is a .NET-based RAT that was first discovered last May. The RAT offers essential data harvesting features and the ability to run arbitrary commands. Lastly, the implant adopts obfuscation and string encryption to bypass detection and keep analysts at bay.