An espionage-focused hacker group, Bitter APT, known for targeting China, Pakistan, and Saudi Arabia, has allegedly added Bangladeshi government organisations to its list of targets.
The development comes as part of an ongoing campaign of Bitter Apt that commenced in August last year, reported a number of cybersecurity based news sites on Wednesday.
Bitter, aka APT-C-08 or T-APT-17, is suspected to be a South Asian hacking group motivated primarily by intelligence gathering, with its prominent targets including the energy, engineering and government sectors.
As per the findings of cybersecurity firm Cisco Talos, the ongoing campaign targeted an elite unit of the Bangladesh government with a themed lure document alleging to relate to the regular operational tasks in the victim's organisation.
The lure document is a spear-phishing email sent to high-ranking officers of the Rapid Action Battalion (RAB), Cisco Talos added, saying that such emails contain either a malicious RTF document or a Microsoft Excel spreadsheet weaponized to exploit known vulnerabilities.
However, TBS tried to reach RAB high officials regarding this cyber-attack and did not get any comment on the matter.
ANM Imranuddin Khan, assistant director of RAB Legal & Media wing told TBS that their media wing director is out of the country now.
"We can't comment on the issue right now. Once he is back in the country he can comment," added Imranuddin.
TBS also tried to contact RAB Deputy Director Major Roisul Azam about the issue, but he was unavailable for comment.
The originating IP address and header information indicated that the emails were sent from mail servers based in Pakistan and the actor spoofed the sender details to make the email appear as though it was sent from Pakistani government organisations.
Cisco Talos compiled a list of fake sender email addresses from this campaign.
Once the victim opens the maldoc, the Equation Editor application is automatically launched to run the embedded objects containing the shellcode to exploit known vulnerabilities described as CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802 – all in Microsoft Office – which then download the trojan from the hosting server and run it on the victim's machine.
The trojan masquerades as a Windows Security update service and allows the malicious actor to perform remote code execution, opening the door to other activities by installing other tools. In this campaign, the trojan runs itself but the actor has other RATs and downloaders in their arsenal.
The cyber security firm commented that such surveillance campaigns could allow threat actors to access the organisation's confidential information and give their handlers an advantage over their competitors, regardless of whether they are state-sponsored.
"Bangladesh fits the profile we have defined for this threat actor, previously targeting Southeast Asian countries including China, Pakistan, and Saudi Arabia," Vitor Ventura, lead security researcher at Cisco Talos (EMEA and Asia), was quoted as saying by The Hacker News.
"And now, in this latest campaign, they have widened their reach to Bangladesh. Any new country in southeast Asia being targeted by Bitter APT shouldn't be of surprise," he added.
The cybersecurity expert said that the actors (hackers) often change their tools to avoid detection or attribution and this is part of the lifecycle of a threat actor showing its capability and determination.
As is typically observed in other social engineering attacks of this kind, the missives are designed to lure the recipients into opening a weaponised RTF document or a Microsoft Excel spreadsheet that exploits previously known flaws in the software to deploy a new trojan dubbed "ZxxZ."
ZxxZ, named so after a separator used by the malware when sending information back to the C2 server, is a 32-bit Windows executable compiled in Visual C++.
While the malicious RTF document exploits a memory corruption vulnerability in Microsoft Office's Equation Editor (CVE-2017-11882), the Excel file abuses two remote code execution flaws, CVE-2018-0798 and CVE-2018-0802, to activate the infection sequence, wrote The Hacker News.