Threat actors sent phishing emails, which appear to originate from Pakistan, to senior officers of the Bangladesh Police Rapid Action Battalion (RAB) unit, with attachments presented as documents related to operational tasks. The sender asks the recipients to review or validate a document, a call data log (CDR), a list of phone numbers, or a list of registered cases, but the attachment is a malicious RTF document or Excel spreadsheet crafted to exploit known security vulnerabilities. When the recipient opens the document, the ZxxZ malware, disguised as a Windows Security update service, is installed and executed on the targeted system. The ZxxZ infection chain achieves remote code execution on the target system by exploiting vulnerabilities tracked as CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802.
Campaigns of this kind give threat actors access to the organization's confidential information. To avoid becoming the target of similar attacks, do not trust e-mails, attachments, or links from unknown parties, and rely on comprehensive security solutions.
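The three CVEs named above are Equation Editor flaws that malicious RTF attachments trigger through an embedded OLE object, so a mail gateway or incident responder can triage an attachment before it reaches a user by looking for that object. The following scanner is an added defensive example written for this page; it is not code from the original report or from any vendor. It assumes nothing about the actual RAB samples: the RTF documents it scans are constructed here, and the only external fact it relies on is the Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046}. It does not parse RTF fully; it surfaces the indicators an analyst would want to see (an obfuscated RTF header, an `\object` destination, an `\objclass` naming Equation Editor, and the CLSID or `Equation.Native` stream name inside the decoded `\objdata` hex).

```python
"""Triage scanner for RTF attachments embedding Equation Editor OLE objects.

Constructed defensive example (not the original report's code). It flags the
indicators associated with CVE-2017-11882 / CVE-2018-0798 / CVE-2018-0802
delivery documents so the attachment can be quarantined for analysis.
"""
import re
from typing import Dict, List

# Equation Editor 3.0 ("Equation.3") CLSID {0002CE02-0000-0000-C000-000000000046}
# as it is laid out little-endian inside an OLE compound stream.
EQUATION3_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")

_OBJCLASS_RE = re.compile(rb"\\\*\\objclass\s+([\w.\-]+)", re.IGNORECASE)
_OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9a-fA-F\s]+)", re.IGNORECASE)
_NON_HEX_RE = re.compile(rb"[^0-9a-fA-F]")


def _decode_objdata(hex_blob: bytes) -> bytes:
    """Turn the hex text of an \\objdata destination back into raw OLE bytes."""
    cleaned = _NON_HEX_RE.sub(b"", hex_blob)
    if len(cleaned) % 2:          # tolerate a truncated trailing nibble
        cleaned = cleaned[:-1]
    try:
        return bytes.fromhex(cleaned.decode("ascii"))
    except ValueError:
        return b""


def scan_rtf(data: bytes) -> Dict[str, object]:
    """Return a verdict ('clean' or 'suspicious') plus the indicators found."""
    findings: List[str] = []
    header = data[:6].lower()
    # Word accepts headers as short as "{\rt"; anything other than "{\rtf1"
    # is a common evasion against naive signature checks.
    if header.startswith(b"{\\rt") and not header.startswith(b"{\\rtf1"):
        findings.append("non-standard RTF header (possible header obfuscation)")
    if b"\\object" in data.lower():
        findings.append("embedded OLE object present")
    for m in _OBJCLASS_RE.finditer(data):
        cls = m.group(1).decode("ascii", "replace")
        if cls.lower().startswith("equation"):
            findings.append(f"objclass {cls}: Equation Editor object")
    for m in _OBJDATA_RE.finditer(data):
        blob = _decode_objdata(m.group(1))
        if b"Equation.Native" in blob:
            findings.append("objdata contains Equation.Native stream name")
        if EQUATION3_CLSID_LE in blob:
            findings.append("objdata contains Equation.3 CLSID")
    verdict = "suspicious" if any("Equation" in f for f in findings) else "clean"
    return {"verdict": verdict, "findings": findings}


# --- Constructed sample documents (not real campaign samples) ---------------
BENIGN_RTF = (
    b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Calibri;}} "
    b"\\f0\\fs22 Quarterly case summary.\\par }"
)

# Minimal OLE-like payload that carries only the strings a triage check
# looks for; it contains no exploit data.
_FAKE_OLE = (
    b"\x01\x05\x00\x00\x02\x00\x00\x00"
    + b"\x0b\x00\x00\x00Equation.3\x00"
    + EQUATION3_CLSID_LE
    + b"Equation.Native\x00"
)
SUSPICIOUS_RTF = (
    b"{\\rt1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
    b"{\\*\\objdata " + _FAKE_OLE.hex().encode("ascii") + b"}}\\par }"
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF)):
        result = scan_rtf(doc)
        print(f"{name}: {result['verdict']}")
        for line in result["findings"]:
            print(f"  - {line}")
```

Run it as a script to see both constructed documents classified; in a gateway you would call `scan_rtf()` on the raw attachment bytes and quarantine anything that comes back `suspicious`. The CLSID check is the most robust of the indicators, because it survives the `\objclass` string being omitted or altered.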