Bitter APT Targets Bangladesh’s Key Institutions Through Phishing Emails

It has been detected that the threat actors known for their espionage campaigns targeting China, Pakistan, and Saudi Arabia have targeted Bangladesh institutions and organizations as part of a campaign going on since August 2021. Cisco Talos security researchers attributed the campaign to threat actors called Bitter APT based on similarities in the command and control (C2) infrastructure of other campaigns analyzed. The group, also known as T-APT-17, uses harmful software such as BitterRAT, ArtraDownloader, and AndroRAT, to target the energy sector and government institutions in South Asia.

Threat actors submitted documents allegedly related to operational tasks to senior officers of the Bangladesh Police Rapid Action Battalion Unit (RAB) through phishing emails, which appear to be originated from Pakistan. The sender requests that the destinations review or validate a malicious document, a call data log (CDR), a list of phone numbers, or a list of registered cases, but emails contain a malicious RTF document or an Excel table to use to exploit known security vulnerabilities. With the view of the content of the documents, malicious software ZxxZ, which appears to be a Windows Security update service, is installed and run on the intended system. ZxxZ allows remote code execution attacks on the target system by exploiting vulnerabilities tracked as CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802.

Such campaigns allow threat actors to access the organization’s confidential information. In this context, to not be the target of similar attacks, it is recommended not to rely on e-mails, attachments, and links from unknown parties and to prefer comprehensive security solutions.