Military entities located in Bangladesh continue to be targeted by sustained cyberattacks from an advanced persistent threat tracked as Bitter. Bitter is believed to have been active since 2013, attacking targets in China, Pakistan, and Saudi Arabia with tools including BitterRAT and ArtraDownloader. SECUINFRA, a Berlin-based cybersecurity firm, found that the group is conducting espionage by deploying remote access trojans (RATs) via malicious document files and intermediate malware stages. These findings build on an earlier report from Cisco Talos, which disclosed the group's expansion into targeting Bangladeshi government organizations with the ZxxZ backdoor.
Bitter's most recent attack is believed to have taken place in May. It used a weaponized Excel document, delivered by a spear-phishing email, that exploits a memory-corruption flaw in the Microsoft Equation Editor component (CVE-2018-0798) to fetch the next-stage binary from a remote server. That stage then deploys ZxxZ, which lets the adversary load additional malware onto the compromised system.
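As an added triage example, not code from the SECUINFRA or Cisco Talos reports, the following Python script checks whether an OOXML package (xlsx or docx) carries an embedded Equation Editor (Equation.3) OLE object, the component that CVE-2018-0798 lives in. It scans the package's embeddings/ entries for the Equation Editor CLSID in the packed little-endian form found in an OLE compound file and for its ProgID string. The sample package it builds is constructed in memory for illustration only and contains no exploit; the CLSID value is the well-known Equation.3 class identifier, and the marker strings are an assumption about what a real embedded object carries.

```python
import io
import uuid
import zipfile
from typing import List

# CLSID of the Equation Editor (Equation.3) OLE class, the component in which
# CVE-2018-0798 lives. .bytes_le yields the packed little-endian form that
# appears in an OLE compound file's directory entry.
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le
# ProgID / description strings typically present in the object's CompObj
# stream (assumed markers; a real sample may carry them in UTF-16 as well).
EQNEDT_PROGID_MARKERS = (b"Equation.3", b"Microsoft Equation")


def scan_ooxml(data: bytes) -> List[str]:
    """Return triage findings for an OOXML (xlsx/docx) package given as bytes."""
    findings: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not an OOXML zip container"]
    for name in zf.namelist():
        # Embedded OLE objects live under */embeddings/ in OOXML packages.
        if "/embeddings/" not in name:
            continue
        blob = zf.read(name)
        if EQNEDT_CLSID in blob:
            findings.append(f"{name}: Equation Editor CLSID present")
        for marker in EQNEDT_PROGID_MARKERS:
            if marker in blob:
                findings.append(f"{name}: ProgID marker {marker.decode()!r} present")
    return findings


def build_sample(embed_eqnedt: bool) -> bytes:
    """Construct a minimal fake xlsx package in memory (constructed sample, no exploit)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if embed_eqnedt:
            # Fake OLE blob: only the CLSID bytes and a ProgID string, not a
            # real compound file, which is enough to exercise the scanner.
            zf.writestr(
                "xl/embeddings/oleObject1.bin",
                b"\x00" * 16 + EQNEDT_CLSID + b"Equation.3\x00",
            )
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("benign", build_sample(False)), ("suspect", build_sample(True))):
        print(label, scan_ooxml(sample) or ["no Equation Editor object"])
```

Finding an Equation Editor object is a strong triage signal rather than proof of exploitation: Microsoft removed the component in 2018, so any recent document that still embeds one deserves a closer look in a sandbox or with a full OLE parser such as olefile. A fuller scanner would also handle legacy .xls and .doc compound files, where the same CLSID appears in the directory entry of the embedded object's storage.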
Evidence suggests that Bitter is actively modifying its source code to evade detection. A notable change is the replacement of the "ZxxZ" separator, previously used when sending collected information back to the command-and-control server, with an underscore; detection logic keyed on that literal string would therefore miss the newer samples. Bitter also used a new backdoor, dubbed Almond RAT, in its most recent attack. It offers basic data gathering and the ability to execute arbitrary commands, and it employs obfuscation and string encryption to evade detection and hinder analysis. The new design poses a particular threat because it can be quickly modified and adapted to a given attack scenario.