Military entities located in Bangladesh continue to be at the receiving end of sustained cyberattacks by an advanced threat actor tracked as Bitter. Bitter is believed to have been active since 2013, attacking targets in China, Pakistan, and Saudi Arabia with tools including BitterRAT and AntraDownloader. SECUINFRA, a Berlin-based cybersecurity firm, found that the threat actor conducts espionage by deploying remote access trojans (RATs) via malicious document files and intermediate malware stages. These findings build on a previous report from Cisco Talos, which disclosed the group's expanded targeting of Bangladeshi government organizations with the ZxxZ backdoor.

Bitter's most recent attack is believed to have been conducted in May, using a weaponized Excel document distributed via a spear-phishing email. The document exploits a Microsoft Equation Editor vulnerability (CVE-2018-0798) to fetch the next-stage binary from a remote server; that stage then deploys ZxxZ, which lets the adversary load additional malware onto the target system.
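As an added defensive example (not code from SECUINFRA's or Cisco Talos' reporting), the routine below triages constructed endpoint events for the process behaviour such a chain leaves behind: Excel launching Equation Editor (EQNEDT32.EXE is the Equation Editor binary), and Equation Editor then spawning a child process or opening a network connection to fetch a next stage. The event field names and the sample events are assumptions made for this illustration.

```python
"""Triage endpoint events for Equation Editor (CVE-2018-0798 style) abuse."""

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
EQNEDT = "eqnedt32.exe"  # Microsoft Equation Editor binary

# Constructed sample telemetry (assumed schema, not real data).
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "EXCEL.EXE"},
    {"type": "process", "parent": "EXCEL.EXE", "image": "EQNEDT32.EXE"},
    {"type": "network", "image": "EQNEDT32.EXE", "dest": "203.0.113.5:443"},
    {"type": "process", "parent": "EQNEDT32.EXE", "image": "cmd.exe"},
    {"type": "process", "parent": "explorer.exe", "image": "notepad.exe"},
    {"type": "network", "image": "EXCEL.EXE", "dest": "192.0.2.10:443"},
]


def triage_equation_editor(events):
    """Return (severity, reason) pairs for events consistent with
    Equation Editor exploitation, in the order they were seen."""
    findings = []
    for ev in events:
        image = ev["image"].lower()
        if ev["type"] == "process":
            parent = ev["parent"].lower()
            if parent == EQNEDT:
                # Equation Editor never needs to launch other programs;
                # any child process is a strong exploitation signal.
                findings.append(("high", f"{EQNEDT} spawned {image}"))
            elif image == EQNEDT and parent in OFFICE_APPS:
                # Legitimate equation objects also do this, so on its own
                # it is weak; it matters when followed by the rules above/below.
                findings.append(("low", f"{parent} launched {EQNEDT}"))
        elif ev["type"] == "network" and image == EQNEDT:
            # Equation Editor has no reason to talk to the network; this is
            # where a next-stage download from a remote server would show up.
            findings.append(("high", f"{EQNEDT} connected to {ev['dest']}"))
    return findings


def has_high_confidence_chain(events):
    """True when at least one high-severity finding exists."""
    return any(sev == "high" for sev, _ in triage_equation_editor(events))


if __name__ == "__main__":
    for severity, reason in triage_equation_editor(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}")
```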