The researchers again found attacks by the "Cranberry" APT group against Bangladeshi military groups

Author: Pinocchio's house

Military entities located in Bangladesh continue to be at the receiving end of sustained cyberattacks by an advanced persistent threat tracked as Bitter.

"Through malicious document files and intermediate malware stages the threat actors conduct espionage by deploying Remote Access Trojans," cybersecurity firm SECUINFRA said in a new write-up published on July 5.

The findings from the Berlin-headquartered company build on a previous report from Cisco Talos in May, which disclosed the group's expansion in targeting to strike Bangladeshi government organizations with a backdoor called ZxxZ.

Bitter, also tracked under the codenames APT-C-08 and T-APT-17, is said to have been active since at least late 2013 and has a track record of targeting China, Pakistan, and Saudi Arabia using different tools such as BitterRAT and ArtraDownloader.

The latest attack chain detailed by SECUINFRA is believed to have been conducted in mid-May 2022. It originates with a weaponized Excel document, likely distributed by means of a spear-phishing email, that, when opened, exploits the Microsoft Equation Editor vulnerability (CVE-2018-0798) to drop the next-stage binary from a remote server.

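As an added defensive illustration (not code from the article or from SECUINFRA), the following triage heuristic flags OOXML workbooks whose embedded OLE objects reference Microsoft Equation Editor, the component abused through CVE-2018-0798 in the chain above. The Equation 3.0 CLSID and the "Equation Native" stream name are real identifiers; the sample workbook is constructed in memory and is not a real exploit document.

```python
# Added triage heuristic: flag OOXML files whose embedded OLE objects reference
# Microsoft Equation Editor. Sample input is constructed inline (not a real exploit).
import io
import uuid
import zipfile

# Real CLSID of "Microsoft Equation 3.0"; stored little-endian in a CFB directory entry.
EQUATION_CLSID_LE = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le
# Stream name used by Equation Editor objects, as stored in a CFB directory (UTF-16LE).
EQUATION_STREAM = "Equation Native".encode("utf-16-le")
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def equation_editor_indicators(ooxml_bytes: bytes) -> list[str]:
    """Return names of embedded parts that look like Equation Editor OLE objects."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for name in zf.namelist():
            # OOXML stores embedded OLE objects under <root>/embeddings/*.bin
            if "/embeddings/" not in name or not name.endswith(".bin"):
                continue
            blob = zf.read(name)
            if not blob.startswith(CFB_MAGIC):
                continue  # not an OLE compound file; skip
            if EQUATION_CLSID_LE in blob or EQUATION_STREAM in blob:
                hits.append(name)
    return hits


def build_sample_workbook(embed_equation: bool) -> bytes:
    """Construct a minimal, fake .xlsx in memory for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if embed_equation:
            # Fake CFB header plus a directory-entry fragment carrying the Equation markers
            zf.writestr("xl/embeddings/oleObject1.bin",
                        CFB_MAGIC + b"\x00" * 504 + EQUATION_STREAM + EQUATION_CLSID_LE)
        else:
            zf.writestr("xl/embeddings/oleObject1.bin", CFB_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    print(equation_editor_indicators(build_sample_workbook(True)))   # ['xl/embeddings/oleObject1.bin']
    print(equation_editor_indicators(build_sample_workbook(False)))  # []
```

Legitimate documents that embed Equation 3.0 objects also match, so treat a hit as a triage signal for sandboxing rather than a verdict. Legacy binary .xls files are not zip containers and are outside this check.
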
ZxxZ (or MuuyDownloader by the Qi-Anxin Threat Intelligence Center), as the downloaded payload is called, is implemented in Visual C++ and functions as a second-stage implant that allows the adversary to deploy additional malware.

The most notable change in the malware involves abandoning the "ZxxZ" separator used when sending information back to the command-and-control (C2) server in favor of an underscore, suggesting that the group is actively making modifications to its source code to stay under the radar.

Also put to use by the threat actor in its campaigns is a backdoor dubbed Almond RAT, a .NET-based RAT that first came to light in May 2022 and offers basic data gathering functionality and the ability to execute arbitrary commands. Additionally, the implant employs obfuscation and string encryption techniques to evade detection and to hinder analysis.

"Almond RAT's main purposes seem to be file system discovery, data exfiltration and a way to load more tools/establish persistence," the researchers said. "The design of the tools seems to be laid out in a way that it can be quickly modified and adapted to the current attack scenario."
