APT Hacker Group Bitter Continues to Attack Military Targets in Bangladesh

July 6, 2022

An advanced persistent threat (APT) operating under the name "Bitter" continues to conduct cyber-attacks against military entities in Bangladesh.

The news comes from a team of SecuInfra cybersecurity researchers, who released an advisory on Tuesday describing the South Asian APT's new tactics.

"Through malicious document files and intermediate malware stages, the threat actors conduct espionage by deploying Remote Access Trojans," reads the advisory.


The SecuInfra findings build on a report published by Talos last May (which disclosed the group's expansion and its intent to target Bangladeshi government organizations) and cover an attack presumably conducted in mid-May 2022.

Specifically, the attack would have originated from a weaponized Excel document, probably distributed via a spear-phishing email.

Once opened, the file would take advantage of the Microsoft Equation Editor exploit (CVE-2018-0798) to drop a payload named ZxxZ from a remote server.

The malicious code would then be executed in Visual C++ and work as a second-stage implant, allowing the attackers to deploy additional malware.

"Comparing this fingerprinting function to the one documented by Cisco Talos, we can see that Bitter abandoned the ZxxZ value separator (that gave the Downloader its name) in exchange for a simple underscore."

According to SecuInfra, the APT did this to avoid detection by IDS/IPS systems whose signatures key on this specific separator.
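The separator swap described above is a good illustration of why a detection rule that keys on one literal delimiter is brittle. The following added example (not code from the SecuInfra advisory or from the ZxxZ malware) contrasts a literal "ZxxZ" signature with a structure-based check over constructed beacon strings; the field layout (three tokens joined by a repeated separator) and all sample values are assumptions for illustration, since this article does not give the real fingerprint format.

```python
import re

# Constructed sample beacons, not real Bitter/ZxxZ traffic. The layout
# "field<SEP>field<SEP>field" is an assumption used only to illustrate the point.
SAMPLE_BEACONS = [
    "DESKTOP-01ZxxZadminZxxZWindows",  # older style: literal "ZxxZ" separator
    "DESKTOP-01_admin_Windows",        # newer style: plain underscore separator
    "GET /index.html HTTP/1.1",        # benign request, should not match
    "user_data_export",                # benign but structurally similar (see note)
]

def literal_signature(payload: str) -> bool:
    """Brittle rule: matches only the literal separator that named the downloader."""
    return "ZxxZ" in payload

# Structure-based rule: capture the separator once (either the known literal or a
# short run of non-alphanumeric characters) and require the same separator to
# repeat between fields, so changing the delimiter alone does not defeat the rule.
FINGERPRINT_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9-]{1,15})"      # NetBIOS-style hostname
    r"(?P<sep>ZxxZ|[^A-Za-z0-9]{1,4})"    # separator: literal or short non-alnum run
    r"(?P<user>[A-Za-z0-9.-]{1,64})"      # username
    r"(?P=sep)"                           # same separator again
    r"(?P<extra>[A-Za-z0-9.-]{1,64})$"    # third field (assumed)
)

def structural_signature(payload: str) -> bool:
    """Robust to separator changes, but see scan() for the precision trade-off."""
    return FINGERPRINT_RE.match(payload) is not None

def scan(beacons):
    """Return {beacon: (literal_hit, structural_hit)} for each sample.

    The last sample shows the cost of the structural rule: it is separator-agnostic
    but will also flag benign strings with the same shape, so in practice it should
    be combined with context such as the destination host or the originating process.
    """
    return {b: (literal_signature(b), structural_signature(b)) for b in beacons}
```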

"The Bitter threat group continues to use their exploitation strategy in Asia with themed lures and internal changes to evade existing detections," SecuInfra explained.

To defend against such attacks, the security researchers said companies and governments should routinely deploy network and endpoint detection and response measures and patch commonly exploited software such as Microsoft Office.

"We will continue to monitor this threat group and report on changes in their Tactics, Techniques and Procedures."

All of the samples mentioned in the SecuInfra advisory have reportedly been made available via the public malware repositories MalwareBazaar and Malshare for verification and further research.


Some parts of this write-up are sourced from:
www.infosecurity-magazine.com
