Bitter, an APT group reportedly engaged in cyber espionage, has been observed targeting the Bangladesh government with new malware that has remote file execution capabilities.
The campaign has been active since at least August 2021 and illustrates the group's typical targeting scope.
Bitter APT Group Campaign: More Details
Threat analysts at Cisco Talos discovered this malicious campaign and detailed it in a published report.
Based on C2 IP address overlaps with past campaigns, similarities in string encryption, and the group's module-naming conventions, the researchers attributed this campaign to the Bitter APT group.
The experts noticed two infection chains. Both of them began with a spear-phishing email and targeted different groups within the Bangladeshi government.
These emails come from spoofed addresses that appear to belong to Pakistani government institutions.
This was most probably achieved by exploiting a bug in the Zimbra mail server that let the threat actors send messages from an email account or domain that does not exist.
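The spoofed-sender technique described above is exactly what SPF/DKIM alignment checks on the receiving side are meant to catch. The following is an added example, not code from the article or from the Talos report: it parses a message, takes the domain of the visible From header, reads the Authentication-Results header stamped by the receiving mail server, and reports whether any passing SPF or DKIM result actually aligns with that From domain (a DMARC-style relaxed alignment). The two sample messages and the domains gov.example.pk and mail.example.bd are constructed placeholders, not real infrastructure.

```python
"""Added example: flag messages whose visible From domain is not backed by an
aligned SPF or DKIM pass. Not from the article or the Talos report."""
from email import message_from_string, policy
from email.utils import parseaddr
import re

# Constructed sample messages with placeholder domains (not real mail).
LEGIT_MESSAGE = """\
From: Ministry Contact <contact@gov.example.pk>
To: recipient@mail.example.bd
Subject: Meeting notes
Authentication-Results: mail.example.bd; spf=pass smtp.mailfrom=bounce@gov.example.pk; dkim=pass header.d=gov.example.pk

Body text.
"""

# Visible From claims a government domain, but the envelope sender domain that
# the receiving MTA evaluated is a different, non-existent domain.
SPOOFED_MESSAGE = """\
From: Ministry Contact <contact@gov.example.pk>
To: recipient@mail.example.bd
Subject: Urgent document
Authentication-Results: mail.example.bd; spf=fail smtp.mailfrom=no-such-domain.example; dkim=none

Body text.
"""


def from_domain(msg) -> str:
    """Domain part of the RFC 5322 From address, lower-cased."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def parse_auth_results(header: str) -> dict:
    """Map 'spf'/'dkim' -> (result, authenticated domain) from Authentication-Results."""
    results = {}
    # The first clause is the authserv-id; the rest are method=result clauses.
    for clause in header.split(";")[1:]:
        m = re.match(r"\s*(spf|dkim)=(\w+)(.*)", clause)
        if not m:
            continue
        method, result, rest = m.groups()
        dm = re.search(r"(?:smtp\.mailfrom|header\.d|header\.i)=([^\s]+)", rest)
        domain = dm.group(1).rpartition("@")[2].lower() if dm else ""
        results[method] = (result.lower(), domain)
    return results


def aligned(from_dom: str, auth_dom: str) -> bool:
    """Relaxed DMARC-style alignment: same domain, or one is a subdomain of the other."""
    if not from_dom or not auth_dom:
        return False
    return (from_dom == auth_dom
            or from_dom.endswith("." + auth_dom)
            or auth_dom.endswith("." + from_dom))


def assess(raw: str) -> dict:
    """Return the From domain, per-method alignment, and an overall verdict."""
    msg = message_from_string(raw, policy=policy.default)
    fdom = from_domain(msg)
    ar = parse_auth_results(str(msg.get("Authentication-Results", "")))
    spf_res, spf_dom = ar.get("spf", ("none", ""))
    dkim_res, dkim_dom = ar.get("dkim", ("none", ""))
    spf_ok = spf_res == "pass" and aligned(fdom, spf_dom)
    dkim_ok = dkim_res == "pass" and aligned(fdom, dkim_dom)
    return {
        "from_domain": fdom,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # A message with no aligned pass deserves a closer look; it may be spoofed.
        "verdict": "authenticated" if (spf_ok or dkim_ok) else "suspect-spoof",
    }


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(name, assess(raw))
```

The check deliberately trusts only the Authentication-Results header added by your own mail server (the authserv-id clause); in a real deployment you would also strip or ignore any such header that arrived from outside, since a sender can forge it as easily as the From line.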
The difference between the two infection chains is the type of file attached to the malicious email: one carries an .RTF document, while the other carries an .XLSX document.
This campaign targets an