Cyber Incident Victim: Government of Bangladesh
Date: Aug 2021
Location: Bangladesh
Summary
A cyberespionage group known as Bitter targeted the Bangladeshi government using spear-phishing emails impersonating Pakistani entities, delivering malicious RTF and Excel attachments exploiting Microsoft Office vulnerabilities to execute remote code. The attacks deployed the ZxxZ malware, which featured privilege escalation, anti-detection mechanisms, and persistent retry attempts, enabling data exfiltration to command-and-control servers. This campaign demonstrated the group's continued refinement of tools to evade detection while focusing on intelligence gathering from South Asian governmental organizations.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The Bitter advanced persistent threat (APT) group conducted a cyberespionage campaign targeting Bangladeshi government entities beginning in August 2021, deploying newly identified malware with remote execution capabilities. Attackers initiated two distinct infection chains via spear-phishing emails spoofed to appear as originating from Pakistani government organizations, leveraging document themes related to call records and number verification relevant to official operations. One chain distributed RTF documents exploiting CVE-2017-11882, triggering remote code execution through Microsoft Office’s Equation Editor component to execute Return-Oriented Programming gadgets that downloaded encrypted shellcode from the domain olmajhnservice[.]com. The second chain delivered XLSX spreadsheets exploiting CVE-2018-0798 and CVE-2018-0802, establishing persistence by creating scheduled tasks to retrieve malicious payloads every five minutes. Both exploits targeted unpatched Microsoft Office installations to deploy the ZxxZ malware, a 32-bit Windows executable designed to download additional modules with generic filenames.

The ZxxZ malware employed privilege escalation techniques by masquerading as Windows updates and incorporated anti-detection measures including string obfuscation and termination of antivirus processes. Upon successful execution, it activated information-stealing functions to exfiltrate victim data to command-and-control servers, persisting through 225 retry attempts if initial payload loading failed. Cisco Talos attributed the campaign to Bitter based on infrastructure overlaps with historical operations, consistent string encryption methods, and module naming conventions. The sustained targeting aligned with Bitter’s decade-long focus on South Asian governmental entities. Security analysts disseminated indicators of compromise to enable network defenders to identify and mitigate threats associated with the group’s evolving toolset.
