
Cyber Incident Victim: Military entities in Bangladesh

Date:

May 2022

Location:

Bangladesh

Summary

The advanced persistent threat group known as Bitter conducted cyber-espionage operations against military entities in Bangladesh using weaponized Excel documents distributed via spear-phishing emails. The documents exploited a known, long-patched Microsoft Equation Editor vulnerability to download ZxxZ, a second-stage downloader written in Visual C++ that retrieved further malware and gave the operators remote access to compromised hosts. The group also altered the victim fingerprint string its malware sends to its command-and-control server, replacing the characteristic "ZxxZ" separator with an underscore so that intrusion detection signatures written for the original token no longer match. This shows continued adaptation of the tooling while the group kept its focus on regional targets. The campaign provided unauthorized system access and intelligence gathering through persistent remote control of the infected machines.

CIA Posture:

Available to members

Motives:

1 motive (details available to members)

Tactics, Techniques & Procedures:

1 technique (details available to members)

Threat Actor:

1 actor

Type:

Available to members

Actor Location:

Available to members

Description

In mid-May 2022, the advanced persistent threat (APT) group known as Bitter conducted a cyber-espionage campaign targeting military entities in Bangladesh. The attack began with a weaponized Excel document, most likely delivered by spear-phishing email, which exploited the Microsoft Equation Editor vulnerability CVE-2018-0798 when opened. The exploit downloaded and executed a payload named ZxxZ from a remote server. ZxxZ is a second-stage downloader written in Visual C++; its role is to fetch and run additional malware on the compromised host rather than to carry the final capability itself. Security firm SecuInfra documented the activity and noted that it matched Cisco Talos reporting from May 2022 on Bitter's expansion into targeting Bangladeshi government organizations. The follow-on malware provided remote access trojan (RAT) functionality, enabling persistent surveillance and data exfiltration. The attackers relied on these intermediate stages to keep the final payload off the initial lure, with the malicious document serving only as the infection vector.


SecuInfra observed Bitter modifying its tooling: the "ZxxZ" string that earlier samples used to separate the fields of the victim fingerprint sent to the command-and-control server was replaced with an underscore. The change appears intended to bypass intrusion detection and prevention systems (IDS/IPS) whose signatures matched on the distinctive separator; a rule keyed to the literal token no longer fires even though the malware's behaviour is otherwise unchanged. The adaptation reflects the group's continued refinement of its approach while it kept lures themed for Asian targets. The campaign's primary objective was espionage through sustained network access. All samples from the attack were uploaded to the public malware repositories MalwareBazaar and Malshare for independent analysis. In response to the threat, SecuInfra stressed the need for network and endpoint detection alongside prompt patching of vulnerable software such as Microsoft Office; the exploited Equation Editor bug had been patched by Microsoft in 2018, so an up-to-date Office installation is not affected by the lure. The firm committed to continued monitoring of Bitter's evolving tactics, techniques, and procedures (TTPs) but did not disclose specific mitigation outcomes or a victim impact assessment beyond the confirmed compromise methodology.
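The separator change above is a small illustration of why a signature keyed to one literal string is brittle. The following is an added example, not code from SecuInfra or from the malware, showing a literal-token rule beside a structural rule that captures the separator once and requires it to repeat between fields. The check-in bodies, the field order (hostname, account name, OS string) and the separator candidates are constructed assumptions for the demonstration; the page does not describe the real beacon layout.

```python
import re

# Constructed sample check-in bodies (assumed layout: host / user / OS string).
# These are illustrative strings, not real captures from the campaign.
OLD_BEACON = "DESKTOP-7Q2ZxxZj.rahmanZxxZWindows 10 Pro"   # original separator
NEW_BEACON = "DESKTOP-7Q2_j.rahman_Windows 10 Pro"         # underscore variant
BENIGN = "build_artifact_2022_05_v3"                       # ordinary underscored data

# 1) Literal content signature: the kind of IDS rule that flagged the
#    original samples. One token change by the operator and it goes dark.
LITERAL_TOKEN = "ZxxZ"


def literal_signature(body: str) -> bool:
    """True if the body contains the hard-coded separator token."""
    return LITERAL_TOKEN in body


# 2) Structural signature: match the shape of the fingerprint instead of a
#    single literal. The separator is captured once and must repeat (backreference),
#    and each field must look like what it claims to be. Candidates are listed
#    explicitly so the rule stays auditable; extend it as variants are observed.
SEPARATOR_CANDIDATES = ["ZxxZ", "_"]  # assumed set for this example
_sep_alt = "|".join(re.escape(s) for s in SEPARATOR_CANDIDATES)
STRUCTURAL_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9-]{1,15})"   # NetBIOS-style hostname
    rf"(?P<sep>{_sep_alt})"            # first separator, captured
    r"(?P<user>[A-Za-z0-9.]+)"         # account name
    r"(?P=sep)"                        # the same separator must recur
    r"(?P<os>Windows [A-Za-z0-9 .]+)$" # OS version string
)


def structural_signature(body: str):
    """Return the parsed fields (including which separator was used) or None."""
    m = STRUCTURAL_RE.match(body)
    return m.groupdict() if m else None


def classify(body: str) -> dict:
    """Run both rules over one body so results can be compared side by side."""
    parsed = structural_signature(body)
    return {
        "literal_hit": literal_signature(body),
        "structural_hit": parsed is not None,
        "separator": parsed["sep"] if parsed else None,
    }


if __name__ == "__main__":
    for label, body in [("old", OLD_BEACON), ("new", NEW_BEACON), ("benign", BENIGN)]:
        print(label, classify(body))
```

The literal rule fires on the old beacon and misses the new one; the structural rule catches both and still ignores the benign string because its third field is not an OS string. The caveat is that an underscore is common in legitimate data, so this rule leans on the field shapes and would need tuning against real traffic. More generally, a signature on an attacker-chosen string is always a chase, which is why the report pairs network detection with endpoint detection and patching rather than relying on either alone.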

Sources

1 source (available to members)