Cyber Incident Victim: Bitter
Date: May 2022
Location: Bangladesh
Summary
An advanced persistent threat group known as Bitter conducted cyber-espionage operations targeting military entities in Bangladesh through weaponized Excel documents distributed via spear-phishing. The attack exploited a known Microsoft Office vulnerability to deploy malware payloads, including a second-stage implant developed in Visual C++ that facilitated remote access and further malware deployment. The group modified its malware's fingerprinting function, replacing a distinctive separator with an underscore to evade detection systems, while keeping the same exploitation approach and themed lures. Security researchers confirmed that the attacks involved Remote Access Trojans designed for intelligence gathering against strategic targets.
Description
The Bitter advanced persistent threat group conducted a cyber-espionage campaign targeting Bangladeshi military entities around mid-May 2022, as documented in a July 2022 advisory by SecuInfra cybersecurity experts. Attackers distributed a weaponized Excel document likely through spear-phishing emails, leveraging the patched Microsoft Equation Editor vulnerability CVE-2018-0798 to execute malicious code. Upon successful exploitation, the initial payload retrieved a second-stage implant named ZxxZ from a remote server, which was developed in Visual C++ to enable further malware deployment. This implant facilitated the installation of Remote Access Trojans designed for persistent system access and intelligence gathering. The attack methodology represented a continuation of campaigns previously identified by Cisco Talos in May 2022, which had warned about Bitter's expanding operations against Bangladeshi government targets.

SecuInfra's analysis revealed tactical modifications in Bitter's operations, including the replacement of the distinctive "ZxxZ" value separator with a simple underscore in the malware's fingerprinting function to bypass intrusion detection systems. These changes demonstrated the group's ongoing efforts to evade security measures while maintaining its focus on Asian targets through theme-specific lures. The cybersecurity firm made all identified malware samples available via the public repositories MalwareBazaar and Malshare to enable independent verification and collaborative research. Security researchers emphasized the importance of network monitoring and endpoint detection measures while noting Bitter's continued adaptation of its Tactics, Techniques, and Procedures. SecuInfra committed to ongoing surveillance of the threat group's activities to document future operational shifts.
