Beware! New ZxxZ Trojan Used by Bitter APT
Security researchers have been tracking an ongoing malicious campaign targeting entities located in Bangladesh. The campaign has been in progress since the second half of last year and makes use of a new Trojan dubbed ZxxZ.
Researchers are attributing the malicious campaign to the Bitter APT even though Bitter had previously been targeting entities in China, Saudi Arabia and Pakistan. The command and control server infrastructure shows sufficient overlap to give "moderate confidence" that the new campaign is also run by Bitter.
The campaign spreading the ZxxZ trojan is targeting high-ranking government officials in Bangladesh and uses lures related to regular tasks carried out in those departments. The malicious attachment in the emails is an Office file crafted to launch the Equation Editor and exploit it to run shellcode. The malicious files abuse three known MS Office vulnerabilities.
Once the shellcode executes, it fetches the ZxxZ payload from a remote server and runs it. The malware is disguised as a Windows security update service. ZxxZ gives its operators remote code execution capabilities, which means further malware can be downloaded onto the victim system.
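The delivery chain described above (Office document launches the Equation Editor, the Equation Editor runs shellcode, the shellcode fetches a payload over the network) gives defenders a tight behavioural signal: the Equation Editor is a document renderer and should never spawn child processes or open network connections. The following detection heuristic is an added example, not code from the article or from any vendor. It assumes the usual Equation Editor binary name (EQNEDT32.EXE) and Office host process names, and the log records it runs over are constructed, not captured from a real incident.

```python
"""Detection heuristic for an Office-to-Equation-Editor-to-shellcode chain.
Added example; the events below are constructed, not real telemetry."""

from dataclasses import dataclass
from typing import Iterable, List

# Assumption: binary names as shipped by Microsoft; adjust to local telemetry.
EQUATION_EDITOR = "eqnedt32.exe"
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass
class Event:
    kind: str          # "process_create" or "network_connect"
    process: str       # process_create: new child image; network_connect: connecting image
    parent: str = ""   # process_create only: parent image
    dest: str = ""     # network_connect only: destination "ip:port"


def _base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_eqnedt_abuse(events: Iterable[Event]) -> List[str]:
    """Return one finding string per event that matches the chain.

    Heuristics (defender rules written for this example, not signatures
    published with the article):
      1. An Office host spawns the Equation Editor: LOW, worth correlating.
      2. The Equation Editor spawns any child process: HIGH, it should not run code.
      3. The Equation Editor opens a network connection: HIGH, payload fetch.
    """
    findings: List[str] = []
    for ev in events:
        proc, parent = _base(ev.process), _base(ev.parent)
        if ev.kind == "process_create":
            if parent in OFFICE_HOSTS and proc == EQUATION_EDITOR:
                findings.append(f"LOW: {parent} launched Equation Editor")
            elif parent == EQUATION_EDITOR:
                findings.append(f"HIGH: Equation Editor spawned {proc}")
        elif ev.kind == "network_connect" and proc == EQUATION_EDITOR:
            findings.append(f"HIGH: Equation Editor connected to {ev.dest}")
    return findings


# Constructed sample: a benign Word launch, then the malicious chain, then
# an unrelated benign process. 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    Event("process_create",
          r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          parent=r"C:\Windows\explorer.exe"),
    Event("process_create",
          r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
          parent=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    Event("network_connect",
          r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
          dest="203.0.113.10:443"),
    Event("process_create",
          r"C:\Users\user\AppData\Local\Temp\update.exe",
          parent=r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"),
    Event("process_create",
          r"C:\Windows\System32\notepad.exe",
          parent=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for line in detect_eqnedt_abuse(SAMPLE_EVENTS):
        print(line)
```

Run against the sample, the function reports the Word-to-Equation-Editor launch at low severity and both the outbound connection and the dropped executable at high severity, while the benign Explorer-launched processes produce nothing. Rule 1 alone is noisy on hosts that still use legacy equations in documents, so it is deliberately low severity; rules 2 and 3 are the ones worth alerting on, and they would also catch the second-stage download the article describes, whatever name the dropped file carries.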
All of this makes ZxxZ a serious threat to systems running outdated MS Office installs. The trojan can cause considerable harm to the victim and exposes them to data theft and espionage.