October 21, 2016
Pakistan government officials are the target of a recent cyber-espionage campaign from an unknown source, which has been distributing Remote Access Trojans in the hope of infecting targets and stealing sensitive documents.
The attacks targeted individuals in several branches of the Pakistani government and took the form of spear-phishing emails spoofed to look like they came from another Pakistani state official.
The attackers used DOC and XLS files, which were booby-trapped with the CVE-2012-0158 exploit to automatically download and install a RAT from an online server.
BITTER group deployed custom RAT
Security firm Forcepoint discovered the attacks, which it collectively named BITTER based on a common piece of text found in the HTTP requests used to steal data.
Based on malware samples and modus operandi, Forcepoint says the BITTER attacks started in November 2013 and stayed under the radar for all these years.
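A recurring string in the RAT's exfiltration requests is exactly the kind of indicator a network defender can hunt for in web-proxy logs. The following is an added example, not code from the article or from Forcepoint; the marker string, the log layout and the log lines are all constructed placeholders, since the article does not publish the actual text seen in the BITTER requests. It parses proxy log lines, flags any request whose URL path or query values carry the marker, and sums the bytes sent per client and destination so that the volume of a suspected document upload stands out.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hypothetical marker: Forcepoint named the campaign after a recurring piece of
# text in the RAT's HTTP requests, but the article does not give the exact
# string, so replace this placeholder with the real indicator when hunting.
MARKER = "BITTER_PLACEHOLDER"

# Constructed sample proxy log lines (not real traffic), in a simple
# "client method url status bytes" layout.
SAMPLE_LOG = """\
10.0.0.12 GET http://example.invalid/index.html 200 512
10.0.0.31 POST http://203.0.113.5/upload.php?id=BITTER_PLACEHOLDER&f=report.doc 200 40960
10.0.0.12 GET http://example.invalid/news 200 2048
10.0.0.44 POST http://203.0.113.5/upload.php?id=BITTER_PLACEHOLDER&f=budget.xls 200 30720
"""

LINE_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = int(entry["bytes"])
    return entry


def is_suspect(entry, marker=MARKER):
    """True if the request URL carries the marker in its path or in any query value."""
    parts = urlsplit(entry["url"])
    if marker in parts.path:
        return True
    for values in parse_qs(parts.query).values():
        if any(marker in v for v in values):
            return True
    return False


def scan_log(text, marker=MARKER):
    """Return every parsed log entry whose URL matches the marker."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and is_suspect(entry, marker):
            hits.append(entry)
    return hits


def summarize(hits):
    """Group hits by (client, destination host) and sum the bytes sent to each."""
    summary = {}
    for h in hits:
        key = (h["client"], urlsplit(h["url"]).hostname)
        summary[key] = summary.get(key, 0) + h["bytes"]
    return summary


if __name__ == "__main__":
    for (client, host), total in summarize(scan_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: {total} bytes in marked requests")
```

Matching on the query values rather than on the raw line avoids false positives from the marker appearing in an unrelated field, and the per-client byte totals are what turn a string match into something an analyst can act on: two internal hosts each posting tens of kilobytes to the same external server is the pattern the article describes.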
The mysterious group behind these attacks used a custom RAT to infect targets. Based on an analysis of the RAT’s source code, Forcepoint lists its capabilities.
The company says the RAT can collect general system information on the infected computer, open a remote command shell, list processes with active UDP connections, alter running processes, alter local files, and download and execute files from a remote location.