No clues on the attackers' identity as of yet

Oct 21, 2016 20:35 GMT

Pakistan government officials are the target of a recent cyber-espionage campaign from an unknown source, which has been distributing Remote Access Trojans in the hope of infecting targets and stealing sensitive documents.

The attacks targeted individuals in several branches of the Pakistani government and took the form of spear-phishing emails spoofed to look like they came from another Pakistani state official.

The attackers used DOC and XLS files, which were booby-trapped with the CVE-2012-0158 exploit to automatically download and install a RAT from an online server.

BITTER group deployed custom RAT

Security firm Forcepoint discovered the attacks, which they collectively named BITTER based on a common piece of text found in the HTTP requests used to steal data.

Based on malware samples and modus operandi, Forcepoint says BITTER attacks started in November 2013 and went under the radar for all these years.

The mysterious group behind these attacks used a custom RAT to infect targets. Based on an analysis of the RAT's source code, Forcepoint lists its capabilities.

The company says the RAT can collect general system information on the infected computer, open a remote command shell, list processes with active UDP connections, alter running processes, alter local files, and download and execute files from a remote location.

RAT targeted sensitive files for exfiltration

Beyond these capabilities, the RAT's main function is to search the infected system for specific file types, including DOC, PPT, XLS, DOCX, PPTX, XLSX, PDF, ZIP, 7Z, TXT, and RTF.

Targeting these file extensions is typical of both economically and politically motivated cyber-espionage campaigns. Given that the BITTER group went after government officials, political espionage may be the true purpose of this campaign.
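As an added defensive illustration, not code from Forcepoint or this article: a small Python triage script that runs the exfiltration pattern described above (HTTP uploads of the targeted document types, a recurring marker string in the request, uploads straight to a bare IP) over a few constructed proxy log lines. The log format, hostnames and addresses are assumptions, and EXFIL_MARKER is a placeholder because the article does not quote the actual string.

```python
import re
from collections import defaultdict

# File extensions the BITTER RAT hunts for, as listed in the Forcepoint findings above.
TARGET_EXTS = ("doc", "ppt", "xls", "docx", "pptx", "xlsx", "pdf", "zip", "7z", "txt", "rtf")
# Placeholder: the article does not quote the recurring text Forcepoint saw in the
# exfiltration requests, so this value is an assumption to be replaced with the real string.
EXFIL_MARKER = "MARKER_STRING_PLACEHOLDER"

# Constructed proxy log lines (not real traffic): time, client, method, host, path, bytes out.
SAMPLE_LOG = """\
2016-10-21T09:12:01Z 10.0.0.15 GET  intranet.example.gov /news/index.html 412
2016-10-21T09:12:44Z 10.0.0.15 POST 198.51.100.23 /upload.php?f=budget_2017.xlsx 184320
2016-10-21T09:13:02Z 10.0.0.15 POST 198.51.100.23 /upload.php?f=minutes.docx&t=MARKER_STRING_PLACEHOLDER 90112
2016-10-21T09:15:10Z 10.0.0.22 GET  cdn.example.net /lib/jquery.min.js 88000
2016-10-21T09:16:30Z 10.0.0.22 POST mail.example.gov /owa/attach?name=photo.jpg 2048
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\S+)\s+(\d+)$")
# A targeted extension closing a filename inside the URL (at the end or before ?, & or /).
EXT_RE = re.compile(r"[\w\-]+\.(?:" + "|".join(TARGET_EXTS) + r")(?=$|[?&/])", re.I)
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_line(line):
    """Split one proxy log line into a dict (bytes kept as text); None if it does not fit."""
    m = LINE_RE.match(line.strip())
    return m and dict(zip(("ts", "src", "method", "host", "path", "bytes"), m.groups()))

def classify(rec):
    """Reasons an outbound request resembles the document exfiltration described above."""
    reasons = []
    if rec["method"] != "POST":   # the RAT uploads stolen files; downloads are out of scope here
        return reasons
    if EXT_RE.search(rec["path"]):
        reasons.append("targeted-doc-extension")
    if EXFIL_MARKER in rec["path"]:
        reasons.append("exfil-marker")
    if BARE_IP_RE.match(rec["host"]):   # uploads straight to a bare IP are rarely legitimate
        reasons.append("bare-ip-host")
    return reasons

def scan(log_text):
    """Flag suspicious requests and total the bytes each client pushed to them."""
    hits, bytes_by_client = [], defaultdict(int)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        reasons = classify(rec)
        if reasons:
            hits.append((rec["src"], rec["host"], rec["path"], reasons))
            bytes_by_client[rec["src"]] += int(rec["bytes"])
    return hits, dict(bytes_by_client)
```

The per-client byte total is the useful second signal: a single workstation pushing hundreds of kilobytes of office documents to one external host deserves a look even when no marker string is known.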

The researchers didn't stop there. Forcepoint also found that one of the domains to which the RAT sent stolen data had been registered with the same email address used to register the domains hosting the C&C servers of another RAT campaign.

Forcepoint wasn't able to say for certain whom this second campaign targeted, but it found the RAT, called AndroRAT, packaged inside two Android apps: Kashmir News, which offered news about the region disputed between India and Pakistan, and Islam Adhan Alarm, which alerts users to Islamic prayer times (Islam being the official state religion of Pakistan).

This Android RAT campaign shows that the BITTER group has more than one RAT in its arsenal and that further attacks may yet be uncovered.

Forcepoint says it didn't discover enough evidence to attribute the attacks to any previous APT or nation-backed group.