A suspected South Asian cyber espionage threat group known as Bitter targeted a Turkish defense sector organization in November 2024 to deliver two C++ malware families tracked as WmRAT and MiyaRAT.
"The attack chain used alternate data streams in a RAR archive to deliver a shortcut (LNK) file that created a scheduled task on the target machine to pull down further payloads," Proofpoint researchers Nick Attfield, Konstantin Klinger, Pim Trouerbach, and David Galazin said in a report shared with The Hacker News.
The enterprise security company is tracking the threat actor under the name TA397. Known to be active since at least 2013, the adversary is also referred to as APT-C-08, APT-Q-37, Hazy Tiger, and Orange Yali.
Prior attacks conducted by the hacking group have targeted entities in China, Pakistan, India, Saudi Arabia, and Bangladesh with malware such as BitterRAT, ArtraDownloader, and ZxxZ, indicating a heavy Asian focus.
Bitter has also been linked to cyber attacks that have led to the deployment of Android malware strains like PWNDROID2 and Dracarys, per reports from BlackBerry and Meta in 2019 and 2022, respectively.
Earlier this March, cybersecurity company NSFOCUS revealed that an unnamed Chinese government agency was subjected to a spear-phishing attack by Bitter on February 1, 2024, that delivered a trojan capable of data theft and remote control.
The latest attack chain documented by Proofpoint involved the threat actor using a lure about public infrastructure projects in Madagascar to entice prospective victims into launching the booby-trapped RAR archive attachment.
Present within the RAR archive was a decoy file about a World Bank public initiative in Madagascar for infrastructure development, a Windows shortcut file masquerading as a PDF, and a hidden alternate data stream (ADS) file containing PowerShell code.
ADS refers to a feature introduced in the New Technology File System (NTFS) used by Windows to attach additional data streams to a file and access them. It can be used to smuggle extra data into a file without affecting its size or appearance, thereby giving threat actors a sneaky way to conceal the presence of a malicious payload inside the file record of a harmless-looking file.
Should the victim launch the LNK file, one of the data streams contains code to retrieve a decoy file hosted on the World Bank website, while the second ADS includes a Base64-encoded PowerShell script that opens the lure document and sets up a scheduled task responsible for fetching the final-stage payloads from the domain jacknwoods[.]com.
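As an added defender-side check (not code from the Proofpoint report), the PowerShell function below walks a directory, lists every NTFS alternate data stream attached to the files it finds, decodes streams that are pure Base64 blobs, and flags content that looks like a staged loader (scheduled-task creation or download calls). The path and the indicator list are assumptions; it needs an NTFS volume and Windows PowerShell 5.1 or later.

```powershell
# Added example, not from the original report: surface ADS payloads of the kind
# described above. Path and indicator strings are placeholders; adjust to taste.
function Find-SuspiciousAds {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $MinBytes = 64   # ignore tiny streams such as empty markers
    )
    # Constructed indicator list: strings a staged PowerShell loader commonly contains.
    $markers = 'schtasks', 'Register-ScheduledTask', 'New-ScheduledTask',
               'Invoke-WebRequest', 'DownloadString', 'DownloadFile',
               'Start-Process', 'FromBase64String'

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Get-Item -Stream * lists every stream; ':$DATA' is the normal file content
        # and 'Zone.Identifier' is the Mark-of-the-Web stream, so skip both.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' -and $_.Length -ge $MinBytes } |
        ForEach-Object {
            $stream = $_
            $raw = Get-Content -LiteralPath $file.FullName -Stream $stream.Stream -Raw -ErrorAction SilentlyContinue
            if (-not $raw) { return }
            $text = $raw
            # A stream that is one clean Base64 blob is decoded before matching.
            $compact = $raw -replace '\s', ''
            if ($compact -match '^[A-Za-z0-9+/]+={0,2}$') {
                try {
                    $bytes = [Convert]::FromBase64String($compact)
                    # -EncodedCommand payloads are UTF-16LE; fall back to UTF-8 if that looks wrong.
                    $decoded = [Text.Encoding]::Unicode.GetString($bytes)
                    if ($decoded -match '[^\x20-\x7E\r\n\t]') { $decoded = [Text.Encoding]::UTF8.GetString($bytes) }
                    $text = $decoded
                } catch { }
            }
            $hits = $markers | Where-Object { $text -match [regex]::Escape($_) }
            [pscustomobject]@{
                File       = $file.FullName
                Stream     = $stream.Stream
                Bytes      = $stream.Length
                IsLnk      = $file.Extension -ieq '.lnk'
                WasBase64  = ($text -ne $raw)
                Indicators = ($hits -join ',')
            }
        }
    }
}

# Placeholder path; a LNK with a Base64 stream that decodes to scheduled-task
# creation is exactly the pattern worth triaging first.
Find-SuspiciousAds -Path 'C:\Users\Public\Downloads' | Format-Table -AutoSize
```

Rows with `IsLnk` true and a non-empty `Indicators` column are the ones to pull for analysis; streams with no indicators are usually legitimate application metadata.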
Both WmRAT and MiyaRAT, as previously detailed by QiAnXin, come with standard remote access trojan (RAT) capabilities, allowing the malware to gather host information, upload or download files, take screenshots, obtain geolocation data, enumerate files and directories, and run arbitrary commands via cmd.exe or PowerShell.
It's believed that the use of MiyaRAT is reserved for high-value targets, given that it has been selectively deployed in only a handful of campaigns.
"These campaigns are almost certainly intelligence collection efforts in support of a South Asian government's interests," Proofpoint said. "They consistently utilize scheduled tasks to communicate with their staging domains to deploy malicious backdoors into target organizations, for the purpose of gaining access to privileged information and intellectual property."