A suspected South Asian cyber espionage threat group known as Bitter targeted a Turkish defense sector organization in November 2024 to deliver two C++-malware families tracked as WmRAT and MiyaRAT.
“The attack chain used alternate data streams in a RAR archive to deliver a shortcut (LNK) file that created a scheduled task on the target machine to pull down further payloads,” Proofpoint researchers Nick Attfield, Konstantin Klinger, Pim Trouerbach, and David Galazin said in a report shared with The Hacker News.
The enterprise security company is tracking the threat actor under the name TA397. Known to be active since at least 2013, the adversary is also referred to as APT-C-08, APT-Q-37, Hazy Tiger, and Orange Yali.
Prior attacks conducted by the hacking group have targeted entities in China, Pakistan, India, Saudi Arabia, and Bangladesh with malware such as BitterRAT, ArtraDownloader, and ZxxZ, indicating a heavy Asian focus.
Bitter has also been linked to cyber attacks that have led to the deployment of Android malware strains like PWNDROID2 and Dracarys, per reports from BlackBerry and Meta in 2019 and 2022, respectively.
Earlier this March, cybersecurity company NSFOCUS revealed that an unnamed Chinese government agency was subjected to a spear-phishing attack by Bitter on February 1, 2024, that delivered a trojan capable of data theft and remote control.
The latest attack chain documented by Proofpoint involved the threat actor using a lure about public infrastructure projects in Madagascar to entice prospective victims into launching the booby-trapped RAR archive attachment.
Present within the RAR archive was a decoy file about a World Bank public initiative in Madagascar for infrastructure development, a Windows shortcut file masquerading as a PDF, and a hidden alternate data stream (ADS) file containing PowerShell code.
ADS refers to a feature that was introduced in the New Technology File System (NTFS) used by Windows to attach and access data streams to a file. It can be used to smuggle additional data into a file without affecting its size or appearance, thereby giving threat actors a sneaky way to conceal the presence of a malicious payload inside the file record of a harmless file.
Should the victim launch the LNK file, one of the data streams contains code to retrieve a decoy file hosted on the World Bank site, while the second ADS includes a Base64-encoded PowerShell script to open the lure document and set up a scheduled task responsible for fetching the final-stage payloads from the domain jacknwoods[.]com.
Both WmRAT and MiyaRAT, as previously detailed by QiAnXin, come with standard remote access trojan (RAT) capabilities, allowing the malware to collect host information, upload or download files, take screenshots, get geolocation data, enumerate files and directories, and run arbitrary commands via cmd.exe or PowerShell.
It’s believed that the use of MiyaRAT is reserved for high-value targets owing to the fact that it has been selectively deployed in only a handful of campaigns.
“These campaigns are almost certainly intelligence collection efforts in support of a South Asian government’s interests,” Proofpoint said. “They persistently utilize scheduled tasks to communicate with their staging domains to deploy malicious backdoors into target organizations, for the purpose of gaining access to privileged information and intellectual property.”
