
Bitter APT Targets Turkish Defense Sector with WmRAT and MiyaRAT Malware


A South Asian cyber espionage group, commonly referred to as Bitter, has been identified targeting a Turkish defense sector organization in November 2024. The attack leveraged two advanced C++-based malware families, tracked as WmRAT and MiyaRAT, according to research by Proofpoint.


Attack Chain Details

The attack utilized alternate data streams (ADS) within a RAR archive to deploy a malicious shortcut (LNK) file. This file created a scheduled task on the victim's machine, enabling the download of further malicious payloads.

According to a report shared with The Hacker News, Proofpoint researchers—Nick Attfield, Konstantin Klinger, Pim Trouerbach, and David Galazin—have been tracking the group under the alias TA397. Bitter, also known by other names like APT-C-08, APT-Q-37, Hazy Tiger, and Orange Yali, has been active since at least 2013.

The group's prior campaigns have primarily targeted entities in regions such as China, Pakistan, India, Saudi Arabia, and Bangladesh, deploying malware like BitterRAT, ArtraDownloader, and ZxxZ. This highlights the group's focus on Asian countries.


Bitter's Cyber Activities

Bitter has also been linked to deploying Android malware strains like PWNDROID2 and Dracarys, as documented in reports by BlackBerry and Meta in 2019 and 2022, respectively.

Earlier this year, cybersecurity firm NSFOCUS revealed that Bitter conducted a spear-phishing attack against a Chinese government agency on February 1, 2024. This attack delivered a trojan with capabilities for data theft and remote system control.


The November 2024 Campaign

The most recent attack, analyzed by Proofpoint, involved a decoy themed around public infrastructure projects in Madagascar. Victims were enticed to open a malicious RAR archive attachment.

The RAR archive contained:

  • A decoy file about a World Bank infrastructure initiative in Madagascar.
  • A Windows shortcut (LNK) file disguised as a PDF document.
  • A hidden alternate data stream (ADS) file with embedded PowerShell code.


Alternate Data Streams (ADS) are a feature of the Windows NTFS file system that lets additional named streams be attached to a file. Because the extra streams do not change the size or appearance Windows reports for the file, they give threat actors a convenient place to hide malicious code.

If the victim opened the LNK file, it triggered:

  • One data stream retrieving a decoy file hosted on the World Bank website.
  • Another ADS containing a Base64-encoded PowerShell script that opened the decoy document and created a scheduled task. This task fetched the final payloads from a malicious domain: jacknwoods[.]com.
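
As an added example (not part of Proofpoint's report or tooling), the following PowerShell hunt surfaces the two host artifacts this chain leaves behind: non-default NTFS streams whose content looks like Base64 or script, and recently registered scheduled tasks whose action launches a command interpreter. The scan root, the task age window, and the choice to decode Base64 as UTF-16LE are assumptions.

```powershell
# Added hunt script, not from the Proofpoint report; scan root, task window and UTF-16LE decoding are assumptions.
param(
    [string]$Root = "$env:USERPROFILE\Downloads",
    [int]$TaskAgeDays = 7
)
# Report every NTFS stream except the file's own data (:$DATA) and the benign browser-written Zone.Identifier.
function Get-SuspiciousStreams {
    param([string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        Get-Item -Path $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -notin @(':$DATA', 'Zone.Identifier') } |
            ForEach-Object {
                $text = [string](Get-Content -Path $file.FullName -Stream $_.Stream -Raw -ErrorAction SilentlyContinue)
                # A stream that is one long Base64 blob is decoded (as -EncodedCommand would) so its body can be inspected.
                if ($text -match '^[A-Za-z0-9+/=\s]{64,}$') {
                    try { $text = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(($text -replace '\s', ''))) } catch { }
                }
                [pscustomobject]@{
                    File       = $file.FullName
                    Stream     = $_.Stream
                    Bytes      = $_.Length
                    ScriptLike = [bool]($text -match '(?i)powershell|schtasks|Start-Process|DownloadString|Invoke-WebRequest|https?://')
                }
            }
    }
}
# Tasks registered inside the window whose action launches an interpreter: the persistence half of the chain above.
function Get-RecentInterpreterTasks {
    param([int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.Date -and ([datetime]$_.Date) -gt $cutoff } |
        ForEach-Object {
            $task = $_
            $task.Actions | Where-Object { $_.Execute -match '(?i)powershell|pwsh|cmd\.exe|mshta|wscript|cscript' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Task       = "$($task.TaskPath)$($task.TaskName)"
                        Registered = $task.Date
                        Command    = "$($_.Execute) $($_.Arguments)".Trim()
                    }
                }
        }
}
Get-SuspiciousStreams -Path $Root | Format-Table -AutoSize
Get-RecentInterpreterTasks -Days $TaskAgeDays | Format-Table -AutoSize
```

Run it from an elevated session so that tasks registered under other accounts are enumerated; a hit in either table is a lead to triage, not a verdict on its own.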
Capabilities of WmRAT and MiyaRAT

Both WmRAT and MiyaRAT, previously analyzed by QiAnXin, are sophisticated remote access trojans (RATs) with extensive capabilities, including:

  • Collecting host information.
  • Uploading and downloading files.
  • Capturing screenshots.
  • Retrieving geolocation data.
  • Enumerating files and directories.
  • Executing commands via cmd.exe or PowerShell.

Notably, MiyaRAT is selectively deployed for high-value targets, making it a preferred tool for intelligence-gathering campaigns.


Motivations and Goals

Proofpoint's analysis indicates that these campaigns are likely part of intelligence collection efforts serving the interests of a South Asian government. By persisting through scheduled tasks and staging payloads on attacker-controlled domains, Bitter gains access to privileged information and intellectual property within targeted organizations.

"These campaigns persistently use scheduled tasks to deploy malicious backdoors into target environments, enabling access to sensitive information," Proofpoint concluded.