
Bitter APT Targets Turkish Defense Sector with WmRAT and MiyaRAT Malware


Dec 17, 2024 | Ravie Lakshmanan | Cyber Espionage / Malware


A suspected South Asian cyber espionage threat group known as Bitter targeted a Turkish defense sector organization in November 2024 to deliver two C++ malware families tracked as WmRAT and MiyaRAT.

"The attack chain used alternate data streams in a RAR archive to deliver a shortcut (LNK) file that created a scheduled task on the target machine to pull down further payloads," Proofpoint researchers Nick Attfield, Konstantin Klinger, Pim Trouerbach, and David Galazin said in a report shared with The Hacker News.

The enterprise security company is tracking the threat actor under the name TA397. Known to be active since at least 2013, the adversary is also known as APT-C-08, APT-Q-37, Hazy Tiger, and Orange Yali.

Prior attacks conducted by the hacking group have targeted entities in China, Pakistan, India, Saudi Arabia, and Bangladesh with malware such as BitterRAT, ArtraDownloader, and ZxxZ, indicating a heavy Asian focus.


Bitter has also been linked to cyber attacks that led to the deployment of Android malware strains like PWNDROID2 and Dracarys, per reports from BlackBerry and Meta in 2019 and 2022, respectively.

Earlier this March, cybersecurity company NSFOCUS revealed that an unnamed Chinese government agency was subjected to a spear-phishing attack by Bitter on February 1, 2024, that delivered a trojan capable of data theft and remote control.

The latest attack chain documented by Proofpoint involved the threat actor using a lure about public infrastructure projects in Madagascar to entice prospective victims into launching the booby-trapped RAR archive attachment.

Present within the RAR archive was a decoy file about a World Bank public initiative in Madagascar for infrastructure development, a Windows shortcut file masquerading as a PDF, and a hidden alternate data stream (ADS) file containing PowerShell code.

ADS refers to a feature introduced in the New Technology File System (NTFS) used by Windows to attach additional data streams to a file and access them by name. It can be used to smuggle extra data into a file without affecting its apparent size or appearance in Explorer, giving threat actors a stealthy way to conceal a malicious payload inside the file record of an otherwise harmless file.

Should the victim launch the LNK file, one of the data streams contains code to retrieve a decoy file hosted on the World Bank site, while the second ADS includes a Base64-encoded PowerShell script that opens the lure document and sets up a scheduled task responsible for fetching the final-stage payloads from the domain jacknwoods[.]com.
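The two host artifacts described above (a non-default NTFS stream carrying script, and a scheduled task whose action launches PowerShell with an encoded command) are both enumerable with built-in cmdlets. The script below is an added defender-side example, not code from the Proofpoint report or from the malware; it assumes a scan root where attachments are extracted (the Downloads folder is an assumption, adjust it), uses `Get-Item -Stream` (PowerShell 3+) and `Get-ScheduledTask` (ScheduledTasks module), and applies constructed heuristics (script keywords, long Base64 runs, encoded PowerShell arguments) that will need tuning for a given estate.

```powershell
# Added hunting example (not from the report). Lists alternate data streams
# under a directory and scheduled tasks that run encoded/hidden PowerShell.
param(
    [string]$ScanRoot = "$env:USERPROFILE\Downloads"   # assumed location; adjust
)

# Every NTFS file has the unnamed ':$DATA' stream; anything else is an ADS.
# 'Zone.Identifier' is the normal mark-of-the-web stream and is listed but not flagged.
function Find-SuspiciousAds {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $streamName = $_.Stream
                    $content = ''
                    try {
                        $content = Get-Content -LiteralPath $file.FullName -Stream $streamName -Raw -ErrorAction Stop
                    } catch { }
                    # Heuristics: script keywords or a long Base64 run inside the stream
                    $looksLikeScript = $content -match '(?i)powershell|FromBase64String|schtasks|Register-ScheduledTask'
                    $b64Match = [regex]::Match($content, '[A-Za-z0-9+/]{200,}={0,2}')
                    $preview = ''
                    if ($b64Match.Success) {
                        # -EncodedCommand payloads are UTF-16LE; decode a short preview for the analyst
                        try {
                            $bytes   = [Convert]::FromBase64String($b64Match.Value)
                            $preview = [Text.Encoding]::Unicode.GetString($bytes)
                            if ($preview.Length -gt 120) { $preview = $preview.Substring(0, 120) + '...' }
                        } catch { $preview = '<not valid base64>' }
                    }
                    [pscustomobject]@{
                        File       = $file.FullName
                        Stream     = $streamName
                        Bytes      = $_.Length
                        Suspicious = ($streamName -ne 'Zone.Identifier') -and ($looksLikeScript -or $b64Match.Success)
                        Preview    = $preview
                    }
                }
        }
}

# Scheduled tasks whose action launches PowerShell with an encoded command,
# a hidden window, or a URL directly on the command line.
function Find-SuspiciousScheduledTasks {
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmdline = "$($action.Execute) $($action.Arguments)"
            if ($cmdline -match '(?i)powershell|pwsh' -and
                $cmdline -match '(?i)\s-e[a-z]*\s+[A-Za-z0-9+/=]{20,}|-w[a-z]*\s+hidden|https?://') {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    Author   = $task.Author
                    Command  = $cmdline
                }
            }
        }
    }
}

Find-SuspiciousAds -Root $ScanRoot | Where-Object { $_.Suspicious } | Format-Table -AutoSize
Find-SuspiciousScheduledTasks | Format-Table -AutoSize
```

Run it as the user whose attachments are being examined; scheduled task enumeration of other users' tasks needs an elevated session. The heuristics deliberately report rather than act, so the output is a triage list for the analyst, not an automatic verdict.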


Both WmRAT and MiyaRAT, as previously detailed by QiAnXin, come with standard remote access trojan (RAT) capabilities, allowing the malware to collect host information, upload or download files, take screenshots, get geolocation data, enumerate files and directories, and run arbitrary commands via cmd.exe or PowerShell.

It's believed that the use of MiyaRAT is reserved for high-value targets, given that it has been selectively deployed in only a handful of campaigns.

"These campaigns are almost certainly intelligence collection efforts in support of a South Asian government's interests," Proofpoint said. "They persistently utilize scheduled tasks to communicate with their staging domains to deploy malicious backdoors into target organizations, for the purpose of gaining access to privileged information and intellectual property."
