
Bitter APT Targets Turkish Protection Sector with WmRAT and MiyaRAT Malware

Dec 17, 2024 | Ravie Lakshmanan | Cyber Espionage / Malware

A suspected South Asian cyber espionage threat group known as Bitter targeted a Turkish defense sector organization in November 2024 to deliver two C++ malware families tracked as WmRAT and MiyaRAT.

“The attack chain used alternate data streams in a RAR archive to deliver a shortcut (LNK) file that created a scheduled task on the target machine to pull down further payloads,” Proofpoint researchers Nick Attfield, Konstantin Klinger, Pim Trouerbach, and David Galazin said in a report shared with The Hacker News.

The enterprise security company is tracking the threat actor under the name TA397. Known to be active since at least 2013, the adversary is also called APT-C-08, APT-Q-37, Hazy Tiger, and Orange Yali.

Prior attacks conducted by the hacking group have targeted entities in China, Pakistan, India, Saudi Arabia, and Bangladesh with malware such as BitterRAT, ArtraDownloader, and ZxxZ, indicating a heavy Asian focus.


Bitter has also been linked to cyber attacks that led to the deployment of Android malware strains like PWNDROID2 and Dracarys, per reports from BlackBerry and Meta in 2019 and 2022, respectively.

Earlier this March, cybersecurity company NSFOCUS revealed that an unnamed Chinese government agency was subjected to a spear-phishing attack by Bitter on February 1, 2024, that delivered a trojan capable of data theft and remote control.

The latest attack chain documented by Proofpoint involved the threat actor using a lure about public infrastructure projects in Madagascar to entice potential victims into launching the booby-trapped RAR archive attachment.

Present within the RAR archive was a decoy file about a World Bank public initiative in Madagascar for infrastructure development, a Windows shortcut file masquerading as a PDF, and a hidden alternate data stream (ADS) file containing PowerShell code.

ADS refers to a feature introduced in the New Technology File System (NTFS) used by Windows to attach additional data streams to a file and access them by name. It can be used to smuggle extra data into a file without affecting its reported size or appearance, giving threat actors a sneaky way to conceal a malicious payload inside the file record of a harmless-looking file.

Should the victim launch the LNK file, one of the data streams contains code to retrieve a decoy file hosted on the World Bank website, while the second ADS includes a Base64-encoded PowerShell script that opens the lure document and sets up a scheduled task responsible for fetching the final-stage payloads from the domain jacknwoods[.]com.
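The two techniques described above, hidden alternate data streams and a scheduled task used as the download stage, are both visible to a defender from the endpoint. The following PowerShell triage script is an added example written for this page; it is not code from Proofpoint or from the article. It assumes a directory (`$Root`, a placeholder path) where a suspicious archive was extracted, lists every non-default NTFS stream under it, flags stream contents that look like PowerShell or task-scheduler invocations, and then lists registered scheduled tasks whose action launches PowerShell, cmd.exe or a URL. The keyword patterns are assumptions chosen for illustration, not indicators taken from the report.

```powershell
# Added defender-side triage example (not from the article or Proofpoint).
# Run in an elevated PowerShell session on the host being examined.
param(
    # Assumed placeholder: the folder where the suspicious RAR was extracted.
    [string]$Root = "$env:USERPROFILE\Downloads\extracted"
)

# --- Part 1: enumerate alternate data streams under $Root ---------------------
# Every NTFS file has the unnamed default stream ':$DATA'. 'Zone.Identifier' is
# the Mark-of-the-Web stream that browsers add to downloads and is expected on
# any downloaded file, so both are excluded; anything else is worth a look.
$benignStreams = @(':$DATA', 'Zone.Identifier')

# Constructed keyword pattern (assumption, not an IoC from the report) for
# stream contents that resemble a PowerShell or scheduled-task dropper.
$psPattern = 'powershell|pwsh|schtasks|Register-ScheduledTask|FromBase64String|-EncodedCommand|-enc\b'

$adsFindings = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        Get-Item -Path $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $benignStreams -notcontains $_.Stream } |
            ForEach-Object {
                # Read the named stream as text so keyword matching can run on it.
                $text = Get-Content -Path $file.FullName -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    File        = $file.FullName
                    Stream      = $_.Stream
                    Length      = $_.Length
                    LooksLikePS = [bool]($text -match $psPattern)
                }
            }
    }

Write-Host "Non-default alternate data streams under $Root :"
$adsFindings | Sort-Object LooksLikePS -Descending | Format-Table -AutoSize

# --- Part 2: scheduled tasks that launch an interpreter or reach out to a URL --
# Requires the ScheduledTasks module (Windows 8 / Server 2012 and later).
# Many legitimate tasks also run PowerShell, so this is a review list, not a verdict.
$taskPattern = 'powershell|pwsh|cmd\.exe|-enc\b|-EncodedCommand|https?://'

$suspectTasks = Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
        if ($cmd -match $taskPattern) {
            $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                TaskPath    = $task.TaskPath
                TaskName    = $task.TaskName
                Author      = $task.Author
                LastRunTime = $info.LastRunTime
                Command     = $cmd
            }
        }
    }
}

Write-Host "Scheduled tasks whose action launches an interpreter or references a URL:"
$suspectTasks | Format-Table -AutoSize -Wrap
```

Streams survive a RAR extraction only when the archiver was told to keep them, so an empty Part 1 does not clear the archive itself; pair this host-side check with the archive's own stream listing. In Part 2, a task whose author is a local user and whose arguments contain `-EncodedCommand` or a bare URL is the combination the article describes and merits decoding the argument before anything else.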


Both WmRAT and MiyaRAT, as previously detailed by QiAnXin, come with standard remote access trojan (RAT) capabilities, allowing the malware to gather host information, upload or download files, take screenshots, get geolocation data, enumerate files and directories, and run arbitrary commands via cmd.exe or PowerShell.

It is believed that the use of MiyaRAT is reserved for high-value targets, given that it has been selectively deployed in only a handful of campaigns.

“These campaigns are almost certainly intelligence collection efforts in support of a South Asian government’s interests,” Proofpoint said. “They persistently utilize scheduled tasks to communicate with their staging domains to deploy malicious backdoors into target organizations, for the purpose of gaining access to privileged information and intellectual property.”
