Bitter, a suspected South Asian cyber espionage threat group, was recently involved in targeting a Turkish defense sector organization in November 2024. This attack saw the delivery of two C++-malware families known as WmRAT and MiyaRAT. The attack chain utilized alternate data streams in a RAR archive to deliver a shortcut (LNK) file, which then created a scheduled task on the target machine to pull down further payloads, according to a report by Proofpoint researchers Nick Attfield, Konstantin Klinger, Pim Trouerbach, and David Galazin.
The threat actor, known as TA397, has been active since at least 2013 and has been associated with several aliases such as APT-C-08, APT-Q-37, Hazy Tiger, and Orange Yali. Previous attacks by this group have targeted entities in China, Pakistan, India, Saudi Arabia, and Bangladesh using malware like BitterRAT, ArtraDownloader, and ZxxZ, indicating a strong focus on Asian countries.
Bitter has also been linked to cyber attacks involving the deployment of Android malware strains like PWNDROID2 and Dracarys in 2019 and 2022, respectively. In a spear-phishing attack on an unnamed Chinese government agency in February 2024, Bitter delivered a trojan capable of data theft and remote control.
The recent attack documented by Proofpoint involved the threat actor using a lure related to public infrastructure projects in Madagascar to trick victims into launching a booby-trapped RAR archive attachment. Within the archive was a decoy file about a World Bank initiative in Madagascar, a Windows shortcut file posing as a PDF, and a hidden alternate data stream (ADS) file containing PowerShell code.
ADS is a feature introduced in the New Technology File System (NTFS) used by Windows to attach and access data streams to a file, allowing threat actors to hide malicious payloads without affecting the file’s appearance. If the victim launches the LNK file, a data stream retrieves a decoy file hosted on the World Bank site, while the second ADS contains a Base64-encoded PowerShell script to open the lure document and set up a scheduled task to fetch final-stage payloads from the domain jacknwoods[.]com.
Both WmRAT and MiyaRAT are equipped with standard remote access trojan (RAT) capabilities, enabling them to perform various malicious actions such as collecting host information, uploading/downloading files, taking screenshots, geolocating, enumerating files/directories, and running commands via cmd.exe or PowerShell. MiyaRAT is believed to be selectively deployed in high-value target campaigns, likely in support of a South Asian government’s intelligence collection efforts to gain access to privileged information and intellectual property.
The persistence and sophistication of Bitter’s attacks highlight the ongoing threats posed by cyber espionage groups, emphasizing the need for robust cybersecurity measures to protect organizations from such malicious activities.
If you found this article interesting, follow The Hacker News on Twitter and LinkedIn for more exclusive content.