WmRAT and MiyaRAT malware are used by Bitter APT to target the Turkish defense industry.
In November 2024, two C++-malware families identified as WmRAT and MiyaRAT were delivered to a Turkish defense sector business by Bitter, a suspected South Asian cyber espionage threat outfit. In a report provided to The Hacker News, Proofpoint researchers Nick Attfield, Konstantin Klinger, Pim Trouerbach, and David Galazin stated that "the attack chain used alternate data streams in a RAR archive to deliver a shortcut (LNK) file that created a scheduled task on the target machine to pull down further payloads."
Proofpoint, the enterprise security firm, tracks the threat actor as TA397. The adversary is also known as APT-C-08, APT-Q-37, Hazy Tiger, and Orange Yali, and has been active since at least 2013. The group has a strong Asian focus, as seen in previous attacks that used malware including BitterRAT, ArtraDownloader, and ZxxZ to target organizations in China, Pakistan, India, Saudi Arabia, and Bangladesh.
According to reports from BlackBerry in 2019 and Meta in 2022, Bitter has also been connected to cyberattacks that have resulted in the spread of Android malware variants including PWNDROID2 and Dracarys. The cybersecurity firm NSFOCUS disclosed earlier this March that on February 1, 2024, Bitter launched a spear-phishing attempt against an unidentified Chinese government agency, delivering a trojan that could steal data and take over remotely.
In the most recent attack chain documented by Proofpoint, the threat actor used a lure concerning public infrastructure projects in Madagascar to entice potential victims into launching a booby-trapped RAR archive attachment. The archive contained a Windows shortcut (LNK) file posing as a PDF, a decoy document about a World Bank public initiative for infrastructure development in Madagascar, and a hidden alternate data stream (ADS) carrying PowerShell code.
Alternate data streams are a feature of NTFS (New Technology File System), the file system Windows uses, which lets a single file carry additional named streams of data alongside its main content. Threat actors abuse this to hide a malicious payload inside the file record of a harmless-looking file: the extra data is smuggled in without changing the file's apparent size or appearance in Explorer. In this campaign, launching the LNK file reads two such streams. The first contains code to retrieve a decoy file hosted on the World Bank site; the second contains a Base64-encoded PowerShell script that opens the lure document and sets up a scheduled task responsible for fetching the final-stage payloads from the domain jacknwoods[.]com.
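The following PowerShell triage script is an added example and is not code from Proofpoint's report or from the malware itself. It shows how a responder would check for the two techniques described above on a host: enumerate alternate data streams on files extracted from a suspicious archive, decode any Base64 blobs found in those streams and flag ones that reference task creation or downloads, and then list scheduled tasks whose action launches PowerShell or cmd.exe with a URL or encoded command. The extraction directory `C:\Triage\extracted` and the keyword patterns are assumptions for illustration, not indicators from the report.

```powershell
# Added triage script (not from Proofpoint's report). Assumes the suspicious
# archive was extracted to $ExtractDir on an NTFS volume; the path is hypothetical.
param(
    [string]$ExtractDir = "C:\Triage\extracted"
)

# 1. Enumerate alternate data streams on every extracted file. The unnamed
#    ':$DATA' stream is the file's normal content; anything else is an ADS.
#    'Zone.Identifier' (Mark-of-the-Web) is the common benign one.
$ads = Get-ChildItem -LiteralPath $ExtractDir -Recurse -File |
    ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * } |
    Where-Object { $_.Stream -ne ':$DATA' }

foreach ($s in $ads) {
    "{0} :: stream '{1}' ({2} bytes)" -f $s.FileName, $s.Stream, $s.Length

    # Read the stream body as text; LNK-driven loaders commonly keep it as script text.
    $body = Get-Content -LiteralPath $s.FileName -Stream $s.Stream -Raw -ErrorAction SilentlyContinue
    if (-not $body) { continue }

    # 2. Find long unbroken Base64 runs and decode them. PowerShell -EncodedCommand
    #    payloads are UTF-16LE; plain Base64-wrapped scripts are usually UTF-8, so try both.
    foreach ($m in [regex]::Matches($body, '[A-Za-z0-9+/]{64,}={0,2}')) {
        try { $bytes = [Convert]::FromBase64String($m.Value) } catch { continue }
        $decoded = [Text.Encoding]::Unicode.GetString($bytes)
        if ($decoded -notmatch '[A-Za-z]{4}') { $decoded = [Text.Encoding]::UTF8.GetString($bytes) }

        # Heuristic keywords (assumed, not from the report): task creation and download primitives.
        if ($decoded -match 'schtasks|Register-ScheduledTask|New-ScheduledTask|Invoke-WebRequest|DownloadString|http') {
            $flat = $decoded -replace '\s+', ' '
            "  decoded payload references task creation / download:"
            "  " + $flat.Substring(0, [Math]::Min(300, $flat.Length))
        }
    }
}

# 3. Look for scheduled tasks whose action runs powershell/cmd with a URL or an
#    encoded command, the persistence and staging mechanism described in the report.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match 'powershell|cmd\.exe' -and $cmd -match 'http|-enc|-e |FromBase64|DownloadString|IEX') {
            [pscustomobject]@{
                TaskName = $task.TaskName
                Path     = $task.TaskPath
                Author   = $task.Author
                State    = $task.State
                Command  = $cmd
            }
        }
    }
}
```

Run it in an elevated session on the triage host (the scheduled task check needs rights to read every task path). Alternate data streams only survive on an NTFS volume and only if the extraction tool restores them, so keep the original archive and extract it with a tool that preserves streams; if the extracted files show nothing but ':$DATA', that is a sign the streams were dropped during extraction rather than proof the archive was clean.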
As previously explained by QiAnXin, WmRAT and MiyaRAT both have standard remote access trojan (RAT) features that let the malware gather host information, upload or download files, take screenshots, obtain geolocation information, enumerate files and directories, and execute arbitrary commands via PowerShell or cmd.exe. Because MiyaRAT has been used only selectively in a handful of campaigns, its deployment is believed to be reserved for high-value targets.
"These campaigns are almost certainly intelligence collection efforts in support of a South Asian government's interests," Proofpoint stated. "They persistently utilize scheduled tasks to communicate with their staging domains to deploy malicious backdoors into target organizations, to gain access to privileged information and intellectual property."