2024-12-27 12:13:35 Pacfic
Bitter APT Targets Turkish Defense Sector - 8d
The Bitter APT group, also known as TA397, is actively targeting the Turkish defense sector using sophisticated spearphishing techniques. Proofpoint researchers have uncovered an attack chain utilizing RAR archives containing hidden Alternate Data Streams (ADS). These streams conceal malicious LNK files that, when executed, create scheduled tasks to download the WmRAT and MiyaRAT malware. The attack used a lure of infrastructure projects in Madagascar to entice victims to open the malicious files. The use of NTFS ADS, a feature that allows hidden data streams within files, is a key tactic employed by Bitter to conceal their malicious payloads.
This campaign highlights the group's focus on espionage, leveraging the RAT capabilities of WmRAT and MiyaRAT to collect host information, upload/download files, and take screenshots. Bitter, a suspected South Asian cyber espionage threat group, has a history of targeting entities in Asia and has been linked to other malware deployments, demonstrating their persistent and evolving threat capabilities. This latest attack campaign underscores the group's ability to adapt and utilize advanced techniques to compromise target systems. The researchers have tracked this group under various names including APT-C-08, APT-Q-37, Hazy Tiger, and Orange Yali, indicating its long history of activity.
ImgSrc: www.proofpoint.com
References:
- @VirusBulletin - Proofpoint researchers observed TA397 spear phishing that targeted a Turkish defence sector organization. The attack chain used alternate data streams in a RAR to deliver a shortcut (LNK) file that cr - 8d
- The Hacker News - A suspected South Asian cyber espionage threat group known as Bitter targeted a Turkish defense sector organization in November 2024 to deliver two C++-malware families tracked as WmRAT and MiyaRAT. - 8d
- Security Risk Advisors - #TA397 (Bitter #APT) targets the Turkish defense sector with #spearphishing, NTFS Alternate Data Streams, and #malware (#WmRAT/#MiyaRAT). - 8d
- GBHackers Security - Hackers Weaponizing LNK Files To Create Scheduled Task And Deliver Malware Payload - 7d
- Proofpoint Threat Insight - TA397 Exploits NTFS Alternate Data Streams to Target Turkish Defense Sector - 7d
Classification:
- HashTags: BitterAPT Spearphishing Malware
- Company: Proofpoint
- Target: Turkish defense sector
- Attacker: Bitter APT
- Product: WmRAT, MiyaRAT
- Feature: Alternate Data Streams
- Type: Espionage
- Severity: Major