A sophisticated cyber espionage group, known as Bitter (TA397), launched a targeted attack against a Turkish defense organization in November 2024, deploying advanced malware families WmRAT and MiyaRAT.
The delivery chain was multi-stage: a RAR archive used NTFS alternate data streams (ADS) to deploy a shortcut file, which in turn created scheduled tasks that downloaded further malicious payloads. The initial access vector was a phishing email whose attachment purported to concern Madagascar infrastructure projects.
Bitter, active since 2013, has historically targeted organizations across Asia, including China, Pakistan, India, Saudi Arabia, and Bangladesh. The group’s arsenal includes various malware strains such as BitterRAT, ArtraDownloader, ZxxZ, and Android-specific malware like PWNDROID2 and Dracarys.
The latest attack demonstrated sophisticated techniques:
– Utilized NTFS alternate data streams to hide PowerShell code
– Deployed dual-payload strategy with WmRAT and MiyaRAT
– Created persistent access through scheduled tasks
– Used legitimate World Bank documents as decoys
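The two delivery techniques listed above, ADS creation during archive extraction and scheduled-task registration, both leave host telemetry that a defender can correlate. The following Python detector is an added illustration and is not code from Proofpoint or from the report. It runs over constructed Sysmon-style records (event ID 15, FileCreateStreamHash, for stream creation; event ID 1 for process creation); the host names, timestamps, file paths, the stream name `stage2` and the task command line are all invented sample values, not indicators from the campaign.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry in Sysmon style (event 15 = FileCreateStreamHash,
# event 1 = ProcessCreate). Illustrative records only, not logs from the report.
SAMPLE_EVENTS = [
    # Archive extraction writes the usual mark-of-the-web stream: benign.
    {"time": "2024-11-18T09:12:03", "host": "WS-01", "event_id": 15,
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\alice\Downloads\brief.pdf.lnk:Zone.Identifier"},
    # The same extraction writes a second, non-standard stream onto a shortcut file
    # (stream name "stage2" is a placeholder, not one from the campaign).
    {"time": "2024-11-18T09:12:04", "host": "WS-01", "event_id": 15,
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\alice\Downloads\brief.pdf.lnk:stage2"},
    # About a minute later a scheduled task is registered that runs PowerShell hidden.
    {"time": "2024-11-18T09:13:10", "host": "WS-01", "event_id": 1,
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": 'schtasks /create /sc minute /mo 15 /tn "Updater" '
                     '/tr "powershell -w hidden -c <placeholder>" /f'},
    # Unrelated host: an administrator creates a backup task with a plain binary path.
    {"time": "2024-11-18T09:30:00", "host": "WS-02", "event_id": 1,
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r"schtasks /create /sc daily /tn Backup /tr C:\Tools\backup.exe"},
]

# Streams that Windows and browsers create routinely and that should not alert.
ADS_BENIGN = {"zone.identifier"}
# Drive letter, path without colons, then ":" and the stream name.
ADS_PATTERN = re.compile(r"^([A-Za-z]:\\[^:]*):([^:]+)$")
# Script hosts and URLs in a task action are unusual for legitimate task creation.
LOLBIN_PATTERN = re.compile(
    r"powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32|https?://", re.I)


def parse_time(s):
    return datetime.fromisoformat(s)


def ads_finding(ev):
    """Flag creation of a non-standard alternate data stream; heavier weight on .lnk files."""
    if ev.get("event_id") != 15:
        return None
    m = ADS_PATTERN.match(ev.get("target", ""))
    if not m:
        return None
    path, stream = m.group(1), m.group(2)
    if stream.lower() in ADS_BENIGN:
        return None
    severity = "high" if path.lower().endswith(".lnk") else "medium"
    return {"rule": "non_standard_ads", "host": ev["host"], "time": parse_time(ev["time"]),
            "severity": severity, "detail": f"{path} -> stream '{stream}' by {ev['image']}"}


def task_finding(ev):
    """Flag schtasks /create whose action (/tr) invokes a script host or a URL."""
    if ev.get("event_id") != 1 or not ev.get("image", "").lower().endswith("schtasks.exe"):
        return None
    cmd = ev.get("command_line", "")
    if not re.search(r"/create", cmd, re.I):
        return None
    tr = re.search(r'/tr\s+("[^"]*"|\S+)', cmd, re.I)
    action = tr.group(1) if tr else ""
    if not LOLBIN_PATTERN.search(action):
        return None
    return {"rule": "suspicious_scheduled_task", "host": ev["host"],
            "time": parse_time(ev["time"]), "severity": "medium", "detail": action}


def analyze(events, window=timedelta(minutes=10)):
    """Run both rules, then raise a critical finding when a suspicious task follows
    a non-standard ADS write on the same host within the window."""
    findings = []
    for ev in events:
        for rule in (ads_finding, task_finding):
            f = rule(ev)
            if f:
                findings.append(f)
    ads_by_host = {}
    for f in findings:
        if f["rule"] == "non_standard_ads":
            ads_by_host.setdefault(f["host"], []).append(f["time"])
    for f in list(findings):
        if f["rule"] != "suspicious_scheduled_task":
            continue
        if any(timedelta(0) <= (f["time"] - t) <= window
               for t in ads_by_host.get(f["host"], [])):
            findings.append({"rule": "ads_followed_by_scheduled_task", "host": f["host"],
                             "time": f["time"], "severity": "critical",
                             "detail": f["detail"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["host"], f["rule"], f["detail"])
```

Each rule alone is noisy in isolation (some installers write custom streams, and administrators do schedule scripts), which is why the correlation step carries the critical severity: an unusual stream landing on a shortcut file shortly before a hidden script-host task appears on the same host is the chain the report describes, whereas either event by itself is only a medium or high lead for triage.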
Both deployed RATs provide comprehensive surveillance capabilities, including:
– System information collection
– File manipulation
– Screenshot capture
– Geolocation tracking
– Remote command execution
Security researchers at Proofpoint believe these operations are state-sponsored intelligence collection efforts, specifically targeting privileged information and intellectual property in support of South Asian government interests.