In November 2024, the South Asian cyber espionage group Bitter APT targeted Turkey's defense sector with two of its remote access trojans, WmRAT and MiyaRAT. The lure was a RAR archive that carried its malicious content in NTFS alternate data streams (ADS) alongside a Windows shortcut (LNK) file. When the victim opened the shortcut, it ran PowerShell code stored in one of those streams; that code registered a scheduled task, and the task in turn reached out to fetch the additional payloads. The chain shows the group's continued reliance on living-off-the-land components (shortcuts, PowerShell, Task Scheduler) to slip past file-based detection and to keep a foothold on the host.
The archive's visible content was a decoy document posing as a World Bank initiative on public infrastructure projects in Madagascar, chosen to make the recipient want to open it. Beside the decoy sat a shortcut file dressed up as a PDF (PDF-style name and icon, but a .lnk underneath) and a hidden ADS containing the PowerShell stage. Once the shortcut was launched, that stage displayed the decoy so the victim saw the expected document and, in the background, set up the scheduled task that pulled down the remaining components, keeping the intrusion quiet. Two practical points follow for defenders: alternate data streams only survive extraction when the archiver preserves NTFS streams onto an NTFS volume, and Explorer never shows them, so triage of a suspicious archive should list streams explicitly (for example with `dir /r` or `Get-Item -Stream *` in PowerShell) and check the real type of any "PDF" by its file header rather than its name.
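One way to hunt for the delivery chain just described (explorer.exe launching PowerShell from a shortcut, the script body coming from an alternate data stream, and a scheduled task being registered) is to correlate process-creation records. The script below is an added example written for this page, not code from the original report or from any vendor tooling. The log lines it parses are constructed and use an assumed flat `key=value` layout loosely modelled on Sysmon Event ID 1; the file names, task name and PIDs are made up. In a real deployment you would feed it the equivalent fields from your EDR or Sysmon export.

```python
"""Hunt process-creation logs for the shortcut -> PowerShell-from-ADS -> scheduled-task chain."""
import re
from dataclasses import dataclass, field

# Constructed sample records (not real telemetry from the campaign). Layout is an
# assumed key=value form with the cmdline value double-quoted and inner quotes
# escaped as \". PID 5260 is the malicious chain; PID 6010 is benign admin activity.
SAMPLE_LOG = r'''
pid=4120 ppid=1188 image=C:\Windows\explorer.exe cmdline="C:\Windows\explorer.exe"
pid=5260 ppid=4120 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -w hidden -ep bypass -c \"iex (Get-Content -Raw 'C:\Users\u\Downloads\Proposal.pdf.lnk:script')\""
pid=5304 ppid=5260 image=C:\Windows\System32\schtasks.exe cmdline="schtasks /create /sc minute /mo 17 /tn Updater /tr \"powershell -w hidden -File C:\Users\u\AppData\Local\Temp\u.ps1\" /f"
pid=6010 ppid=4120 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -File C:\Scripts\backup.ps1"
pid=6022 ppid=6010 image=C:\Windows\System32\schtasks.exe cmdline="schtasks /query /tn Backup"
'''

# key=value pairs; a value is either a double-quoted string with \" escapes or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:\\.|[^"\\])*"|\S+)')
# "name.ext:stream" where the stream name starts with a letter, _ or $.
# A drive letter ("C:\") has no extension before the colon, and "host:port" has
# a digit after it, so neither matches.
ADS_RE = re.compile(r'\b[\w-]+\.[A-Za-z][A-Za-z0-9]{0,4}:[A-Za-z_$][\w$.-]*')
STREAM_FLAG_RE = re.compile(r'-Stream\s+\S+', re.IGNORECASE)          # Get-Content -Stream <name>
TASK_CMDLET_RE = re.compile(r'(Register|New)-ScheduledTask', re.IGNORECASE)
SCHTASKS_CREATE_RE = re.compile(r'/create\b', re.IGNORECASE)


def parse_log(text):
    """Turn the key=value lines into dicts with integer pid/ppid and an unescaped cmdline."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = {}
        for key, val in KV_RE.findall(line):
            if val.startswith('"'):
                val = val[1:-1].replace('\\"', '"')
            rec[key] = val
        rec["pid"] = int(rec["pid"])
        rec["ppid"] = int(rec["ppid"])
        records.append(rec)
    return records


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_task_create(rec):
    """True if this process registers a scheduled task via schtasks.exe or the PowerShell cmdlets."""
    if basename(rec["image"]) == "schtasks.exe" and SCHTASKS_CREATE_RE.search(rec["cmdline"]):
        return True
    return TASK_CMDLET_RE.search(rec["cmdline"]) is not None


@dataclass
class Finding:
    pid: int
    cmdline: str
    reasons: list = field(default_factory=list)


def detect_chain(records):
    """Flag PowerShell processes that read an ADS and are also explorer-launched or task-creating."""
    by_pid = {r["pid"]: r for r in records}
    findings = []
    for r in records:
        if basename(r["image"]) not in ("powershell.exe", "pwsh.exe"):
            continue
        reasons = []
        parent = by_pid.get(r["ppid"])
        if parent is not None and basename(parent["image"]) == "explorer.exe":
            reasons.append("spawned by explorer.exe, i.e. the user opened a shortcut or document")
        if ADS_RE.search(r["cmdline"]) or STREAM_FLAG_RE.search(r["cmdline"]):
            reasons.append("command line reads an NTFS alternate data stream")
        children = [c for c in records if c["ppid"] == r["pid"]]
        if is_task_create(r) or any(is_task_create(c) for c in children):
            reasons.append("registers a scheduled task itself or through a child schtasks.exe")
        # Explorer-launched PowerShell on its own is everyday activity; alert only
        # when the ADS read is present together with at least one other signal.
        if len(reasons) >= 2 and any("alternate data stream" in x for x in reasons):
            findings.append(Finding(r["pid"], r["cmdline"], reasons))
    return findings


if __name__ == "__main__":
    for f in detect_chain(parse_log(SAMPLE_LOG)):
        print(f"PID {f.pid}: {f.cmdline}")
        for reason in f.reasons:
            print(f"  - {reason}")
```

The ADS regex is deliberately narrow (an extension, a colon, then a stream name that starts with a letter) so that drive letters and host:port strings in ordinary command lines do not fire; widen it only after checking your own baseline, since some legitimate installers do read streams such as Zone.Identifier.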
WmRAT and MiyaRAT, the two final-stage implants, are full-featured remote access trojans: they collect system information, upload and download files, take screenshots, enumerate directories, and execute arbitrary commands on the infected host. MiyaRAT was not dropped on every victim; its selective deployment suggests the operators reserved it for the most valuable targets, which points to an operation aimed at extracting sensitive, strategically useful information from Turkish defense entities.
The campaign fits Bitter APT's long-standing intelligence-collection mandate; the group has previously targeted organizations in China, India, Pakistan, Saudi Arabia, and Bangladesh, among others. Pairing ADS-based delivery with a well-researched lure shows the group continuing to refine its tradecraft for high-priority missions. The intrusion into Turkey's defense sector is a reminder that such espionage operators keep adapting, and that defenses need to account for delivery techniques that hide payloads where ordinary file inspection does not look.