| Category | Details |
|---|---|
| Threat Actors | Bitter (also known as APT-C-08, APT-Q-37, Hazy Tiger, Orange Yali, TA397) |
| Campaign Overview | Targeted a Turkish defense sector organization in November 2024 using WmRAT and MiyaRAT malware |
| Target Regions/Victims | Turkish defense sector; previously targeted China, Pakistan, India, Saudi Arabia, and Bangladesh |
| Methodology | Spear-phishing emails with RAR archives containing LNK files; use of Alternate Data Streams (ADS) for payload delivery |
| Product Targeted | No specific product; victims were defense sector organizations, lured with decoy documents about infrastructure projects |
| Malware Reference | WmRAT, MiyaRAT, BitterRAT, ArtraDownloader, ZxxZ |
| Tools Used | LNK files, PowerShell scripts, scheduled tasks, ADS, cmd.exe |
| Vulnerabilities Exploited | No software vulnerability reported; the campaign abuses the legitimate NTFS Alternate Data Streams (ADS) feature to smuggle malicious payloads onto the host |
| TTPs | - Use of decoy documents - Obfuscated PowerShell scripts - Scheduled tasks for persistence - Staging domains for payload delivery |
| Attribution | Likely South Asian state-sponsored group supporting intelligence collection efforts |
| Recommendations | - Monitor and block access to suspicious domains such as jacknwoods[.]com - Block or quarantine LNK files from untrusted sources (e.g. delivered inside email attachments and archives) - Deploy EDR solutions to detect writes to and execution from ADS, suspicious scheduled task creation, and unusual PowerShell activity - Conduct user awareness training to recognize spear-phishing attempts |
| Source | The Hacker News |
Read full article: https://thehackernews.com/2024/12/bitter-apt-targets-turkish-defense.html
The above summary has been generated by an AI language model
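The Recommendations row above asks for detection of ADS abuse and suspicious scheduled tasks, which map to the Methodology and Tools rows (payloads staged in NTFS alternate data streams, launched via cmd.exe/PowerShell from scheduled tasks). The following hunt script is an added example written for this page; it is not code from the article, from The Hacker News, or from any Bitter tooling. It assumes Windows PowerShell 5.1 or later with the built-in ScheduledTasks module, and `$ScanRoot` is a hypothetical default path you should point at whatever directory users extract mail attachments into.

```powershell
# Added hunt script (not from the original article): enumerate files carrying
# non-default NTFS alternate data streams, and scheduled tasks whose action
# launches a shell, a .lnk file, or an ADS-style path (file.ext:stream).
# Assumptions: Windows PowerShell 5.1+ with the ScheduledTasks module, run
# elevated so all tasks are visible; $ScanRoot is a hypothetical default.
param(
    [string]$ScanRoot = "$env:USERPROFILE\Downloads"
)

# 1. Alternate data streams other than the default $DATA stream and the
#    browser/mail-client mark-of-the-web (Zone.Identifier), which is expected.
$benignStreams = @(':$DATA', 'Zone.Identifier')
$adsHits = Get-ChildItem -Path $ScanRoot -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
    } |
    Where-Object { $benignStreams -notcontains $_.Stream } |
    Select-Object FileName, Stream, Length

# 2. Scheduled tasks whose command line invokes cmd.exe/powershell.exe/pwsh.exe,
#    references a .lnk file, or ends in an ADS-style "name:stream" path.
$taskHits = Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmdline = "$($action.Execute) $($action.Arguments)"
        if ($cmdline -match '(?i)\b(cmd|powershell|pwsh)\.exe\b' -or
            $cmdline -match '(?i)\.lnk\b' -or
            $cmdline -match '[^\s:\\]+:[A-Za-z0-9_.]+\s*$') {
            [pscustomobject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                Author   = $task.Author
                Command  = $cmdline.Trim()
            }
        }
    }
}

"== Files with non-default alternate data streams under $ScanRoot =="
$adsHits | Format-Table -AutoSize
"== Scheduled tasks invoking a shell, a .lnk, or an ADS path =="
$taskHits | Format-Table -AutoSize
```

Run it as `.\Hunt-AdsAndTasks.ps1 -ScanRoot 'C:\Users\alice\AppData\Local\Temp'` (hypothetical path) to sweep a different staging directory. Expect legitimate hits: many vendor installers create scheduled tasks that call powershell.exe, and some applications store metadata in ADS, so treat the output as triage input and pivot on task Author, creation time, and the reputation of the file that owns the stream rather than blocking on the match alone.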
