| Category | Details |
|---|---|
| Threat Actors | Bitter (also tracked as APT-C-08, APT-Q-37, Hazy Tiger, Orange Yali, TA397) |
| Campaign Overview | November 2024 campaign against a Turkish defense sector organization, delivering the WmRAT and MiyaRAT malware families |
| Target Regions/Victims | Turkish defense sector; earlier campaigns targeted China, Pakistan, India, Saudi Arabia, and Bangladesh |
| Methodology | Spear-phishing emails carrying RAR archives that contain LNK (Windows shortcut) files; NTFS Alternate Data Streams (ADS) used to carry payload content |
| Product Targeted | No specific product; defense sector organizations lured with decoy documents about infrastructure projects |
| Malware Reference | WmRAT, MiyaRAT, BitterRAT, ArtraDownloader, ZxxZ |
| Tools Used | LNK files, PowerShell scripts, scheduled tasks, ADS, cmd.exe |
| Vulnerabilities Exploited | No software vulnerability; the intrusion abuses the NTFS Alternate Data Streams feature (legitimate functionality, not a flaw) to smuggle malicious payloads |
| TTPs | – Decoy documents – Obfuscated PowerShell scripts – Scheduled tasks for persistence – Staging domains for payload delivery |
| Attribution | Likely a South Asian state-sponsored group conducting intelligence collection |
| Recommendations | – Monitor and block traffic to the reported staging domain jacknwoods[.]com – Block or quarantine LNK files that arrive in email attachments or archives from untrusted sources – Deploy EDR to detect reads and writes of alternate data streams and anomalous PowerShell execution – Run user awareness training on recognizing spear-phishing lures |
| Source | The Hacker News |
Read full article: https://thehackernews.com/2024/12/bitter-apt-targets-turkish-defense.html
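To make the LNK-plus-ADS delivery chain concrete for a triage analyst, here is an added example that is not code from the article, from The Hacker News, or from the researchers who reported the campaign: a Python parser for the MS-SHLLINK shortcut format that pulls out the target path, command-line arguments and ShowCommand, then flags the traits a shortcut lure tends to show (an interpreter as the target, a command line that reads an alternate data stream, a window kept out of sight). The two shortcuts it inspects are constructed for this example; the exact command line used in the real lure is not on this page, and the heuristics in `triage_lnk` are illustrative, not a vendor detection rule.

```python
"""Static triage of a Windows shortcut (.lnk) lure.

Parses the ShellLinkHeader and StringData sections of the MS-SHLLINK format and
flags traits seen in shortcut-based lures: a target that is a command or script
interpreter, a command line that reads an NTFS alternate data stream, and a
window that is kept away from the user.
"""
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

SW_SHOWMINNOACTIVE = 7  # ShowCommand value that opens the target minimized, without focus

# StringData fields in the order the format stores them, with the flag that enables each
STRING_FIELDS = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)

INTERPRETERS = ("cmd.exe", "powershell", "pwsh", "mshta", "wscript", "cscript", "rundll32", "regsvr32")
# "file.ext:stream" ADS syntax, or PowerShell's -Stream parameter
ADS_RE = re.compile(r"[\w.-]+\.\w+:[\w$.-]+|-Stream\s+\S+", re.IGNORECASE)


def parse_lnk(data: bytes) -> dict:
    """Return the ShowCommand and the StringData fields of a .lnk file."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip IDListSize (2 bytes) plus the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize includes the size field
        pos += struct.unpack_from("<I", data, pos)[0]
    for key, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters; no terminator follows
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def triage_lnk(fields: dict) -> list:
    """Heuristic findings for a parsed shortcut; an empty list means nothing stood out."""
    findings = []
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    hits = sorted(name for name in INTERPRETERS if name in target)
    if hits:
        findings.append("launches an interpreter: " + ", ".join(hits))
    match = ADS_RE.search(fields.get("arguments", ""))
    if match:
        findings.append("command line reads an NTFS alternate data stream: " + match.group(0))
    if fields.get("show_command") == SW_SHOWMINNOACTIVE:
        findings.append("window opened minimized and unfocused (ShowCommand=7)")
    return findings


def build_sample_lnk(strings: dict, show_command: int = 1) -> bytes:
    """Assemble a minimal, valid .lnk for testing: header, empty IDList, Unicode StringData."""
    flags = HAS_LINK_TARGET_ID_LIST | IS_UNICODE
    body = struct.pack("<H", 2) + b"\x00\x00"  # IDListSize=2; the IDList holds only the TerminalID
    for key, bit in STRING_FIELDS:
        if key in strings:
            flags |= bit
            body += struct.pack("<H", len(strings[key])) + strings[key].encode("utf-16-le")
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + body


# Constructed samples (not the real campaign artifacts): a lure-style shortcut that hops from
# cmd.exe to a hidden PowerShell and pulls its script from an ADS on the decoy PDF, and a
# plain document shortcut for comparison.
SUSPICIOUS_LNK = build_sample_lnk({
    "relative_path": r"..\..\..\Windows\System32\cmd.exe",
    "arguments": r'/c powershell -w hidden -ep bypass -c "Get-Content .\decoy.pdf -Stream script | iex"',
    "icon_location": r"%SystemRoot%\System32\shell32.dll",
}, show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_sample_lnk({"relative_path": r"..\Documents\report.pdf"})

if __name__ == "__main__":
    import sys
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [SUSPICIOUS_LNK, BENIGN_LNK]
    for blob in blobs:
        fields = parse_lnk(blob)
        print(fields.get("relative_path"), fields.get("arguments", ""))
        for finding in triage_lnk(fields) or ["no findings"]:
            print("  -", finding)
```

Run it with no arguments to see the two constructed shortcuts scored, or pass extracted `.lnk` paths from a quarantined archive. The parser only walks the header, IDList, LinkInfo and StringData blocks, which is enough to recover the command line; it does not interpret the optional ExtraData blocks, so environment-variable targets stored only there would need an extension.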
The above summary has been generated by an AI language model