CyberSecurity SEE

Hackers Using LNK Files to Create Scheduled Task and Deliver Malware Payload

TA397, the threat actor also tracked as Bitter, recently targeted a Turkish defense organization with a spearphishing email carrying a malicious RAR archive. The archive held a decoy PDF, a malicious LNK shortcut disguised as a PDF, and an NTFS alternate data stream (ADS) containing PowerShell code. Hiding the script in an ADS is a tactic TA397 has used before to establish persistence and stage additional malware, in this case WmRAT and the newly identified MiyaRAT.

The lure was themed around public investment projects, consistent with TA397's tailored targeting. Because the PowerShell code lives in an alternate data stream rather than in a separate file, it does not appear in a normal directory listing and is easily overlooked on casual inspection; the shortcut simply points PowerShell at the stream. Once the script ran, TA397 had a foothold from which to deploy further payloads as needed.

When the victim opened the LNK file (Windows Explorer hides the .lnk suffix, so a name such as document.pdf.lnk displays as a PDF), it launched PowerShell to run the script hidden in the decoy PDF's alternate data stream. That script set up a scheduled task as its persistence mechanism; the task periodically sent basic system information to a command-and-control (C2) server, which could respond with follow-on payloads such as WmRAT and MiyaRAT.
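The chain above leaves three host artifacts: a shortcut with a double extension, a named alternate data stream on a document, and a scheduled task that runs a script interpreter. The hunt script below is an added example written for this page, not code from the article or from Proofpoint; the scan roots, the list of interpreters and the PowerShell marker strings are assumptions to adjust for your environment, and it is meant to be run from an elevated PowerShell session on the host being examined.

```powershell
<#
  Added example (not the article's or Proofpoint's code): hunt for the three artifacts
  left by an LNK -> ADS PowerShell -> scheduled task chain. Paths, marker strings and
  interpreter names are assumptions. Run elevated; nothing here modifies the host.
#>
param(
    # Assumption: folders where mail attachments and archives are usually extracted.
    [string[]]$ScanRoots = @("$env:USERPROFILE\Downloads", $env:TEMP),
    # Interpreters and downloaders a dropped scheduled task is likely to invoke.
    [string[]]$Interpreters = @('powershell', 'pwsh', 'cmd', 'wscript', 'cscript', 'mshta', 'curl', 'certutil', 'bitsadmin')
)

# 1. Shortcut files whose visible name ends in a document extension (e.g. report.pdf.lnk).
#    Explorer never shows the .lnk suffix, so the user only sees "report.pdf".
$shell = New-Object -ComObject WScript.Shell
$lnkFindings = foreach ($root in $ScanRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.lnk' -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '\.(pdf|docx?|xlsx?|pptx?|txt)$' } |
        ForEach-Object {
            $sc = $shell.CreateShortcut($_.FullName)   # resolves the target and its arguments
            [pscustomobject]@{
                File      = $_.FullName
                Target    = $sc.TargetPath
                Arguments = $sc.Arguments
            }
        }
}

# 2. Files carrying a named NTFS alternate data stream. Every file has ':$DATA'; Zone.Identifier
#    is the Mark-of-the-Web written by browsers and mail clients, so only other streams are reported.
$psMarkers = '(?i)Invoke-|IEX|-EncodedCommand|-enc |DownloadString|schtasks|Register-ScheduledTask|Start-Process'
$adsFindings = foreach ($root in $ScanRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
            ForEach-Object {
                # Peek at the first lines of the stream; PowerShell markers in a PDF's ADS are a red flag.
                $head = (Get-Content -LiteralPath $_.FileName -Stream $_.Stream -TotalCount 20 -ErrorAction SilentlyContinue) -join "`n"
                [pscustomobject]@{
                    File        = $_.FileName
                    Stream      = $_.Stream
                    Bytes       = $_.Length
                    LooksLikePS = [bool]($head -match $psMarkers)
                }
            }
    }
}

# 3. Scheduled tasks whose action runs a script interpreter or downloader. Legitimate tasks do this
#    too (updaters, maintenance jobs), so review Author and TaskPath rather than deleting on sight.
$interpPattern = '(?i)\b(' + (($Interpreters | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')(\.exe)?\b'
$taskFindings = Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmdline = ("$($action.Execute) $($action.Arguments)").Trim()
        if ($cmdline -match $interpPattern) {
            [pscustomobject]@{
                Task        = "$($task.TaskPath)$($task.TaskName)"
                Author      = $task.Author
                State       = $task.State
                CommandLine = $cmdline
            }
        }
    }
}

# 4. Task-creation events (Security 4698) from the last 7 days. These only exist if
#    "Audit Other Object Access Events" is enabled; otherwise this section is empty.
$taskEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
            TaskName = ($data | Where-Object Name -eq 'TaskName').'#text'
        }
    }

"== Double-extension shortcuts ==";    $lnkFindings  | Format-Table -AutoSize
"== Named alternate data streams =="; $adsFindings  | Format-Table -AutoSize
"== Tasks invoking interpreters ==";  $taskFindings | Format-Table -AutoSize -Wrap
"== Task creations, last 7 days ==";  $taskEvents   | Format-Table -AutoSize
```

The ADS check is the one worth keeping in a baseline: named streams other than Zone.Identifier are rare on documents in user directories, so a hit there is cheap to triage, whereas the scheduled-task and shortcut lists need a known-good baseline for the host before their output is actionable.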

WmRAT, a remote access trojan (RAT) written in C++, connects to a hardcoded C2 server and carries out operator-issued tasks: gathering system information, exfiltrating files, capturing screenshots, and executing arbitrary commands. It uses obfuscation to hinder analysis and evade detection, and once connected it gives the operators full control of the infected system.

MiyaRAT, another C++ implant deployed by TA397, recovers its C2 domain at runtime by decoding it with a substitution cipher, then collects system information and sends it to the server to await instructions. Operators can issue commands for file manipulation, reverse shells, and screenshot capture. Note that a substitution cipher is string obfuscation rather than encryption: the hardcoded C2 domain is trivially recoverable by static analysis, which is also what makes it usable as a detection signature.

According to security researchers at Proofpoint, TA397 used infrastructure spread across several domains to distribute and control the WmRAT and MiyaRAT payloads, with the RATs communicating with C2 domains hosted on attacker-controlled infrastructure. These tactics align with previous TA397 campaigns and point to a persistent, evolving actor with a specific focus on defense organizations in EMEA and APAC.

The delivery of malware through RAR archives, the use of scheduled tasks for persistence, and infrastructure overlapping with earlier campaigns are consistent with a South Asian state-aligned actor. The apparent goal is the collection of sensitive information for intelligence purposes, underscoring the persistent threat TA397 poses to organizations in the region.

In conclusion, the attack on a Turkish defense organization is a reminder that well-worn tricks (archive lures, double-extension shortcuts, scripts hidden in alternate data streams, scheduled tasks for persistence) still succeed against high-value targets. Organizations should inspect or block archive attachments at the mail gateway, show file extensions and treat LNK files from outside the organization as untrusted, and audit scheduled-task creation so that this kind of foothold is caught early.
