| Category | Details |
|---|---|
| Threat Actors | TA397 (also known as Bitter) |
| Campaign Overview | Targeted Turkish defense sector with spearphishing email containing RAR archive with malicious payloads; aimed at intelligence gathering. |
| Target Regions | Turkey (EMEA); sectors: government, defense, energy, telecommunications, and engineering. |
| Methodology | Spearphishing email with RAR archive, LNK file, and NTFS alternate data streams (ADS) to deliver malware; uses scheduled tasks for persistence. |
| Product Targeted | Government and defense sector organizations |
| Malware Reference | WmRAT, MiyaRAT |
| Tools Used | RAR archive, LNK file, NTFS alternate data streams (ADS), PowerShell, curl, MSI installer |
| Vulnerabilities Exploited | No specific software vulnerabilities; relies on social engineering and malicious payload delivery |
| TTPs | Spearphishing, RAR archive payload delivery, NTFS ADS, scheduled task creation, PowerShell for payload execution, exfiltration via command line |
| Attribution | APT TA397 (Bitter), likely associated with a South Asian government |
| Recommendations | Monitor for newly created scheduled tasks, inspect RAR archive usage and extraction, block the campaign's suspicious domains, and use security tooling that can detect NTFS alternate data streams and PowerShell-based execution |
| Source | Proofpoint |
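The Recommendations row calls for detecting NTFS alternate data streams and suspicious scheduled tasks; the following PowerShell script is an added example (not code from Proofpoint or from the report) that hunts for both artifacts on a Windows host. The scan root, the lookback window and the process-name pattern are assumptions to adapt to your environment.

```powershell
# Added example: hunt for two artifacts named in the summary above:
#   1. files carrying NTFS alternate data streams (ADS) beyond the default stream
#   2. scheduled tasks whose action launches PowerShell, curl or msiexec
# Assumptions: extracted RAR contents land under Downloads; a 7-day lookback is enough.
param(
    [string]$ScanRoot = "$env:USERPROFILE\Downloads",   # assumed extraction location
    [int]$Days = 7                                      # assumed lookback window
)

$cutoff = (Get-Date).AddDays(-$Days)

# 1. Files with ADS other than the default ':$DATA' stream. Zone.Identifier is the
#    normal Mark-of-the-Web stream written by browsers and is excluded to cut noise.
Write-Host "== Files with non-standard ADS under $ScanRoot (last $Days days) =="
Get-ChildItem -Path $ScanRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $cutoff } |
    ForEach-Object {
        $file = $_
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
            ForEach-Object {
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                }
            }
    } | Format-Table -AutoSize

# 2. Scheduled tasks whose action invokes the tooling listed in the summary.
#    Legitimate administrative tasks will also match; review each hit by hand.
$pattern = 'powershell|pwsh|curl\.exe|\bcurl\b|msiexec'
Write-Host "== Scheduled tasks invoking PowerShell/curl/msiexec =="
Get-ScheduledTask -ErrorAction SilentlyContinue |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $pattern) {
                [pscustomobject]@{
                    Task    = "$($task.TaskPath)$($task.TaskName)"
                    Author  = $task.Author
                    Command = $cmd
                }
            }
        }
    } | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session so that tasks registered by other accounts are visible; widen `$ScanRoot` to user profile roots when hunting across a fleet.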
Read full article: https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats
The above summary has been generated by an AI language model.