Proofpoint researchers recently uncovered an attack targeting a Turkish defense organization. The attack is linked to TA397 (Bitter), a South Asian cyber espionage group known for targeting governments, critical infrastructure, and defense organizations.

Initial Attack Vector 

The attack began on November 18, 2024. TA397 used a spearphishing email with a subject about public works projects in Madagascar. The email contained a RAR archive. The subject, “PUBLIC INVESTMENTS PROJECTS 2025 _ MADAGASCAR,” closely resembled the name of a shortcut file inside: “PUBLIC INVESTMENTS PROJECTS 2025.pdf.lnk”. This tactic, along with the public works theme, matches TA397’s past focus on groups linked to the public sector or public funding. 

Hidden Payload 

The RAR archive held three key items: 

  1. A fake PDF document about a World Bank project in Madagascar (a distraction)
  2. The shortcut file disguised as a PDF
  3. Two NTFS alternate data streams (ADS) named “Participation” and “Zone.Identifier”. ADS are a feature of the NTFS file system that allows hidden data to be attached to a file. The “Zone.Identifier” stream is a standard Windows feature marking a file’s origin. The “Participation” stream held a base64-encoded PowerShell script.

Execution and Initial Communication 

Opening the RAR archive with standard Windows tools shows only the shortcut file, since ADS are hidden by default. When the shortcut is clicked, it runs a command that executes the hidden PowerShell script from the “Participation” ADS. This script then does two things: it opens the fake PDF to distract the user and creates a scheduled task named “DsSvcCleanup”. This task sends the target’s computer name and username every 17 minutes to a domain linked to TA397: jacknwoods[.]com.

Malware Deployment 

This jacknwoods[.]com domain served as a base for sending the actual malware. TA397 operators manually responded to these requests, sending two different RATs: WmRAT and MiyaRAT. First, they sent WmRAT through an MSI installer (“anvrsa.msi”). When initial contact with WmRAT failed, TA397 remotely checked the affected system for details such as running programs and installed antivirus software, sending this information back to jacknwoods[.]com. They then sent MiyaRAT, also using an MSI installer (“gfxview.msi”). 

WmRAT and MiyaRAT  

WmRAT, written in C++, is a typical RAT (Remote Access Trojan). It can manage files, take screenshots, track location, and run commands. It talks to its command-and-control (C2) server (academymusica[.]com) using a simple encoding scheme and employs evasion techniques to avoid security tools. MiyaRAT, also written in C++, has similar capabilities but uses a different C2 server (samsnewlooker[.]com) and a different method of decoding its configuration. It also encrypts its first message to the C2.

Implications 

Using RAR archives and scheduled tasks, plus dropping both WmRAT and MiyaRAT (maybe saving the latter for high-value targets), is a hallmark of TA397 activity. It shows they're still running their espionage operations, targeting organizations in Europe, the Middle East, and Asia, likely for a South Asian government.  

To defend against these attacks: 

  • Watch for unusual scheduled tasks.  
  • Check RAR archives for hidden ADS.  
  • Monitor network traffic for contact with known TA397 servers. 
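As an added defender-side example (not code from Proofpoint's report or this post), the PowerShell below covers the first two checks: it walks a directory where a suspect archive has been unpacked, lists every alternate data stream other than the standard Zone.Identifier, tries to base64-decode each one for review, and then lists scheduled tasks whose action launches PowerShell together with their repeat interval. The extraction path and the decoding assumptions (UTF-16LE or UTF-8) are assumptions; streams survive only if the archive was unpacked with a tool that preserves ADS onto an NTFS volume.

```powershell
# Added defender-side example; not code from Proofpoint or the blog.
# Assumes the suspect RAR was unpacked with a tool that preserves NTFS streams
# (e.g. WinRAR) onto an NTFS volume at $ExtractDir (assumed path).
param([string]$ExtractDir = 'C:\Triage\extracted')

# Streams expected on a downloaded file: the primary data stream and Mark-of-the-Web.
$BenignStreams = @(':$DATA', 'Zone.Identifier')

function Find-HiddenStreams {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File | ForEach-Object {
        $file = $_
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $BenignStreams -notcontains $_.Stream } |
            ForEach-Object {
                $raw = (Get-Content -LiteralPath $file.FullName -Stream $_.Stream -Raw) -replace '\s', ''
                $preview = '<not base64>'
                try {
                    $bytes = [Convert]::FromBase64String($raw)
                    # -EncodedCommand payloads are UTF-16LE; otherwise fall back to UTF-8 (assumption).
                    $text = if ($bytes.Length -gt 1 -and $bytes[1] -eq 0) {
                        [Text.Encoding]::Unicode.GetString($bytes) } else { [Text.Encoding]::UTF8.GetString($bytes) }
                    $preview = $text.Substring(0, [Math]::Min(100, $text.Length))
                } catch { }
                [pscustomobject]@{ File = $file.FullName; Stream = $_.Stream; Length = $_.Length; Preview = $preview }
            }
    }
}

function Find-PowerShellTasks {
    # Flags tasks whose action launches PowerShell and shows the repeat interval
    # (the task in the report beaconed every 17 minutes).
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match 'powershell|pwsh') {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    Path     = $task.TaskPath
                    Interval = ($task.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
                    Command  = $cmd
                }
            }
        }
    }
}

Find-HiddenStreams -Path $ExtractDir | Format-Table -AutoSize
Find-PowerShellTasks | Format-Table -AutoSize
```

Review any decoded preview by hand rather than executing it; the Zone.Identifier exclusion keeps normal Mark-of-the-Web streams from flooding the output.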
