Security analysts have exposed a sophisticated phishing operation targeting an organization in Turkey's defense sector, showcasing the evolving strategies of the threat actor TA397, also known as "Bitter."

Phishing Campaign Breakdown

According to research by Proofpoint, the campaign used spear-phishing emails carrying RAR archives. The archives delivered malware through NTFS Alternate Data Streams (ADS) and a scheduled task. The subject line “PUBLIC INVESTMENTS PROJECTS 2025 _ MADAGASCAR” is consistent with TA397's focus on public sector entities and infrastructure initiatives. Inside the RAR file, recipients found a shortcut (LNK) file masquerading as a PDF, a genuine decoy PDF, and two NTFS ADS files. Together, these files executed malicious PowerShell commands and established persistence on the affected system.

Mechanism of Attack

When the RAR archive was opened, the LNK file executed PowerShell commands hidden in the ADS named “Participation.” While displaying the legitimate PDF to the victim, these commands created a scheduled task named “DsSvcCleanup.” The task relayed system information every 17 minutes to the attacker-controlled domain jacknwoods[.]com. Using this beacon, the attackers then manually delivered two payloads, WmRAT and MiyaRAT, as MSI installers.
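The persistence step described above leaves a clear record on the endpoint: Windows Security event 4698 (a scheduled task was created) carries the full task XML, including the action and its repetition interval. As an added example, not code from the article or from Proofpoint, the following Python triages such records for the combination of indicators this chain produces: a script interpreter as the task action, a hidden or encoded command line, a short repetition interval, and a command line that references an NTFS alternate data stream. The sample records are constructed; the task name and 17-minute interval follow the article, while the command line and the benign comparison task are placeholders, not the real ones.

```python
"""Triage Windows Security event 4698 (scheduled task created) for beacon-like tasks.

Added example, not code from the article or the report. Assumes the 4698 records have
already been exported as their EventData fields (TaskName, TaskContent). Sample records
below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Interpreters that are rarely the direct action of a legitimate user-created task.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# -WindowStyle Hidden / -w hidden, or -EncodedCommand / -enc / -e <payload>
HIDDEN_OR_ENCODED = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc(?:odedcommand)?)?\s+\S+)", re.I)
# "C:\dir\file.pdf:Stream": a second colon inside a Windows path names an alternate data stream.
ADS_REF = re.compile(r"[A-Za-z]:\\[^\s\"':]+:[A-Za-z0-9_.$-]+")
BEACON_THRESHOLD_MIN = 30  # repetition at or below this interval is treated as beacon-like

# Constructed 4698 EventData. Task name and PT17M follow the article; the PowerShell
# arguments are a placeholder chosen to exercise each indicator, not the real command line.
SAMPLE_EVENTS = [
    {"TaskName": r"\DsSvcCleanup", "TaskContent": r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT17M</Interval></Repetition>
    <StartBoundary>2024-11-18T10:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command>
    <Arguments>-WindowStyle Hidden -NoProfile -File C:\Users\victim\Downloads\PUBLIC_INVESTMENTS.pdf:Participation</Arguments>
  </Exec></Actions></Task>"""},
    # Constructed benign built-in task for comparison: weekly, no repetition, no interpreter.
    {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "TaskContent": r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-11-18T01:00:00</StartBoundary>
    <ScheduleByWeek><DaysOfWeek><Wednesday/></DaysOfWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
  </CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -k -g -$</Arguments></Exec></Actions>
</Task>"""},
]


def iso8601_minutes(duration: str) -> Optional[float]:
    """Convert a Task Scheduler duration such as PT17M or P1DT2H to minutes; None if malformed."""
    text = duration.strip()
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text)
    if not m or text in ("P", "PT"):
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


@dataclass
class Finding:
    task_name: str
    command: str
    interval_min: Optional[float]
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Require two independent indicators: a lone PowerShell action is common in admin tasks.
        return len(self.reasons) >= 2


def assess_task(event: dict) -> Finding:
    """Evaluate one 4698 record (TaskName + TaskContent XML) against the indicators."""
    # The declaration claims UTF-16 but we already hold decoded text, so drop it before parsing.
    content = re.sub(r"^\s*<\?xml[^>]*\?>", "", event["TaskContent"])
    root = ET.fromstring(content)
    exec_node = root.find(".//t:Actions/t:Exec", TASK_NS)
    command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).strip() if exec_node is not None else ""
    args = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS) if exec_node is not None else ""
    interval_text = root.findtext(".//t:Repetition/t:Interval", namespaces=TASK_NS)
    interval = iso8601_minutes(interval_text) if interval_text else None

    f = Finding(event["TaskName"], command, interval)
    if command.lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
        f.reasons.append("script interpreter as task action")
    if HIDDEN_OR_ENCODED.search(args):
        f.reasons.append("hidden window or encoded command line")
    if interval is not None and interval <= BEACON_THRESHOLD_MIN:
        f.reasons.append(f"repeats every {interval:g} min (beacon-like)")
    if ADS_REF.search(args):
        f.reasons.append("references an NTFS alternate data stream")
    return f


def triage(events: list) -> list:
    """Return findings for every record that trips two or more indicators."""
    return [f for f in (assess_task(e) for e in events) if f.suspicious]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        cadence = f"every {f.interval_min:g} min" if f.interval_min is not None else "no repetition"
        print(f"{f.task_name}: {f.command} {cadence} -> {'; '.join(f.reasons)}")
```

Requiring two indicators keeps routine administrative tasks (a PowerShell maintenance script on a daily trigger) out of the alert queue, while the 17-minute interval alone would not be conclusive without the interpreter or ADS indicators alongside it. The same parser applies to the task XML that Sysmon or EDR telemetry records for `schtasks.exe /Create /XML`.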

Examining the RATs

WmRAT: Developed in C++, this tool is capable of file exfiltration, executing arbitrary commands, and taking screenshots.

MiyaRAT: Another C++-based malware, it extends similar capabilities with additional features like reverse shell commands and enhanced directory navigation. These RATs interact with different command-and-control (C2) domains managed by the attackers, with MiyaRAT seemingly reserved for high-value targets.

Network Infrastructure and Attribution

The campaign leveraged a network of staging and C2 domains whose registration patterns align with past TA397 operations. Attribution points towards espionage activities likely supporting a South Asian government, given the historic focus on defense and public sector targets in EMEA and APAC regions. Proofpoint highlighted that TA397 operates within the UTC+5:30 timezone, reinforcing the hypothesis of a South Asian connection.
