Hidden in Plain Sight: New Attack Chain Delivers Espionage RATs
Dec. 18, 2024, 12:37 p.m.
Description
An advanced persistent threat group, TA397, targeted a Turkish defense organization with a sophisticated attack chain. The campaign used a RAR archive containing a decoy PDF, a shortcut file, and an NTFS alternate data stream holding PowerShell code. The infection process involved creating a scheduled task to communicate with a staging domain, followed by the manual deployment of the WmRAT and MiyaRAT malware. These RATs enable intelligence gathering and data exfiltration. The attack relied on NTFS alternate data streams and masqueraded files to evade detection. TA397's infrastructure included separate staging and command-and-control domains. The threat actor's tactics, targeting, and malware indicate that the campaign is likely an intelligence collection effort supporting a South Asian government's interests.
Date
Published: Dec. 17, 2024, 8:58 p.m.
Created: Dec. 17, 2024, 8:58 p.m.
Modified: Dec. 18, 2024, 12:37 p.m.
Attack Patterns
MiyaRAT
WmRAT
TA397
T1036.006
T1053.005
T1560.001
T1059.003
T1059.001
T1095
T1113
T1071.001
T1518.001
T1204.002
T1016
T1082
T1057
T1105
T1566.001
T1083
T1027
Additional Information
Defense
Madagascar