Hidden in Plain Sight: New Attack Chain Delivers Espionage RATs

Published 17/12/2024 20:58 · Modified 18/12/2024 12:37

Essential information

Tags
2024-12-17, alternate data streams, apt, defense sector, espionage, miyarat, rat, scheduled tasks, south asia, turkey, wmrat
Related entities
1 intrusion sets (apt), 17 techniques (mitre), 2 malware, 2 others

Description

An advanced persistent threat group, TA397, targeted a Turkish defense organization with a sophisticated attack chain. The campaign used a RAR archive containing a decoy PDF, a shortcut file, and an NTFS Alternate Data Stream holding PowerShell code. The infection process involved creating a scheduled task that communicated with a staging domain, followed by the manual deployment of the WmRAT and MiyaRAT malware. These RATs enable intelligence gathering and data exfiltration. The attack used NTFS Alternate Data Streams and masqueraded files to evade detection. TA397's infrastructure included separate staging and command and control domains. The threat actor's tactics, targeting, and malware indicate that the campaign is likely an intelligence collection effort supporting a South Asian government's interests.

External references