Source |
ProofPoint |
Identifier |
8626533 |
Publication date |
2024-12-17 08:31:31 (viewed: 2024-12-17 12:08:03) |
Title |
Hidden in Plain Sight: TA397's New Attack Chain Delivers Espionage RATs |
Text |
Key findings
Proofpoint observed advanced persistent threat (APT) TA397 targeting a Turkish defense sector organization with a lure about public infrastructure projects in Madagascar.
The attack chain used alternate data streams in a RAR archive to deliver a shortcut (LNK) file that created a scheduled task on the target machine to pull down further payloads.
TA397 was observed manually delivering WmRAT and MiyaRAT malware families in the final stages of this attack chain. Both malware families are designed to enable intelligence gathering and exfiltration.
Proofpoint assesses TA397 campaigns are almost certainly intelligence collection efforts in support of a South Asian government's interests.
Overview
On November 18, 2024, TA397 (also known by third-party researchers as Bitter) targeted a defense sector organization in Turkey with a spearphishing lure. The email included a compressed archive (RAR) file attachment containing a decoy PDF (~tmp.pdf) file detailing a World Bank public initiative in Madagascar for infrastructure development, a shortcut (LNK) file masquerading as a PDF (PUBLIC INVESTMENTS PROJECTS 2025.pdf.lnk), and an Alternate Data Stream (ADS) file that contained PowerShell code.
The lure carried the subject “PUBLIC INVESTMENTS PROJECTS 2025 _ MADAGASCAR”, which closely matched the name of the LNK file masquerading as a PDF inside the RAR archive: “PUBLIC INVESTMENTS PROJECTS 2025.pdf.lnk”. This subject line theme is very common for TA397, as the majority of the organizations they target are either in the public sector or receive public investments, and it is indicative of the targeted nature of their campaigns.
The use of RAR archives is a staple of TA397 payload delivery. Throughout the first half of 2024, Proofpoint observed TA397 using Microsoft Compiled Help (CHM) files inside RAR archives as a means of creating scheduled tasks on target machines.
This blog post details TA397's use of NTFS alternate data streams (ADS) in combination with PDF and LNK files to gain persistence, which facilitates the deployment of further malware. This research also looks at the continued use of wmRAT by TA397, the recently discovered MiyaRAT (a contemporary addition to the threat actor's arsenal), and the associated infrastructure of TA397.
Infection chain
The spearphishing email originated from a compromised email account belonging to a government organization and contained a RAR archive with a variety of artifacts inside. Alongside the LNK file was a “~tmp.pdf” file and two NTFS alternate data streams (ADS), one titled “Participation” and the other a “Zone.Identifier”.
Illustration of the TA397 infection chain.
When opening the RAR file, the target would only see the LNK file, as the ADS streams are hidden from the user when using Windows' built-in RAR extraction utility or WinRAR. Further, the PDF had the Hidden, System and Files ready for archiving (HSA) attributes enabled, so the user is lured into believing that a PDF file is being opened because of the extension pdf.lnk; by default, Windows hides the real extension of a file. However, if the RAR is opened in 7-Zip, the user can view and extract the NTFS ADS streams on NTFS-formatted Windows systems:
7-Zip view on 53a653aae9678075276bdb8ccf5eaff947f9121f73b8dcf24858c0447922d0b1.
ADS streams are a feature of the NTFS file system in Windows that allows users to attach additional data streams to a file. Certain archive formats and tools allow ADS streams to be included in the archive container along with the file. The archive format used in this attack chain is RAR v5, which allows the storage of NTFS ADS streams.
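For triage after an archive like this one has been extracted with a tool that preserves ADS (such as 7-Zip), the PowerShell below, added here and not code from Proofpoint or the post, enumerates the alternate data streams on every extracted file (hidden and system files included), reads the Zone.Identifier mark-of-the-web, and flags any other named stream or a document-named LNK; the extraction folder path and the script-keyword list are assumptions.

```powershell
# Added example (not from the Proofpoint post): list NTFS alternate data streams on files
# extracted from a suspicious archive and flag anything other than the usual Zone.Identifier.
# $ExtractedDir is an assumed path; point it at the folder the archive was extracted into.
param(
    [string]$ExtractedDir = '.\extracted'
)

function Get-AdsFindings {
    param([string]$Root)
    # -Force also returns files carrying the Hidden/System attributes, which this lure relied on
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force | ForEach-Object {
        $file = $_
        # A double extension such as "something.pdf.lnk" is worth surfacing on its own
        if ($file.Name -match '\.(pdf|doc|docx|xls|xlsx)\.lnk$') {
            [pscustomobject]@{ File = $file.FullName; Stream = '(name)'; Size = $file.Length; Verdict = 'REVIEW: LNK masquerading as a document' }
        }
        # -Stream * enumerates every data stream; ':$DATA' is the file's own content
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $streamName = $_.Stream
                $content = Get-Content -LiteralPath $file.FullName -Stream $streamName -Raw -ErrorAction SilentlyContinue
                if ($streamName -eq 'Zone.Identifier') {
                    # Normal mark-of-the-web; ZoneId=3 means the file came from the Internet zone
                    $zone = (($content -split "`r?`n") | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1) -replace '^ZoneId=', ''
                    $verdict = "INFO: mark-of-the-web ZoneId=$zone"
                } elseif ($content -match '(?i)powershell|schtasks|Invoke-') {
                    # Assumed keyword list: a named stream carrying script text (the campaign above used one called "Participation")
                    $verdict = 'SUSPICIOUS: script-like content in alternate data stream'
                } else {
                    $verdict = 'REVIEW: non-default alternate data stream'
                }
                [pscustomobject]@{ File = $file.FullName; Stream = $streamName; Size = $_.Length; Verdict = $verdict }
            }
    }
}

Get-AdsFindings -Root $ExtractedDir | Format-Table -AutoSize
```

Run it from the folder above the extraction directory; any stream other than Zone.Identifier on a file that arrived inside an archive is the thing to inspect before anything in that folder is opened.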
The Zone.Identifier stream is an ADS introduced in older Windows versions as a security feature. It stores information about the origin of a file, such as the URL Security Zone (e.g., Zone 3 for the internet |
Tags |
Malware
Tool
Threat