WmRAT and MiyaRAT Malware Attack Windows Using Weaponized PDF

A Turkish defense sector organization has been targeted by an advanced persistent threat (APT) group known as TA397, which has recently been observed employing a new attack chain against it. 

The group entices victims with a socially engineered document disguised as a report on Madagascar's public infrastructure projects. 

The document is delivered inside a RAR archive, and a malicious LNK file travels with it concealed in an NTFS Alternate Data Stream (ADS), so it is not visible as a normal file when the archive contents are listed. 

7-Zip view

Whenever this LNK file is executed, it creates a persistent scheduled task on the victim's system. That task then retrieves additional payloads, which may include Remote Access Trojans (RATs) such as WmRAT and MiyaRAT. 
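A defender-side check for the two artefacts this chain leaves behind, an alternate data stream on a file pulled out of an archive and a freshly registered scheduled task. This is an added example, not code from the article or from Proofpoint's report; the extraction folder path and the 24-hour look-back window are assumptions.

```powershell
# Added example (not from the article). Audit files extracted from an untrusted
# archive for NTFS Alternate Data Streams, then list scheduled tasks registered
# recently together with the command each one runs.
param(
    [string]$Path  = "$env:USERPROFILE\Downloads\extracted",  # assumed location
    [int]   $Hours = 24                                        # assumed window
)

# 1. A normal file carries only the unnamed ':$DATA' stream. Any other stream
#    on a file that came out of an archive is worth a look. Zone.Identifier is
#    the legitimate mark-of-the-web and is reported as informational only.
Write-Host "== Alternate data streams under $Path =="
Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
    Where-Object  { $_.Stream -ne ':$DATA' } |
    ForEach-Object {
        $flag = if ($_.Stream -eq 'Zone.Identifier') { 'info' } else { 'SUSPECT' }
        "{0,-8} {1} : {2} ({3} bytes)" -f $flag, $_.FileName, $_.Stream, $_.Length
    }

# 2. Scheduled tasks whose registration date falls inside the window, with the
#    executable and arguments of every action. Tasks with no registration date
#    (common for built-in ones) are skipped.
Write-Host "== Scheduled tasks registered in the last $Hours hours =="
$since = (Get-Date).AddHours(-$Hours)
Get-ScheduledTask | ForEach-Object {
    $registered = [datetime]::MinValue
    if ($_.Date -and [datetime]::TryParse($_.Date, [ref]$registered) -and $registered -gt $since) {
        $cmds = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' | '
        "{0} {1}{2}  author={3}  runs: {4}" -f $registered.ToString('s'), $_.TaskPath, $_.TaskName, $_.Author, $cmds
    }
}
```

Run it from an elevated PowerShell session so that tasks under every principal are enumerated; an ADS flagged SUSPECT can be inspected with `Get-Content -LiteralPath <file> -Stream <name>` before any decision is made about the archive.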

The shift from previous tactics, which involved using Microsoft Compiled Help Files (CHM) within RAR archives, demonstrates TA397’s evolving capabilities and its intent to evade detection by security solutions. 

Legitimate PDF used as a decoy document in the campaign. 

By incorporating ADS into its attack chain, TA397 shows that it is willing to adapt and refine its methods in order to maintain a persistent presence on systems it has compromised. 

By utilizing this innovative strategy, the group is able to circumvent conventional security measures and carry out malicious activities without being discovered. 

First payload observed.

The successful exploitation of this attack chain highlights the importance of staying informed about the latest threat actor tactics and implementing robust security measures to protect against advanced cyber threats.

TA397, a South Asian APT that primarily targets defense sector organizations in the EMEA and APAC regions, has been observed using RAR archives to deliver malware payloads that create scheduled tasks on target machines.

Proofpoint researchers believe MiyaRAT is reserved for high-value targets due to its sporadic deployment. The group’s activity aligns with UTC+5:30 working hours, suggesting manual deployment of malware.

Kaaviya (https://cyberpress.org/) is a Security Editor and fellow reporter with Cyber Press. She covers cyber security incidents happening in cyberspace.