Date: 12/18/2024
Severity: High
Summary
On November 18, 2024, TA397 (also known as Bitter) targeted a defense sector organization in Turkey with a spearphishing email. The email carried a RAR archive containing a decoy PDF (~tmp.pdf), a malicious Windows shortcut disguised as a PDF by way of a double extension (PUBLIC INVESTMENTS PROJECTS 2025.pdf.lnk), and NTFS Alternate Data Stream (ADS) content with embedded PowerShell code. Because ADS content is not shown by Explorer or by a plain dir listing (dir /r is needed), the PowerShell payload is hidden from a casual inspection of the extracted files. The subject line, "PUBLIC INVESTMENTS PROJECTS 2025 _ MADAGASCAR," mirrored the LNK file name; TA397 frequently builds lures around public investment projects when targeting organizations connected to them, which shows how closely the campaign was tailored to its recipient.
Indicators of Compromise (IOC) List
Domains/URLs:
academymusica.com
samsnewlooker.com
jacknwoods.com
IP Addresses:
38.180.142.228
96.9.215.155
SHA256 Hashes:
53a653aae9678075276bdb8ccf5eaff947f9121f73b8dcf24858c0447922d0b1
f6c77098906f5634789d7fd7ff294bfd95325d69f1be96be1ee49ff161e07733
10cec5a84943f9b0c635640fad93fd2a2469cc46aae5e43a4604c903d139970f
c7ab300df27ad41f8d9e52e2d732f95479f4212a3c3d62dbf0511b37b3e81317
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains/URLs:
userdomainname like "samsnewlooker.com" or url like "samsnewlooker.com" or userdomainname like "academymusica.com" or url like "academymusica.com" or userdomainname like "jacknwoods.com" or url like "jacknwoods.com"
IP Addresses:
dstipaddress IN ("38.180.142.228","96.9.215.155") or ipaddress IN ("38.180.142.228","96.9.215.155") or publicipaddress IN ("38.180.142.228","96.9.215.155") or srcipaddress IN ("38.180.142.228","96.9.215.155")
SHA256 Hashes:
sha256hash IN ("10cec5a84943f9b0c635640fad93fd2a2469cc46aae5e43a4604c903d139970f","c7ab300df27ad41f8d9e52e2d732f95479f4212a3c3d62dbf0511b37b3e81317","f6c77098906f5634789d7fd7ff294bfd95325d69f1be96be1ee49ff161e07733","53a653aae9678075276bdb8ccf5eaff947f9121f73b8dcf24858c0447922d0b1")
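The following Python script is an added, platform-independent equivalent of the TDIR queries above and of the file-name lure described in the Summary; it is not Gurucul's code and not part of the original advisory. It runs the three IOC checks (domains, IPs, SHA256 hashes) over constructed key=value event lines, matches domains on an exact or subdomain boundary rather than as a bare substring, normalizes hash case before comparison, and additionally flags the "document.pdf.lnk" double-extension pattern. The field names mirror the queries above; the event format and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from this advisory.
IOC_DOMAINS = {"academymusica.com", "samsnewlooker.com", "jacknwoods.com"}
IOC_IPS = {"38.180.142.228", "96.9.215.155"}
IOC_SHA256 = {
    "53a653aae9678075276bdb8ccf5eaff947f9121f73b8dcf24858c0447922d0b1",
    "f6c77098906f5634789d7fd7ff294bfd95325d69f1be96be1ee49ff161e07733",
    "10cec5a84943f9b0c635640fad93fd2a2469cc46aae5e43a4604c903d139970f",
    "c7ab300df27ad41f8d9e52e2d732f95479f4212a3c3d62dbf0511b37b3e81317",
}

# Field names as used in the TDIR queries above.
DOMAIN_FIELDS = ("userdomainname", "url")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
HASH_FIELDS = ("sha256hash",)

# A document-looking name that is really a Windows shortcut (e.g. "x.pdf.lnk").
DISGUISED_LNK = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt)\.lnk$", re.IGNORECASE)

# key=value tokens; quoted values may contain spaces (file names often do).
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample telemetry for the example (not real events).
SAMPLE_EVENTS = [
    'ts=2024-11-18T09:14:02Z host=ws-017 url=https://samsnewlooker.com/update dstipaddress=38.180.142.228',
    'ts=2024-11-18T09:14:05Z host=ws-017 userdomainname=cdn.academymusica.com srcipaddress=10.20.30.44',
    'ts=2024-11-18T09:15:10Z host=ws-017 filename="PUBLIC INVESTMENTS PROJECTS 2025.pdf.lnk" '
    'sha256hash=53A653AAE9678075276BDB8CCF5EAFF947F9121F73B8DCF24858C0447922D0B1',
    'ts=2024-11-18T09:16:00Z host=ws-022 url=https://notsamsnewlooker.com/ dstipaddress=96.9.215.156',
    'ts=2024-11-18T09:17:00Z host=ws-022 filename=report.pdf '
    'sha256hash=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
]


def parse_event(line):
    """Parse one key=value event line into a dict; surrounding quotes are stripped."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def hostname_of(value):
    """Return the host part of a URL or bare hostname, lowercased, without a trailing dot."""
    if "://" in value:
        host = urlsplit(value).hostname or ""
    else:
        host = value.split("/")[0].split(":")[0]
    return host.lower().rstrip(".")


def domain_hit(value):
    """Return the matching IOC domain if the host equals it or is a subdomain of it.

    Unlike a substring 'like' match, 'notsamsnewlooker.com' does not match here,
    while 'cdn.academymusica.com' does.
    """
    host = hostname_of(value)
    for dom in IOC_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def check_event(event):
    """Return a list of (category, field, indicator) hits for one parsed event."""
    hits = []
    for field in DOMAIN_FIELDS:
        if field in event:
            dom = domain_hit(event[field])
            if dom:
                hits.append(("domain", field, dom))
    for field in IP_FIELDS:
        if event.get(field) in IOC_IPS:
            hits.append(("ip", field, event[field]))
    for field in HASH_FIELDS:
        # Hash IOCs are lowercase; telemetry may report uppercase hex.
        if event.get(field, "").lower() in IOC_SHA256:
            hits.append(("hash", field, event[field].lower()))
    name = event.get("filename", "")
    if DISGUISED_LNK.search(name):
        hits.append(("disguised_lnk", "filename", name))
    return hits


def scan(lines):
    """Scan event lines; return [{'line': index, 'hits': [...]}, ...] for lines with hits."""
    findings = []
    for index, line in enumerate(lines):
        hits = check_event(parse_event(line))
        if hits:
            findings.append({"line": index, "hits": hits})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["line"], finding["hits"])
```

Two points worth carrying back to the platform queries: the `like` clauses above are substring matches, so a host such as notsamsnewlooker.com would also fire, which is why the example matches on a label boundary instead; and the `sha256hash IN (...)` clause only matches if the telemetry stores lowercase hex, so normalize case at ingestion or in the query.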
Reference:
https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats