Proofpoint, has tracked the TA2541 threat – a persistent cybercriminal actor that distributes various remote access trojans targeting the aviation, aerospace, transportation, and defense industries, among others. Proofpoint has tracked this threat actor since 2017, and it has used consistent tactics, techniques, and procedures (TTPs) in that time. Entities in the targeted sectors should be aware of the actor’s TTPs and use the information provided for hunting and detection.
Unlike many cybercrime threat actors distributing commodity malware, TA2541 does not typically use current events, trending topics, or news items in its social engineering lures. In nearly all observed campaigns, TA2541 uses lure themes that include transportation related terms such as flight, aircraft, fuel, yacht or charter.
When Proofpoint first started tracking this actor, the group sent macro-laden Microsoft Word attachments that downloaded the RAT payload. The group pivoted, and now they more frequently send messages with links to cloud services such as Google Drive hosting the payload. Proofpoint assesses TA2541 is a cybercriminal threat actor due to its use of specific commodity malware, broad targeting with high volume messages, and command and control infrastructure.
Although TA2541 has been targeting thousands of organizations, multiple entities across aviation, aerospace, transportation, manufacturing, and defense industries appear regularly as targets of its campaigns. There appears to be a wide distribution across recipients, indicating TA2541 does not target people with specific roles and functions.
TA2541’s malware campaigns include hundreds to thousands of messages, although it is rare to see TA2541 send more than 10,000 messages at one time. Campaigns impact hundreds of organizations globally, with recurring targets in North America, Europe, and the Middle East. Messages are nearly always in English.
The threat actor consistently uses remote access Trojans that can be used to remotely control compromised machines
In the spring of 2020, TA2541 briefly pivoted to adopting COVID-related lure themes consistent with their overall theme of cargo and flight details. For example, they distributed lures associated with cargo shipments of personal protective equipment (PPE) or COVID-19 testing kits.
In recent campaigns, Proofpoint observed this group using Google Drive URLs in emails that lead to an obfuscated Visual Basic Script (VBS) file.
Proofpoint has observed TA2541 using over a dozen different malware payloads since 2017. The threat actor uses commodity malware available for purchase on criminal forums or available in open-source repositories. Currently, TA2541 prefers AsyncRAT, but other popular RATs include NetWire, WSH RAT and Parallax.
TA2541 remains a consistent, active cybercrime threat, especially to entities in its most frequently targeted sectors. Proofpoint assesses with high confidence this threat actor will continue using the same TTPs observed in historic activity with minimal change to its lure themes, delivery, and installation. It is likely TA2541 will continue using AsyncRAT and vjw0rm in future campaigns and will likely use other commodity malware to support its objectives.
Sherrod DeGrippo, Vice President of Threat Research and Detection at Proofpoint, said: “What’s noteworthy about TA2541 is how little they’ve changed their approach to cybercrime over the past five years, repeatedly using the same themes, often related to aviation, aerospace, and transportation, to distribute remote access trojans. This group is a persistent threat to targets throughout the transportation, logistics, and travel industries.”