Researchers have revealed details of a threat actor that has targeted thousands of organizations globally with over a dozen different commodity malware payloads since at least 2017.
The threat group, which researchers with Proofpoint labeled TA2541, has targeted the aviation, aerospace, transportation, manufacturing and defense industries with remote access trojans (RAT) that have the capability to remotely control compromised machines. The threat group has recurring targets in North America, Europe and the Middle East.
The activity of TA2541 has previously been publicly reported by various security researchers since 2019. For instance, in September Cisco Talos analyzed a campaign targeting the aviation industry, which it linked to an actor that has been running malware campaigns for more than five years. Proofpoint researchers said this is the first time all of this comprehensive data is being shared under one threat activity cluster.
“Proofpoint assesses TA2541 is a cybercriminal threat actor due to its use of specific commodity malware, broad targeting with high volume messages, and command and control infrastructure,” said researchers with Proofpoint in a Tuesday analysis.
TA2541 does not use current events as its social engineering lures (with the exception of some emails using COVID-19 lures), instead relying on themes related to transportation, aviation and travel. One observed email for instance purported to be a request for information on aircraft parts, while another pretended to be a request for ambulatory flight information.
While at first the group sent emails with malicious Microsoft Word attachments, it has since pivoted to send messages with links to cloud services, like Google Drive URLs, which lead to an obfuscated Visual Basic Script (VBS) file hosting the payload. Researchers said that starting in late 2021, they also observed the group begin using DiscordApp URLs linking to a compressed file which led to either AgentTesla or the Imminent Monitor malware. Discord is an increasingly popular content delivery network (CDN) used by threat actors, said Sherrod DeGrippo, vice president of Threat Research and Detection at Proofpoint.
“TA2541 appears to prefer Google Drive as a malware host, but Discord URLs are still used with less frequency,” said DeGrippo. “Mitigating threats hosted on legitimate services continues to be a difficult vector to defend against as it likely involves implementation of a robust detection stack or policy-based blocking of services which might be business-relevant.”
The threat actor then runs PowerShell within various Windows processes and queries Windows Management Instrumentation (WMI) for installed firewall or antivirus software in an effort to disable any security protections. The payload then collects system information before downloading the RAT.
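As an added defender-side example (not code from the article or from Proofpoint), the script below flags PowerShell script-block log entries that query the root\SecurityCenter2 WMI namespace for antivirus or firewall products, which is the reconnaissance step described above. The tab-separated log lines and their simplified "event ID, script text" layout are constructed for the example; the namespace and class names are the real WMI ones.

```python
import re
from typing import Dict, List

# Constructed sample PowerShell script-block log (event 4104 style) in a
# simplified "EventID<TAB>ScriptBlockText" form; not real telemetry.
SAMPLE_LOG = """\
4104\tGet-ChildItem C:\\Users\\alice\\Documents | Measure-Object
4104\tGet-WmiObject -Namespace root\\SecurityCenter2 -Class AntiVirusProduct | Select-Object displayName
4104\tgwmi -Namespace "root/SecurityCenter2" -Class FirewallProduct
4104\tGet-CimInstance Win32_OperatingSystem | Select-Object Caption, Version
4104\tGet-CimInstance -Namespace root\\SecurityCenter2 -ClassName AntiVirusProduct
4103\tCommandInvocation(Get-Date): "Get-Date"
"""

# WMI classes under root\SecurityCenter2 that list installed security products.
SECURITY_CLASSES = ("AntiVirusProduct", "FirewallProduct", "AntiSpywareProduct")

WMI_CMDLET = re.compile(r"\b(Get-WmiObject|gwmi|Get-CimInstance|gcim)\b", re.IGNORECASE)
SECURITY_NS = re.compile(r"root[\\/]+SecurityCenter2", re.IGNORECASE)
SECURITY_CLASS = re.compile(r"\b(" + "|".join(SECURITY_CLASSES) + r")\b", re.IGNORECASE)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Split the simplified log into {event_id, script} records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, _, script = line.partition("\t")
        records.append({"event_id": event_id, "script": script})
    return records


def is_security_software_enumeration(script: str) -> bool:
    """True when a WMI/CIM cmdlet targets the SecurityCenter2 namespace or one
    of its product classes; plain system-info queries (Win32_*) are not flagged."""
    if not WMI_CMDLET.search(script):
        return False
    return bool(SECURITY_NS.search(script) or SECURITY_CLASS.search(script))


def find_security_software_enumeration(text: str) -> List[str]:
    """Return the 4104 script-block texts that enumerate AV/firewall products."""
    return [
        r["script"] for r in parse_log(text)
        if r["event_id"] == "4104" and is_security_software_enumeration(r["script"])
    ]


if __name__ == "__main__":
    for hit in find_security_software_enumeration(SAMPLE_LOG):
        print("ALERT security-software enumeration:", hit)
```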
Currently, TA2541 appears to prefer AsyncRAT, which has previously been used to remotely monitor and control compromised machines through a secure, encrypted connection. The threat actor has previously used various types of commodity malware available for purchase on criminal forums or available via open-source repositories, including NetWire, WSH RAT, Parallax and Revenge RAT. While the malware used by TA2541 can be used for information gathering purposes and to gain remote control of an infected machine, researchers said they currently do not know what the threat actor’s ultimate goals and objectives are once it achieves initial compromise.
Researchers said it is likely the threat group will continue using AsyncRAT - as well as other commodity malware - in future campaigns targeting the transportation sector, which has lately been a popular target for cybercriminals like Chinese nation-state actor APT10 or Iran-linked ITG07.
“The threat activity isn’t really sophisticated, but the attack path is interesting in that there are multiple steps involved including collecting system information and identifying potential threat detection software before the payload is executed,” said DeGrippo. “It’s also interesting the threat actor uses consistent lure themes and language that would be relevant to aviation or transportation that people in other industries might not recognize, e.g. ‘pax’ for ‘passengers.’”