Unidentified hackers targeting aviation and transportation sectors since 2017

Unknown TA2541 group attacking aviation and defense sectors since 2017

TA2541 is extensively using a variety of Remote Access Trojans (RAT) in spear-phishing attacks to lure their target.

Proofpoint researchers have published a report highlighting the presence of a little-known cybercrime group targeting aviation, defense, manufacturing, and transportation sectors with malware since 2017.

Interestingly, the group has evaded detection for so long despite using the same attack tactics. Proofpoint’s report is based on similar accounts from other cybersecurity and tech firms, including Mandiant, Cisco Talos, Morphisec, and Microsoft.

Details about TA2541

Proofpoint tracked the group, which its researchers codenamed TA2541. They claim that their attacks are unrefined, and they mostly rely on infecting/deploying commodity malware on the victims’ networks. Still, the group managed to stay low-key, and not much is known about it. Most of the group’s targets were located in North America, Europe, and the Middle East.

Attack Tactics

Researchers wrote that the group attacks follow the same pattern since they mainly send out thousands of spear-phishing emails per campaign (usually 10,000 emails per campaign), typically written in the English language, to trap their targets.

The emails vary in themes as the group has used requests for aircraft parts, urgent requests for air ambulance flight details, and even COVID-19-based themes to lure their targets so that they download files hosted on cloud storage platforms.

The group takes advantage of the fact that links to these services are never blocked within large-scale organizations. After the file is downloaded and executed, it installs a RAT that allows the malware operators to access the compromised device.

Unidentified hackers targeting aviation and transportation sectors since 2017
A phishing email luring an Italian target by requesting information on an ambulatory flight (Image: Proofpoint)

Recently, TA2541 has shifted its focus to Google Drive and Microsoft OneDrive links that redirect users to an obfuscated VBS (Visual Basic Script) file. Proofpoint’s Vice President of Threat Research and Detection, Sherrod DeGrippo, has declared it one of the most persistent cybercrime groups in recent years.

“What’s noteworthy about TA2541 is how little they’ve changed their approach to cybercrime over the past five years, repeatedly using the same themes, often related to aviation, aerospace, and transportation, to distribute remote access trojans. This group is a persistent threat to targets throughout the transportation, logistics, and travel industries.”


TA2541 relies on RAT payloads

In a blog post, Selena Larson and Joe Wise of Proofpoint wrote that during the past few years, TA2541 had used an extensive array of RATs; but, mostly, they use RATs sold at underground cybercrime forums. The most commonly delivered malware in the group’s campaigns is AsyncRAT, but they have also extensively used WSH RAT, Parallax, and NetWire.

It is worth noting that last year, a report shared by Microsoft also revealed the use of the same RATs in malware attacks against aerospace and travel organizations.

As for the recent report, Proofpoint couldn’t determine the purpose and objectives of TA2541’s attacks. It is also unclear whether the group is involved in spying, data theft, and monetization and where it operates from. Nevertheless, researchers are certain that this group is a persistent threat to targets throughout the transportation, logistics, and travel industries.

More malware news on Hackread.com

  1. Gamers targeted in new malware attack with games cheat codes
  2. Hackers Setup Fake Cyber Security firm to Target InfoSec Experts
  3. Ransomware attack on Swissport aviation firm causes flight delays
  4. PasswordState password manager’s update hijacked to drop malware
  5. Hackers posed as aerobics instructors in malware attack on defense contractors

Related Posts