Proofpoint researchers have published a report highlighting the presence of a little-known cybercrime group targeting aviation, defense, manufacturing, and transportation sectors with malware since 2017.
Interestingly, the group has evaded detection for so long despite using the same attack tactics. Proofpoint’s report is based on similar accounts from other cybersecurity and tech firms, including Mandiant, Cisco Talos, Morphisec, and Microsoft.
Proofpoint tracked the group, which its researchers codenamed TA2541. They claim that their attacks are unrefined, and they mostly rely on infecting/deploying commodity malware on the victims’ networks. Still, the group managed to stay low-key, and not much is known about it. Most of the group’s targets were located in North America, Europe, and the Middle East.
Researchers wrote that the group attacks follow the same pattern since they mainly send out thousands of spear-phishing emails per campaign (usually 10,000 emails per campaign), typically written in the English language, to trap their targets.
The emails vary in themes as the group has used requests for aircraft parts, urgent requests for air ambulance flight details, and even COVID-19-based themes to lure their targets so that they download files hosted on cloud storage platforms.
The group takes advantage of the fact that links to these services are never blocked within large-scale organizations. After the file is downloaded and executed, it installs a RAT that allows the malware operators to access the compromised device.
Recently, TA2541 has shifted its focus to Google Drive and Microsoft OneDrive links that redirect users to an obfuscated VBS (Visual Basic Script) file. Proofpoint’s Vice President of Threat Research and Detection, Sherrod DeGrippo, has declared it one of the most persistent cybercrime groups in recent years.
“What’s noteworthy about TA2541 is how little they’ve changed their approach to cybercrime over the past five years, repeatedly using the same themes, often related to aviation, aerospace, and transportation, to distribute remote access trojans. This group is a persistent threat to targets throughout the transportation, logistics, and travel industries.”
In a blog post, Selena Larson and Joe Wise of Proofpoint wrote that during the past few years, TA2541 had used an extensive array of RATs; but, mostly, they use RATs sold at underground cybercrime forums. The most commonly delivered malware in the group’s campaigns is AsyncRAT, but they have also extensively used WSH RAT, Parallax, and NetWire.
It is worth noting that last year, a report shared by Microsoft also revealed the use of the same RATs in malware attacks against aerospace and travel organizations.
As for the recent report, Proofpoint couldn’t determine the purpose and objectives of TA2541’s attacks. It is also unclear whether the group is involved in spying, data theft, and monetization and where it operates from. Nevertheless, researchers are certain that this group is a persistent threat to targets throughout the transportation, logistics, and travel industries.
Your email address will not be published.
Super secure VPN
Minimal data logging
Visit IPVanish ‣
HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom.
Hackread.com is among the registered trademarks of Gray Dot Media Group Ltd. Company registration number 12903776 in regulation with the United Kingdom Companies House. The registered address is 85 Great Portland Street, London, England, W1W 7LT The display of third-party trademarks and trade names on the site do not necessarily indicate any affiliation or endorsement of Hackread.com. If you click an affiliate link and buy a product or service, we may be paid a fee by that merchant.