TA2541 attackers target surface transportation, manufacturing, defense enterprises

Researchers from security firm Proofpoint have tracked a persistent cybercrime group targeting the aviation, aerospace, transportation, manufacturing, and defense industries since 2017. Tracked as ‘TA2541’ and using over a dozen different malware payloads, the group consistently relies on remote access trojans (RATs), which give the attacker remote control of compromised machines.

“When Proofpoint first started tracking this actor, the group sent macro-laden Microsoft Word attachments that downloaded the RAT payload,” Selena Larson and Joe Wise, Proofpoint researchers, wrote in a company blog post on Tuesday. “The group pivoted, and now they more frequently send messages with links to cloud services such as Google Drive hosting the payload,” they added.

Proofpoint assesses that TA2541 is a cybercriminal group due to its use of specific commodity malware, broad targeting with high-volume messages, and its command and control infrastructure. “All the malware used by TA2541 can be used for information gathering purposes and to gain remote control of an infected machine. At this time, Proofpoint does not know what the threat actor’s ultimate goals and objectives are once it achieves initial compromise,” they pointed out.

While public reporting provides details of similar threat activities having existed since at least 2019, “this is the first time Proofpoint is sharing comprehensive details linking public and private data under one threat activity cluster we call TA2541,” according to the researchers. “The threat actor uses commodity malware available for purchase on criminal forums or available in open-source repositories. Currently, TA2541 prefers AsyncRAT, but other popular RATs include NetWire, WSH RAT and Parallax,” they added.

While AsyncRAT is the current malware of choice, TA2541 has varied its malware use each year since 2017. “The threat actor will typically use just one or a handful of RATs in observed campaigns; however, in 2020, Proofpoint observed TA2541 distributing over 10 different types of malware, all using the same initial infection chain,” the researchers added.

Often, campaigns contained several hundred to several thousand email messages to dozens of different organizations, the company said. “Although Proofpoint has observed TA2541 targeting thousands of organizations, multiple entities across aviation, aerospace, transportation, manufacturing, and defense industries appear regularly as targets of its campaigns. There appears to be a wide distribution across recipients, indicating TA2541 does not target people with specific roles and functions,” it added.     

Unlike many cybercrime threat actors distributing commodity malware, TA2541 does not typically use current events, trending topics, or news items in its social engineering lures, Proofpoint said. “In nearly all observed campaigns, TA2541 uses lure themes that include transportation-related terms such as flight, aircraft, fuel, yacht, charter, etc.,” it added.
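The two delivery patterns the report describes (macro-laden Word attachments earlier, links to cloud services such as Google Drive more recently) combined with a stable, transportation-themed lure vocabulary are the kind of signals a mail-security team can turn into a triage rule. The following is an added example and not Proofpoint's code or detection logic: it scores constructed sample messages by requiring a lure term from the article to co-occur with a delivery vector. The lure terms and the Google Drive domain come from the article; the macro-capable extension list, the co-occurrence rule, and the sample messages are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Lure vocabulary reported for this actor (transportation-related terms).
LURE_TERMS = ("flight", "aircraft", "fuel", "yacht", "charter", "cargo")

# Cloud-hosting domains used to deliver the payload. Only Google Drive is
# named in the report; a defender would extend this list (assumption).
CLOUD_HOSTS = ("drive.google.com",)

# Macro-capable Office extensions for the older attachment-based delivery
# (assumed list, not from the report).
MACRO_EXTENSIONS = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Message:
    subject: str
    body: str
    attachments: tuple = ()


def lure_terms_in(text):
    """Return the lure terms that appear as whole words in the text."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    return sorted(t for t in LURE_TERMS if t in words)


def cloud_links_in(text):
    """Return URLs whose host is (or is under) a listed cloud-hosting domain."""
    hits = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in CLOUD_HOSTS):
            hits.append(url)
    return hits


def macro_attachments_in(attachments):
    """Return attachment names with a macro-capable Office extension."""
    return [a for a in attachments if a.lower().endswith(MACRO_EXTENSIONS)]


def assess(msg):
    """Flag a message only when a lure theme co-occurs with a delivery vector.

    Either signal alone (a cloud link, or the word 'flight') is far too common
    in legitimate mail to act on; the combination is what the report describes.
    """
    text = f"{msg.subject}\n{msg.body}"
    terms = lure_terms_in(text)
    links = cloud_links_in(text)
    macros = macro_attachments_in(msg.attachments)
    return {
        "flagged": bool(terms) and bool(links or macros),
        "lure_terms": terms,
        "cloud_links": links,
        "macro_attachments": macros,
    }


# Constructed sample messages (not real campaign data).
SAMPLES = [
    Message("Charter flight fuel request",
            "Details here: https://drive.google.com/file/d/EXAMPLE_ID/view"),
    Message("Aircraft parts quotation", "See attached quotation.",
            attachments=("quotation.docm",)),
    Message("Weekly team sync", "Agenda: https://drive.google.com/file/d/EXAMPLE_ID/view"),
    Message("Yacht charter rates", "Rates attached.", attachments=("rates.pdf",)),
]


def run_samples():
    """Assess every constructed sample and return the results in order."""
    return [assess(m) for m in SAMPLES]


if __name__ == "__main__":
    for msg, result in zip(SAMPLES, run_samples()):
        print(f"{result['flagged']!s:5} {msg.subject!r} {result}")
```

The rule is deliberately conservative: it treats the lure vocabulary as a theme detector and the cloud link or macro-capable attachment as the delivery detector, and it only raises a flag when both are present, which keeps a generic Drive link in a project-planning thread from generating noise.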

Typically, the malware campaigns include hundreds to thousands of messages, although it is rare to see TA2541 send more than 10,000 messages at one time. “Campaigns impact hundreds of organizations globally, with recurring targets in North America, Europe, and the Middle East. Messages are nearly always in English,” according to the researchers. 

In the spring of 2020, TA2541 briefly pivoted to COVID-related lure themes consistent with its overall theme of cargo and flight details, Proofpoint observed. The adoption of COVID-19 themes was brief, and the group quickly returned to generic cargo, flight, charter, etc. themed lures, the researchers added.

Multiple researchers have published data on similar activities since 2019 including Cisco Talos, Morphisec, Microsoft, Mandiant, and independent researchers. Proofpoint “can confirm the activities in these reports overlap with the threat actor tracked as TA2541.”

The Proofpoint researchers concluded that TA2541 remains a consistent, active cybercrime threat, especially to entities in its most frequently targeted sectors. “Proofpoint assesses with high confidence this threat actor will continue using the same TTPs observed in historic activity with minimal change to its lure themes, delivery, and installation. It is likely TA2541 will continue using AsyncRAT and vjw0rm in future campaigns and will likely use other commodity malware to support its objectives,” it added.