
Entities in the aviation, aerospace, transportation, manufacturing, and defense industries have been targeted by a persistent threat group since at least 2017 as part of a string of spear-phishing campaigns mounted to deliver a variety of remote access trojans (RATs) on compromised systems.

The use of commodity malware such as AsyncRAT and NetWire, among others, has led enterprise security firm Proofpoint to a “cybercriminal threat actor” codenamed TA2541 that employs “broad targeting with high volume messages.” The ultimate objective of the intrusions is unknown as yet.

Social engineering lures used by the group do not rely on topical themes but rather leverage decoy messages related to aviation, logistics, transportation, and travel. That said, TA2541 did briefly pivot to COVID-19-themed lures in the spring of 2020, distributing emails concerning cargo shipments of personal protective equipment (PPE) or testing kits.

“While TA2541 is consistent in some behaviors, such as using emails masquerading as aviation companies to distribute remote access trojans, other tactics such as delivery method, attachments, URLs, infrastructure, and malware type have changed,” Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, told The Hacker News.
