Entities in the aviation, aerospace, transportation, manufacturing, and defense industries have been targeted by a persistent threat group since at least 2017 as part of a string of spear-phishing campaigns mounted to deliver a variety of remote access trojans (RATs) on compromised systems.
The use of commodity malware such as AsyncRAT and NetWire, among others, has led enterprise security firm Proofpoint to attribute the activity to a “cybercriminal threat actor” codenamed TA2541 that employs “broad targeting with high volume messages.” It is not known what the ultimate goal of these intrusions is.
Social engineering lures are not focused on specific topics but leverage decoy messages that relate to travel, logistics and aviation. That said, TA2541 did briefly pivot to COVID-19-themed lures in the spring of 2020, distributing emails concerning cargo shipments of personal protective equipment (PPE) or testing kits.
“While TA2541 has some consistent behaviors, such as sending emails to aviation companies in order to distribute remote access trojans via email, certain tactics like delivery method, attachments and URLs have changed,” said Sherrod DeGrippo, vice president for threat research at Proofpoint.
While earlier campaigns used macro-laden Microsoft Word attachments in order to drop the payload of the RAT, the latest attacks use links to cloud hosting services. These phishing attacks have been reported to be affecting hundreds of organisations worldwide, with the most common targets being in North America, Europe and the Middle East.
The repeated use of the same themes aside, select infection chains have also involved Discord app URLs that point to compressed files containing AgentTesla or Imminent Monitor malware, indicative of the malicious use of content delivery networks to distribute information-gathering implants for remotely controlling compromised machines.
“Mitigating threats hosted on legitimate services continues to be a difficult vector to defend against as it likely involves implementation of a robust detection stack or policy-based blocking of services which might be business-relevant,” DeGrippo said.
Other techniques of interest employed by TA2541 include the use of Virtual Private Servers (VPS) for their email sending infrastructure and dynamic DNS for command-and-control (C2) activities.
With Microsoft announcing plans to turn off macros by default for internet-downloaded files starting April 2022, the move is expected to push threat actors to shift to other delivery methods should macros become an ineffective way to deliver payloads.
“While macro-laden Office documents are among the most frequently used techniques leading to download and execution of malicious payloads, abuse of legitimate hosting services is also already widespread,” DeGrippo explained.
“Further, we regularly observe actors ‘containerize’ payloads, using archive and image files (e.g., .ZIP, .ISO, etc.). This can also impact the ability to analyze and detect certain environments. As always, threat actors will pivot to use what is effective.”
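As an added illustration from a defender's side (not code from the article or from Proofpoint), the following Python sketch scores mail-gateway records against the traits described above: aviation/logistics lure themes, macro-capable Office attachments, archive or disk-image containers, and links to archives hosted on a legitimate CDN such as Discord's. The sample messages, keyword list and CDN host list are constructed assumptions for the demo, not observed indicators.

```python
from urllib.parse import urlparse

# Constructed sample mail-gateway records (not real TA2541 samples).
SAMPLE_MESSAGES = [
    {"id": "m1", "subject": "Cargo shipment of PPE test kits - invoice attached",
     "attachments": ["shipment_invoice.docm"], "urls": []},
    {"id": "m2", "subject": "Aviation charter logistics quote",
     "attachments": [], "urls": ["https://cdn.discordapp.com/attachments/1/2/quote.zip"]},
    {"id": "m3", "subject": "Flight schedule update",
     "attachments": ["schedule.iso"], "urls": []},
    {"id": "m4", "subject": "Lunch menu this week",
     "attachments": ["menu.pdf"], "urls": ["https://intranet.example.com/menu"]},
]

# Assumed lists for the demo; tune them to the organisation's own telemetry.
LURE_TERMS = ("aviation", "cargo", "shipment", "logistics", "flight", "ppe", "charter")
CONTAINER_EXT = (".zip", ".iso", ".rar", ".7z", ".img")   # "containerized" payloads
MACRO_EXT = (".docm", ".xlsm", ".doc", ".xls")             # macro-capable Office formats
CDN_HOSTS = ("cdn.discordapp.com", "discord.com")          # legitimate hosting abused for delivery


def score_message(msg):
    """Return (score, reasons): one point per TA2541-style trait found in the record."""
    reasons = []
    subject = msg["subject"].lower()
    if any(term in subject for term in LURE_TERMS):
        reasons.append("lure-theme")
    for name in msg["attachments"]:
        lowered = name.lower()
        if lowered.endswith(CONTAINER_EXT):
            reasons.append(f"container-attachment:{name}")
        elif lowered.endswith(MACRO_EXT):
            reasons.append(f"macro-capable-attachment:{name}")
    for url in msg["urls"]:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        # Flag only archive files served from the listed CDN hosts, not every CDN link.
        if host in CDN_HOSTS and parsed.path.lower().endswith(CONTAINER_EXT):
            reasons.append(f"cdn-hosted-archive:{host}")
    return len(reasons), reasons


def triage(messages, threshold=2):
    """Return ids of messages with at least `threshold` matching traits, for analyst review."""
    return [m["id"] for m in messages if score_message(m)[0] >= threshold]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["id"], score_message(m))
    print("flagged:", triage(SAMPLE_MESSAGES))  # flagged: ['m1', 'm2', 'm3']
```

Requiring two traits rather than one keeps a lone logistics-themed subject or a lone ZIP attachment from flooding the review queue.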