Researchers Warn that TA2541 Hacker Group Targeting Aerospace and Transportation Sectors

The cybersecurity analysts at Proofpoint security firm have recently warned about TA2541 hacker Group, which is actively targeting several volatile sectors through malicious email campaigns. 

Here are the sectors that are targeted by the operators of the TA2541 hacker group:-

  • Aviation sector
  • Aerospace sector
  • Transportation sector
  • Defense sector
  • Manufacturing sector

TA254’s Campaign

The TA2541 hacker group is an advanced persistent threat (APT) group that has performed several cyber espionage and spyware attacks against the above industries since 2017 with high-volume malicious email campaigns. 

It’s been observed that the operators of this APT group are actively using the aviation, transportation, and travel-related themes to compromise their targets with several types of RATs.

The operators of the TA254 APT group mainly rely on the ongoing events in which they apply advanced and consistent TTPs to send malicious emails with macro-enabled Word attachments through which they deploy their payloads on the system of their victim.

Payload Delivery

However, recently cybersecurity researchers have discovered that the TA2541 APT uses the links to payloads that are hosted on several popular cloud services.

Here are the cloud services used by this APT group to deliver their payloads:-

  • Google Drive
  • OneDrive
  • GitHub
  • Pastetext
  • Sharetext

Here’s what the Proofpoint researchers have stated:-

“If executed, PowerShell pulls an executable from a text file hosted on various platforms such as Pastetext, Sharetext, and GitHub. The threat actor executes PowerShell into various Windows processes and queries Windows Management Instrumentation (WMI) for security products such as antivirus and firewall software, and attempts to disable built-in security protections.”

Apart from this, since 2017, the operators of TA2541 have used several other commodity malware families, but, currently, they mainly use the AsyncRAT malware.

While apart from AsyncRAT, they have also used several other malware families like:-

  • NetWire
  • Parallax
  • WSH RAT
  • Revenge RAT
  • vjw0rm
  • Luminosity Link
  • njRAT

Moreover, it’s been observed that the TA2541 group using DiscordApp URLs in late 2021, and as an attack vector, all these URLs link to the compressed files like:-

  • AgentTesla
  • Imminent Monitor

Not only that, even instead of cloud-based service links, the operators of the TA2541 group also use email attachments with embedded executables that contain URLs to CDNs with malware payload hosted.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.