TA2541: APT Has Been Shooting RATs at Aviation for Years
2022-02-15 14:02

Though a number of the group's attacks have already been tracked by various researchers - including Microsoft, Mandiant, Cisco Talos, Morphisec and others - since at least 2019, Proofpoint's latest research shares "comprehensive details linking public and private data under one threat activity cluster we call TA2541," researchers wrote.

Previously reported attacks related to TA2541 include Operation Layover, a two-year spyware campaign against the aviation industry that used AsyncRAT and was uncovered by Cisco Talos last September, and a cyberespionage campaign against aviation targets that spread RevengeRAT or AsyncRAT and was revealed by Microsoft last May, among others.

Currently, TA2541 prefers to drop AsyncRAT on victims' machines but is also known to use NetWire, WSH RAT and Parallax, researchers said.

A typical malicious message in a TA2541 campaign uses a lure built around a logistical or transportation theme tied to one of the particular industries it's targeting, researchers said.

Researchers revealed an email that impersonated an aviation company requesting information on aircraft parts, as well as another that requested info on how to transport a medical patient on a stretcher on an ambulatory flight.

Google Drive has been a consistent tool of the threat group, but TA2541 will occasionally use OneDrive to host the malicious VBS files as well, researchers said.


News URL

https://threatpost.com/ta2541-apt-rats-aviation/178422/