Experts Warn of Hacking Group Targeting Aviation and Defense Sectors

Entities in the aviation, aerospace, transportation, manufacturing, and defense industries have been targeted by a persistent threat group since at least 2017 as part of a string of spear-phishing campaigns mounted to deliver a variety of remote access trojans (RATs) on compromised systems.

The use of commodity malware such as AsyncRAT and NetWire, among others, has led enterprise security firm Proofpoint to a “cybercriminal threat actor” codenamed TA2541 that employs “broad targeting with high volume messages.” The ultimate objective of the intrusions is unknown as yet.

Social engineering lures used by the group does not rely on topical themes but rather leverages decoy messages related to aviation, logistics, transportation, and travel. That said, TA2541 did briefly pivot to COVID-19-themed lures in the spring of 2020, distributing emails concerning cargo shipments of personal protective equipment (PPE) or testing kits.

“While TA2541 is consistent in some behaviors, such as using emails masquerading as aviation companies to distribute remote access trojans, other tactics such as delivery method, attachments, URLs, infrastructure, and malware type have changed,” Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, told The Hacker News.

While earlier versions of the campaign utilized macro-laden Microsoft Word attachments to drop the RAT payload, recent attacks include links to cloud services hosting the malware. The phishing attacks are said to strike hundreds of organizations globally, with recurring targets observed in North America, Europe, and the Middle East.

The repeated use of the same themes aside, select infection chains have also involved the use of Discord app URLs that point to compressed files containing AgentTesla or Imminent Monitor malware, indicative of the malicious use of content delivery networks to distribute information gathering implants for remotely controlling compromised machines.

“Mitigating threats hosted on legitimate services continues to be a difficult vector to defend against as it likely involves implementation of a robust detection stack or policy-based blocking of services which might be business-relevant,”…