Companies in the aerospace, transportation, manufacturing, and defense industries have been targeted by a persistent threat group since at least 2017 in a series of spear-phishing campaigns conducted to deliver a variety of remote access trojans (RATs) onto compromised systems.
The use of off-the-shelf malware such as AsyncRAT and NetWire, among others, has led enterprise security firm Proofpoint to attribute the activity to a “cybercriminal threat actor” codenamed TA2541 that employs “broad targeting with high-volume messages.” The ultimate objective of the intruders is still unknown.
The social engineering lures used by the group are not tied to current events; instead they rely on messages themed around aviation, logistics, transportation and travel. However, in spring 2020, TA2541 briefly switched to COVID-19 themed lures and distributed emails about cargo shipments containing personal protective equipment (PPE) or test kits.
“While TA2541 is consistent in some behaviors, such as using emails masquerading as airlines to proliferate remote access trojans, other tactics such as delivery method, attachments, URLs, infrastructure and malware type have changed,” Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, told The Hacker News.
While earlier iterations of the campaign used macro-laden Microsoft Word attachments to drop the RAT payload, more recent attacks include links to cloud services hosting the malware. The phishing attacks are said to have hit hundreds of organizations worldwide, with recurring targets observed in North America, Europe and the Middle East.
Aside from the repeated use of the same themes, selected infection chains have also included Discord app URLs pointing to compressed files containing AgentTesla or Imminent Monitor malware, indicating malicious use of content delivery networks to distribute information-gathering implants that remotely control compromised machines.
“Defending against threats hosted on legitimate services remains an elusive vector to defend, as it likely requires the implementation of a robust detection stack or policy-based blocking of services that may be business critical,” DeGrippo said.
Other interesting techniques employed by TA2541 include the use of Virtual Private Servers (VPS) for their email sending infrastructure and Dynamic DNS for Command and Control (C2) activities.
With Microsoft planning to disable macros by default for files downloaded from the web starting April 2022, threat actors are expected to switch to other methods once macros become an ineffective delivery mechanism.
“While macro-laden office documents are among the most common techniques that lead to the downloading and execution of malicious payloads, legitimate hosting services are also widely abused,” DeGrippo explained.
“In addition, we regularly observe how actors ‘containerize’ payloads using archive and image files (e.g. .ZIP, .ISO, etc.), which can also affect the ability to detect and analyze in some environments. As always, threat actors will shift to using what’s effective.”
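The traits the article attributes to TA2541 (transport and aviation themed subjects, macro-enabled Office attachments, payloads "containerized" in archive or image files, and file links hosted on legitimate services such as Discord) can be turned into a simple triage rule for email-gateway records. The script below is an added illustration, not Proofpoint's detection logic; the message records are constructed, the `cdn.discordapp.com` host is assumed to be how Discord attachment links appear, and `.img` is an assumed addition to the `.ZIP, .ISO, etc.` containers the article names.

```python
"""Triage constructed email-gateway records for the TA2541 traits described in the article.

Added example; the sample messages are made up and not real telemetry.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Archive/image containers: .zip and .iso come from the article, .img is an assumed addition.
CONTAINER_EXTENSIONS = (".zip", ".iso", ".img")

# Legitimate hosting services abused for payload delivery; the Discord CDN host is an assumption.
ABUSED_FILE_HOSTS = {"cdn.discordapp.com"}

# Macro-enabled Office extensions (note .doc can carry macros too but is not distinguishable by name).
MACRO_EXTENSIONS = (".docm", ".xlsm")

# Lure vocabulary drawn from the themes the article describes.
LURE_RE = re.compile(r"\b(aviation|airline|cargo|shipment|flight|logistics|ppe|test kit)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def container_extension(name: str) -> Optional[str]:
    """Return the container extension of a filename or URL path, or None."""
    lowered = name.lower().rstrip("/")
    for ext in CONTAINER_EXTENSIONS:
        if lowered.endswith(ext):
            return ext
    return None


def triage(message: Dict) -> List[str]:
    """Return the TA2541-style traits found in one gateway record (empty list if none)."""
    reasons: List[str] = []
    if LURE_RE.search(message.get("subject", "")):
        reasons.append("transport/aviation lure subject")

    for att in message.get("attachments", []):
        ext = container_extension(att)
        if ext:
            reasons.append(f"container attachment {ext}")
        if att.lower().endswith(MACRO_EXTENSIONS):
            reasons.append("macro-enabled Office attachment")

    for url in URL_RE.findall(message.get("body", "")):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if host in ABUSED_FILE_HOSTS:
            reasons.append(f"file link on abused legitimate service {host}")
        ext = container_extension(parsed.path)
        if ext:
            reasons.append(f"link to container file {ext}")
    return reasons


# Constructed sample records: two resembling the article's lures, one benign.
SAMPLE_MESSAGES = [
    {"id": "m1", "subject": "Cargo shipment: PPE test kits",
     "body": "Details: https://cdn.discordapp.com/attachments/111/222/invoice.zip",
     "attachments": []},
    {"id": "m2", "subject": "Flight itinerary update",
     "body": "See attached.", "attachments": ["itinerary.docm"]},
    {"id": "m3", "subject": "Weekly team lunch",
     "body": "https://example.com/menu.html", "attachments": ["menu.pdf"]},
]


def triage_all(messages: List[Dict]) -> Dict[str, List[str]]:
    """Map each message id to the list of traits found in it."""
    return {m["id"]: triage(m) for m in messages}


if __name__ == "__main__":
    for msg_id, reasons in triage_all(SAMPLE_MESSAGES).items():
        print(msg_id, "->", reasons or "no TA2541 traits")
```

Each trait on its own is weak evidence (a real logistics firm mails about cargo all day), so a rule like this is better used to raise a review score than to block outright, which is the trade-off DeGrippo describes between a detection stack and policy-based blocking of business-critical services.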