Hack group TA2541 has been attacking the aviation and transport sectors for years

Hack group TA2541
Written by Emma Davis

Proofpoint specialists discovered a hack group, which was assigned the ID TA2541. The researchers believe that the attackers have been operating out of Nigeria since 2017 and that their activity focuses on several industries, including aviation, defense and transportation in North America, Europe and the Middle East.

According to the researchers, the members of TA2541 are not particularly skilled, care little about concealing their actions, and often use ready-made malware. The group's activity has previously attracted the attention of other companies and has appeared in reports from Cisco Talos, Mandiant, Microsoft, Morphisec and independent researchers.

"TA2541 uses themes related to aviation, transportation, and travel. When Proofpoint first started tracking this actor, the group sent macro-laden Microsoft Word attachments that downloaded the RAT payload. The group pivoted, and now they more frequently send messages with links to cloud services such as Google Drive hosting the payload," Proofpoint experts say.

Typically, the attackers rely on mass phishing emails, almost always written in English, to encourage victims to download malicious files (usually Microsoft Word documents) hosted in cloud storage, since the hackers know that links to such services are rarely blocked inside large companies. The size of these spam campaigns ranged from hundreds to several thousand emails.

"There appears to be a wide distribution across recipients, indicating TA2541 does not target people with specific roles and functions," Proofpoint specialists note.

Once the victim downloads and runs such a file, it installs malware, namely a remote access trojan (RAT), which gives TA2541 members access to the infected computer.
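A defender-side triage heuristic for the delivery chain described above (themed lure, link to cloud storage, macro-capable Office attachment), added here as an example in Python; it is not part of the original article or of Proofpoint's research, and the keyword list, the cloud hosts beyond Google Drive, and the sample messages are constructed assumptions:

```python
import re
from urllib.parse import urlparse

# Lure themes named in the article; the exact word list is an assumption.
LURE_KEYWORDS = ("aviation", "aircraft", "flight", "cargo", "shipment",
                 "transport", "travel", "charter", "logistics")
# Google Drive is the host the article names; the others are assumed additions.
CLOUD_HOSTS = ("drive.google.com", "docs.google.com", "onedrive.live.com",
               "1drv.ms", "dropbox.com")
# Macro-capable Office attachments (the group's earlier delivery method).
MACRO_EXT = re.compile(r"\.(docm?|dotm?|xlsm?)$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def is_cloud_host(url):
    """True when the URL's hostname is (a subdomain of) a listed cloud storage host."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in CLOUD_HOSTS)


def score_email(subject, body, attachments=()):
    """Return (score, reasons); each TA2541-style trait adds one point."""
    reasons = []
    text = f"{subject} {body}".lower()
    if any(k in text for k in LURE_KEYWORDS):
        reasons.append("aviation/transport/travel lure theme")
    if any(is_cloud_host(u) for u in URL_RE.findall(body)):
        reasons.append("link to cloud storage")
    if any(MACRO_EXT.search(a) for a in attachments):
        reasons.append("macro-capable Office attachment")
    return len(reasons), reasons


def triage(messages, threshold=2):
    """Return ids of messages whose score meets the threshold (review queue)."""
    return [m["id"] for m in messages
            if score_email(m["subject"], m["body"], m.get("attachments", ()))[0] >= threshold]


# Constructed sample mailbox (not real messages).
SAMPLE_MESSAGES = [
    {"id": "m1", "subject": "Urgent: aircraft parts shipment quotation",
     "body": "Please review the quote: https://drive.google.com/file/d/EXAMPLE_ID/view"},
    {"id": "m2", "subject": "Flight schedule change",
     "body": "Updated roster attached.", "attachments": ["roster.docm"]},
    {"id": "m3", "subject": "Team lunch photos",
     "body": "Album: https://drive.google.com/drive/folders/EXAMPLE_FOLDER"},
    {"id": "m4", "subject": "Quarterly budget", "body": "See intranet page.",
     "attachments": ["budget.xlsx"]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["id"], score_email(msg["subject"], msg["body"], msg.get("attachments", ())))
    print("flagged:", triage(SAMPLE_MESSAGES))
```

A single trait (a Google Drive link on its own) is common in legitimate mail, so only the combination of traits is queued for review.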


Proofpoint writes that over the years of its existence the group has used a variety of RATs for this purpose, almost always relying on commodity malware that can be purchased on hacker forums. The group's favorites appear to be AsyncRAT, NetWire, WSH RAT and Parallax, which are the ones most commonly seen in its attacks.


All the malware used by TA2541 can be used to collect information, but the attackers' ultimate goal is still unknown.

Let me remind you that we also wrote that Hackers Send Anti-Capitalist Spam to Receipt Printers, and also that a Spammer bombarded the Babuk ransomware forum with gay porn.


About the author

Emma Davis

I'm a writer and content manager (I recently completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
