TA2541 Hacker Group Spreads RATs in spear-phishing attacks
Table of contents:
On February 15, 2022, Proofpoint researchers warned about the TA2541 hacker group. A criminal cluster dubbed TA2541 has been active since 2017 (yet, managing to stay rather low-key) and is reported to consistently spread remote access trojans (RATs), enabling adversaries to obtain sensitive data from the breached networks and devices, or even get control of the compromised system. The above-mentioned report is in line with the data provided by several other IT and cybersecurity companies, such as Microsoft, Morphisec, Cisco Talos, and Mandiant.
Threat Activity Cluster TA2541
According to the current information, TA2541 is an advanced persistent threat (APT) organization that has been displaying consistency in employed tactics, techniques, and procedures over time. Operators of the TA2541 hacker group have been using profuse malicious email campaigns to carry out multiple espionage and spyware offenses aimed at the key industries for five years now, engaging in high-dollar crimes. The list of affected sectors includes but is not limited to aviation, transportation, defense, aerospace, and manufacturing.
This threat activity cluster managed to stay quite successfully under the radar over the years, so there is not much information available about their operations. However, enough cases can be traced back to this APT, with most of the group’s targets located in the USA, Europe, and the Middle East.
TA2541 Campaigns
TA2541 APT uses commodity malware to get hold of the victims’ networks and devices. Researchers report that the TA2541 prefers to bombard victims with phishing emails with macro-enabled Microsoft Word documents to deliver RAT payloads. In those high-volume phishing campaigns, hackers behind TA2541 entice email recipients with industry-specific topics. Those bait tactics are typically built around bogus transportation-related issues, urging victims to open the infected document, click a link, leading to payloads hosted on cloud services, most commonly Google Drive or OneDrive.
In the most recent campaigns, TA2541 used Visual Basic Script (VBS), available through a Google Drive URL, Proofpoint researchers said. The APT operators abuse PowerShell to run executables in an attempt to kill system protections. It was also detected that TA2541 collects system information before installing RATs.
TA2541 Cyber-Attacks Detection
To boost your defenses against attacks linked to TA2541 and detect possible compromises of your infrastructure, download a Sigma rule released by our keen Threat Bounty developer Osman Demir:
TA2541 Targeting Aviation, Aerospace, Transportation and Defense Industries (via process_creation)
This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, LimaCharlie, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Chronicle Security, LimaCharlie, Microsoft Defender ATP, Apache Kafka ksqlDB, Carbon Black, AWS OpenSearch, Securonix, and Open Distro.
The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Execution tactic with Command and Scripting Interpreter as the main technique (T1059).
Join SOC Prime, the world’s first platform for collaborative cyber defense, threat hunting, and discovery that integrates with 20+ SIEM and XDR platforms. Hunt for the latest threats, automate threat investigation, and get feedback and vetting by 20,000+ community of security professionals to boost your security operations. Crafting your own content? Tap into the power of the world’s largest cyber defense community by joining the SOC Prime Threat Bounty program, and earn stable income by sharing your detection content.