Proofpoint’s team of researchers has identified TA2541, a cybercriminal who has been targeting the aviation, transportation, manufacturing, defense and aerospace industries for years. TA2541 uses remote access trojans (RATs) to remotely control compromised machines. According to Proofpoint’s findings, this threat actor has been active since 2017.
Proofpoint has been following TA2541 for some time
TA2541 is a persistent cybercriminal who distributes remote access trojans across various industries. Proofpoint has been following this actor for some time and has shown that TA2541 uses consistent tactics, techniques and procedures (TTPs) over time. According to Proofpoint, the cybercriminal sent macro-laden Microsoft Word attachments that downloaded the RAT payload.
Today, the messages more frequently contain links to cloud services such as Google Drive, where the payload is hosted. In the past, during the spring of 2020, TA2541 also exploited topics related to Covid-19 to carry out its attacks. Even in that case, the topics used were consistent with its previous work, focusing on cargo flights and flight information.
Attack campaigns are usually conducted in English and have hit recurring targets in North America, Europe and the Middle East.
The cybercriminal’s activities also revealed by other teams
Note that other research teams (including Cisco Talos, Morphisec, Microsoft, Mandiant and independent researchers) have also published data on similar activities since 2019. As confirmed by Proofpoint, these activities overlap with those of the monitored actor TA2541.