Threat analysts at Proofpoint are today publishing details of a persistent cyber criminal actor that targets organisations in the aviation, aerospace, transport and defence industries with specifically tailored, transportation-themed phishes, such as quotes for parts or fuel, or requests for information on private charters, and avoids trending news topics and other more common lures.
Although the group has been active and tracked for about five years, enough data has now come to light for its various activities to be linked in a single threat activity cluster. Proofpoint has designated it TA2541, and other research units, such as Cisco Talos, have also been on its tail.
Proofpoint assessed the group as a financially motivated cyber criminal actor because of its preference for commodity malware, its broad targeting with high-volume messages, and the nature of its command and control infrastructure.
“What is noteworthy about TA2541 is how little they’ve changed their approach to cyber crime over the past five years, repeatedly using the same themes, often related to aviation, aerospace and transportation to distribute remote access trojans,” said Sherrod DeGrippo, Proofpoint’s VP of threat research and detection. “This group is a persistent threat to targets throughout the transportation, logistics and travel industries.”
TA2541 targets its victims with remote access trojans (Rats) delivered initially through macro-laden Microsoft Word documents, although it has now pivoted to using malicious files hosted on cloud hosting services, with Google Drive particularly favoured.
Of late, it has also started using DiscordApp URLs, and Proofpoint has assessed that Discord is becoming increasingly popular as a content delivery network (CDN). It has also been known to send malicious files as email attachments, although this is rarer.
Typically, TA2541 will use a Visual Basic Script (VBS) file to establish persistence for its payload. It seems especially fond of AsyncRAT malware, but it has used more than 17 commodity malware families in the past. Its most favoured strains include NetWire, WSH RAT and Parallax, but also the likes of Imminent Monitor and AgentTesla.
The group uses virtual private servers to send its emails and has often been seen using Dynamic DNS (DDNS) for command and control (C2) infrastructure. Proofpoint said it had found multiple repeating patterns in the C2 infrastructure and message artefacts, including the use of three key terms, “kimjoy”, “h0pe” and “grace”, in its domains and payload staging URLs. It has also been known to favour the same domain registrars, making use of the likes of Netdorm and No-IP DDNS, and hosting providers such as xTom and Danilenko Artyom.
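A simple hunting check over web proxy logs for the patterns described above (the key terms in hostnames and staging paths, and script files fetched from the Discord CDN). This is an added example, not Proofpoint's own tooling; the log format and the `.invalid` hostnames are constructed, and the key terms are a pivot for triage rather than a verdict on their own.

```python
import re
from urllib.parse import urlparse

# Key terms Proofpoint reported in TA2541 C2 domains and payload staging URLs.
KEY_TERMS = ("kimjoy", "h0pe", "grace")
# Public Discord CDN host; the article notes Discord being used as a CDN for payloads.
CLOUD_HOSTS = ("cdn.discordapp.com",)
# Script extensions consistent with the VBS-based installer described in the article.
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|ps1)$", re.IGNORECASE)


def classify_url(url):
    """Return the list of reasons a URL matches TA2541-style patterns (empty if none)."""
    parsed = urlparse(url)
    host, path = (parsed.hostname or "").lower(), parsed.path.lower()
    reasons = []
    # Substring match is deliberately broad: "grace" also appears in benign names,
    # so a hit here is a triage lead, not a detection by itself.
    if any(term in host or term in path for term in KEY_TERMS):
        reasons.append("key-term")
    if host in CLOUD_HOSTS and SCRIPT_EXT.search(path):
        reasons.append("cloud-hosted-script")
    return reasons


def hunt(log_lines):
    """Parse 'timestamp user url' proxy lines and return (url, reasons) for each hit."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:          # skip malformed or truncated lines
            continue
        url = parts[2]
        reasons = classify_url(url)
        if reasons:
            hits.append((url, reasons))
    return hits


# Constructed sample proxy log, not real telemetry.
SAMPLE_LOG = [
    "2022-02-15T09:12:01 alice https://www.example.com/index.html",
    "2022-02-15T09:12:05 bob https://cdn.discordapp.com/attachments/1234/5678/quote.vbs",
    "2022-02-15T09:12:09 carol http://kimjoy.example-ddns.invalid/stage/payload.bin",
    "2022-02-15T09:13:00 dave https://drive.google.com/uc?export=download&id=ABC",
    "2022-02-15T09:14:00 erin http://h0pe-grace.dynamic-host.invalid/kimjoy/update.vbs",
    "malformed line",
]

if __name__ == "__main__":
    for url, reasons in hunt(SAMPLE_LOG):
        print(f"{url}  <-  {', '.join(reasons)}")
```

The Google Drive line is left unflagged on purpose: direct download links carry no file extension, so that delivery channel needs a different check (for example, file-type inspection of the downloaded content) rather than URL matching.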
Analysis of its various campaigns appears to show that TA2541 uses a rather untargeted approach to acquiring its victims, blasting several thousand email messages to dozens of organisations in one go. Nor does it go after people with specific roles or functions, such as finance or human resources. Many thousands of organisations are thought to have been targeted over the years.
“TA2541 remains a consistent, active threat, especially to entities in its most frequently targeted sectors,” wrote Proofpoint’s analysts. “Proofpoint assesses with high confidence that this threat actor will continue using the same TTPs observed in historic activity with minimal change to its lure themes, delivery and installation.”