A threat group Proofpoint researchers call "TA2541" has used emails surrounding the pandemic to lure victims in critical industries. Pictured: Lorries heading to Europe park in a service station as they wait for travel restrictions to be lifted on Dec. 21, 2020, in Dover, England. (Photo by Dan Kitwood/Getty Images)

Researchers on Tuesday reported that they have tracked a persistent cybercrime threat actor that has used remote access trojans (RATs) to take over and compromise machines in the aviation, aerospace, transportation, manufacturing, and defense industries for several years.

In a blog post, Proofpoint researchers said that while public reporting detailing similar threat activity has existed since at least 2019, this is the first time Proofpoint has shared comprehensive details linking public and private data under one threat activity cluster, which it now calls TA2541.

Proofpoint has tracked this threat actor since 2017, and it has used consistent tactics, techniques, and procedures (TTPs) in that time. Entities in the targeted sectors should be aware of the actor's TTPs and use the information provided for hunting and detection.

TA2541’s TTPs highlight how threat actors are not monolithic when it comes to spear phishing campaigns, said Austin Merritt, cyber threat intelligence analyst at Digital Shadows. Merritt said while the threat group initially adopted a common phishing lure by sending emails themed around the pandemic, it appears the group pivoted to messages that were aligned with the cargo and transportation industries, instead of current events.

“It's likely that TA2541’s ramping up its volume and frequency of phishing attacks against the transportation and cargo industry is intentional, given that organizations in these industries have been under increasing pressure from supply chain issues, labor shortages and other factors related to the pandemic,” Merritt said.

Merritt said the messaging in TA2541's phishing campaigns is not only intended to elicit a response from unsuspecting victims, but it primarily strives to have victims click on macro-laden Word, Excel, and PDF documents that can deploy malware onto their systems. In more recent campaigns, Merritt said TA2541 has used Google Drive and OneDrive links to host malicious Visual Basic Script (VBS) files.
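The two delivery patterns described above (industry- or pandemic-themed mail carrying document attachments, and links to Google Drive or OneDrive that resolve to a .vbs file) can be turned into a simple hunting rule over mail-gateway records. The script below is an added example written for this article, not Proofpoint's or Digital Shadows' tooling; the email records, theme words, and cloud-host list are constructed assumptions to be tuned against a real export.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample records (not from the Proofpoint report); a real feed
# would come from a mail gateway or SIEM export with the same fields.
SAMPLE_EMAILS = [
    {"id": "m1", "subject": "Air cargo shipment documents attached",
     "attachments": ["Shipment_Docs.docm"], "urls": []},
    {"id": "m2", "subject": "COVID-19 transport restriction update",
     "attachments": [],
     "urls": ["https://drive.google.com/uc?export=download&id=EXAMPLEID&name=Update.vbs"]},
    {"id": "m3", "subject": "Weekly team meeting notes",
     "attachments": ["notes.txt"], "urls": ["https://intranet.example.com/wiki"]},
]

# Assumed host list and lure vocabulary; extend from your own telemetry.
CLOUD_HOSTS = {"drive.google.com", "docs.google.com", "onedrive.live.com", "1drv.ms"}
DOC_EXTS = (".doc", ".docm", ".xls", ".xlsm", ".pdf")
THEME_TERMS = ("cargo", "shipment", "freight", "transport", "aviation", "covid", "pandemic")


def cloud_hosted_script(url):
    """True if the URL points at a consumer cloud-storage host and names a .vbs file,
    either in the path or in a query parameter (e.g. a download-name field)."""
    parsed = urlparse(url)
    if (parsed.hostname or "").lower() not in CLOUD_HOSTS:
        return False
    candidates = [parsed.path.lower()]
    candidates += [v.lower() for values in parse_qs(parsed.query).values() for v in values]
    return any(c.endswith(".vbs") for c in candidates)


def assess(email):
    """Return (flagged, reasons) for one mail record."""
    reasons = []
    subject = email["subject"].lower()
    themed = any(term in subject for term in THEME_TERMS)
    if themed:
        reasons.append("theme")
    if any(a.lower().endswith(DOC_EXTS) for a in email["attachments"]):
        reasons.append("document_attachment")
    if any(cloud_hosted_script(u) for u in email["urls"]):
        reasons.append("cloud_hosted_vbs")
    # A themed subject alone is ordinary business mail; flag only the combinations.
    flagged = "cloud_hosted_vbs" in reasons or (themed and "document_attachment" in reasons)
    return flagged, reasons


def hunt(emails):
    """Map message id -> reasons for every record the rule flags."""
    hits = {}
    for email in emails:
        flagged, reasons = assess(email)
        if flagged:
            hits[email["id"]] = reasons
    return hits


if __name__ == "__main__":
    for msg_id, reasons in hunt(SAMPLE_EMAILS).items():
        print(msg_id, reasons)
```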

“It's realistically possible that cybercriminals will resort to such links in future campaigns instead of Microsoft Office documents, especially given Microsoft's recent decision to block Office VBA macros by default,” added Merritt.

Mike Parkin, engineer at Vulcan Cyber, said the news of a threat actor targeting a specific vertical, in this case transportation with a tighter focus on aerospace, is not a major surprise.

“Like commercial entities that target specific verticals for their applications, threat actors can specialize in certain victims,” Parkin said. “While the report didn’t mention motive, the nature of the targets and the use of commodity malware should give investigators a hint as to what this group is after.”