Researchers have discovered a hacking organisation known as TA2541 that has remained undetected for years without changing its techniques. Since 2017, this enigmatic gang has been carrying out phishing and malware attacks.
Concerning TA2541 and its Initiatives
Since the beginning, hackers have used the same strategies, including remotely managing victim PCs, conducting reconnaissance, and stealing crucial data, according to Proofpoint researchers.
The assaults begin with phishing emails containing sensitive information about the individuals and firms targeted, with themes relating to the transportation, aviation, and aerospace industries.
The attackers employed COVID-19-themed lures in one case, but they weren’t very tailored.
Attackers sent them in massive numbers, implying a sense of urgency, in order to trick people into downloading malware. The messages were always written in English.
Using a Variety of RATs
To download a RAT payload, the TA2541 group initially sent emails with macro-laden Word files. However, it has lately begun to use URLs for OneDrive and Google Drive.
The URLs point to a VBS file that has been disguised. When PowerShell is run, it uploads RATs onto Windows systems.
Since the operations began, the organisation has disseminated dozens of different malware payloads, all of which were accessible for sale on dark web forums or in open-source repositories.
AsyncRAT was the most widely distributed RAT in TA2541 campaigns, followed by Parallax, NetWire, and WSH RAT, all of which were used to take remote control of devices and steal data.
Victims and Areas that have been Singled Out
Hundreds of organisations in Europe, the Middle East, and North America have been targeted by the organisation. The industries addressed were aviation, transportation, defence, manufacturing, and aerospace.
The TA2541 group remained concealed for over five years, demonstrating its advanced evasive abilities. The efforts are still going strong, sending phishing emails to people all over the world.