TA2541: Threats to Aviation, Aerospace, & Travel | Proofpoint US

Proofpoint details TA2541, a persistent cybercrime actor targeting aviation, aerospace, transportation, manufacturing, and defense sectors since 2017, primarily deploying remote access trojans (RATs) such as AsyncRAT. The group uses aviation- and travel-themed lures and hosts payloads on Google Drive, DiscordApp, and other delivery channels, with PowerShell-driven installation and VBS-based persistence. #TA2541 #AsyncRAT

Keypoints

  • TA2541 is a persistent cybercrime actor tracked since 2017, targeting aviation, aerospace, transportation, manufacturing, and defense sectors.
  • The actor consistently uses remote access trojans (RATs), with AsyncRAT as the current payload preference and other RATs (NetWire, WSH RAT, Parallax) observed.
  • The campaigns rely on aviation/travel-themed lures, and initially used macro-laden Word attachments but shifted to links hosted on cloud services like Google Drive (and OneDrive) and, later, DiscordApp.
  • Delivery and installation involve obfuscated VBS files delivered via Google Drive/Discord, with PowerShell downloading and executing payloads after probing for security software via WMI.
  • Persistence is achieved through startup folder VBS files, PowerShell scripts, and scheduled tasks or registry Run keys.
  • TA2541 operates a broad infrastructure with DDNS-based C2 and domain patterns (e.g., kimjoy, h0pe, grace), and has historically launched campaigns with hundreds to thousands of messages across regions.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – macro-laden Word attachments delivered the RAT payload. Quote: ‘macro-laden Microsoft Word attachments that downloaded the RAT payload.’
  • [T1059.001] PowerShell – Used to download and execute the payload. Quote: ‘The threat actor executes PowerShell into various Windows processes and queries Windows Management Instrumentation (WMI) for security products, and attempts to disable built-in security protections.’
  • [T1047] Windows Management Instrumentation – Used to query security products and disable protections. Quote: ‘queries Windows Management Instrumentation (WMI) for security products such as antivirus and firewall software, and attempts to disable built-in security protections.’
  • [T1082] System Information Discovery – Collected system information before downloading the RAT. Quote: ‘collect system information before downloading the RAT on the host.’
  • [T1027] Obfuscated/Compressed Files and Information – Obfuscated Visual Basic Script (VBS) file used. Quote: ‘obfuscated Visual Basic Script (VBS) file.’
  • [T1059.005] Visual Basic – Visual Basic Script used to establish persistence. Quote: ‘Typically, TA2541 will use Visual Basic Script (VBS) files to establish persistence with one of their favorite payloads, AsyncRAT. This is accomplished by adding the VBS file in the startup directory which points to a PowerShell script.’
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Startup directory persistence via VBS and PowerShell script. Quote: ‘adding the VBS file in the startup directory which points to a PowerShell script.’
  • [T1053.005] Scheduled Task – Persistence via scheduled tasks. Quote: ‘schtasks.exe /Create /TN “UpdatesBQVIiVtepLtz” /XML C:\Users\[User]\AppData\Local\Temp\tmp7CF8.tmp’
  • [T1105] Ingress Tool Transfer – Download of payload from remote text hosting. Quote: ‘PowerShell pulls an executable from a text file hosted on various platforms such as Pastetext, Sharetext, and GitHub.’
  • [T1071.001] Web Protocols – C2 domains and staging URLs used for command and control. Quote: ‘TA2541 uses C2 domains and payload staging URLs containing the keywords “kimjoy,” “h0pe,” and “grace”.’
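A defender-side illustration of the chain summarised above (startup-folder VBS handing off to PowerShell, PowerShell querying WMI for security products, and schtasks /Create driven by an XML file in %TEMP%), as an added Python example that is not from the Proofpoint report: three rules are run over constructed Sysmon-style process-creation events. The WMI class names, field names, user name, and file paths are assumptions made for the sample.

```python
import re

# Patterns modelled on the TA2541 chain summarised above. The WMI class names
# (root\SecurityCenter2 AntiVirusProduct/FirewallProduct) are an assumption about
# what "queries WMI for security products" looks like in a command line.
STARTUP_VBS_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.vbs", re.I)
SCHTASKS_TEMP_RE = re.compile(r"schtasks(\.exe)?\s+/Create\b.*?/XML\s+\S*\\Temp\\", re.I)
WMI_SECURITY_RE = re.compile(r"SecurityCenter2|AntiVirusProduct|FirewallProduct", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

def classify(event):
    """Return the names of the rules a process-creation event matches."""
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    hits = []
    # Startup-folder VBS (run by wscript/cscript) handing off to PowerShell.
    if (image.endswith("powershell.exe") and parent.endswith(SCRIPT_HOSTS)
            and STARTUP_VBS_RE.search(event["ParentCommandLine"])):
        hits.append("startup_vbs_spawns_powershell")
    # Scheduled task created from an XML definition dropped in %TEMP%.
    if SCHTASKS_TEMP_RE.search(event["CommandLine"]):
        hits.append("schtasks_create_from_temp_xml")
    # PowerShell enumerating installed security products via WMI.
    if image.endswith("powershell.exe") and WMI_SECURITY_RE.search(event["CommandLine"]):
        hits.append("powershell_wmi_security_product_query")
    return hits

def scan(events):
    """Map event id -> matched rules, for events that fire at least one rule."""
    return {e["id"]: classify(e) for e in events if classify(e)}

def _ev(eid, parent, parent_cmd, image, cmd):
    return {"id": eid, "ParentImage": parent, "ParentCommandLine": parent_cmd,
            "Image": image, "CommandLine": cmd}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
# Constructed Sysmon-style events; user name, paths and task name are illustrative.
SAMPLE_EVENTS = [
    _ev(1, WSCRIPT, r'wscript.exe "C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\charters details.pdf.vbs"',
        PS, r"powershell.exe -File C:\Users\u\AppData\Roaming\update.ps1"),
    _ev(2, PS, "", r"C:\Windows\System32\schtasks.exe",
        r'schtasks.exe /Create /TN "UpdatesBQVIiVtepLtz" /XML C:\Users\u\AppData\Local\Temp\tmp7CF8.tmp'),
    _ev(3, WSCRIPT, r"wscript.exe C:\Users\u\Downloads\details.vbs",
        PS, r"powershell.exe -Command Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct"),
    _ev(4, r"C:\Windows\explorer.exe", "", PS, "powershell.exe -Command Get-Process"),
    _ev(5, r"C:\Windows\System32\cmd.exe", "", r"C:\Windows\System32\schtasks.exe",
        r"schtasks.exe /Create /TN Backup /XML C:\ProgramData\backup\task.xml"),
]
```

Events 4 and 5 are benign controls: an interactive PowerShell session and a task created from an XML file outside %TEMP% fire no rule.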

Indicators of Compromise

  • [C2 Domains] Context – joelthomas[.]linkpc[.]net, rick63[.]publicvm[.]com, and other C2 domains observed in 2021–2022
  • [VBS SHA256 Hashes] Context – 67250d5e5cb42df505b278e53ae346e7573ba60a06c3daac7ec05f853100e61c, ebd7809cacae62bc94dfb8077868f53d53beb0614766213d48f4385ed09c73a6
  • [File Names] Context – Aircrafts PN#_ALT PN#_Desc_&_Qty Details.vbs, charters details.pdf.vbs

Read more: https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight