TA2541

Industry: Aerospace, Aviation, Defense, Manufacturing & Transportation | Level: Tactical | Source: ProofPoint

ProofPoint provides research for threat actor group TA2541 that has been observed since 2017 targeting "aviation, aerospace, transportation, and defense industries, among others." The group distributes malicious remote access trojans (RATs) through crafted phishing emails containing malicious links. Following the execution of the malicious link, a vbs file is downloaded invoking PowerShell to download a malicious executable that establishes persistence through process injection. Additional activities for system tampering to lower defenses and system information discovery is initiated prior to the download of the RAT. The threat actor group utilizes a large variety of commodity RATs such as AsyncRAT, NetWire, Parallax and others. The RAT will establish persistence in the startup directory as well as using schtasks. The threat actor's motives and objectives have yet to be identified.

• Anvilogic Scenario: Malicious Document Delivering Malware
• Anvilogic Use Cases:
• Wscript/Cscript Execution
• Powershell DLL/EXE Injection
• New AutoRun Registry Key