TA2541, a cybercriminal threat actor tracked by Proofpoint, has been active since January 2017. The group shows persistent, ongoing activity against organizations in the aviation, transportation, and travel sectors. Unlike many cybercriminal groups, TA2541 does not typically build its social engineering lures around current events, trending topics, or news items; instead it uses themes specific to its target industries (for example, aviation parts, shipments, or flight details). The group relies on commodity malware, high-volume messaging, and reusable command and control (C2) infrastructure, reflecting a broad and consistent approach to its operations.
The group's technical tactics, techniques, and procedures (TTPs) include the use of Virtual Private Servers (VPS) for email sending infrastructure and Dynamic DNS (DDNS) for command and control infrastructure. Notably, TA2541 regularly uses the same domain registrars, including Netdorm and No-IP DDNS, and the same hosting providers, such as xTom GmbH and Danilenko, Artyom. A recurring pattern in TA2541 C2 domains and payload staging URLs is the presence of the keywords "kimjoy", "h0pe", and "grace".
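The naming pattern and DDNS usage described above lend themselves to a simple hunting rule over DNS or proxy logs. The following is an added example written for this page, not code from Proofpoint or from the original description. It assumes a constructed three-field log format (`timestamp client_ip host_or_url`), a short list of DDNS suffixes that is an assumption here (No-IP operates several such zones; check the list against your own intelligence before relying on it), and a severity scheme of my own: a keyword match on a DDNS host is rated high, while a keyword alone or a DDNS host alone is rated low and left for triage.

```python
"""Hunt for TA2541-style C2 / payload-staging hosts in DNS or proxy logs.

Added example, not part of the original threat actor description.
Assumptions: log lines are "<timestamp> <client_ip> <host-or-URL>";
the DDNS suffix list below is an assumption and not taken from the page.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Keywords reported in the description for TA2541 C2 domains and staging URLs.
KEYWORDS = ("kimjoy", "h0pe", "grace")

# Assumption: a few zones commonly associated with No-IP DDNS. Extend or
# replace with your own DDNS provider list.
DDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".hopto.org")

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class Hit:
    ts: str
    client: str
    host: str
    reasons: tuple[str, ...]
    severity: str  # "high" or "low"


def extract_host(field: str) -> str:
    """Accept either a bare hostname or a full URL; return a normalized host."""
    if "://" in field:
        return (urlsplit(field).hostname or "").lower()
    return field.lower().rstrip(".")


def classify_host(host: str) -> tuple[tuple[str, ...], str]:
    """Return (reasons, severity) for a host, or ((), "none") if clean."""
    reasons = [f"keyword:{kw}" for kw in KEYWORDS if kw in host]
    has_keyword = bool(reasons)
    has_ddns = any(host.endswith(s) for s in DDNS_SUFFIXES)
    if has_ddns:
        reasons.append("ddns")
    if not reasons:
        return (), "none"
    # Both indicators together match the reported pattern closely; either
    # one alone is weak on its own ("grace" appears in plenty of benign names).
    severity = "high" if (has_keyword and has_ddns) else "low"
    return tuple(reasons), severity


def scan_logs(lines: list[str]) -> list[Hit]:
    """Parse constructed log lines and return every host that matches."""
    hits: list[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts, client, field = m.groups()
        host = extract_host(field)
        reasons, severity = classify_host(host)
        if reasons:
            hits.append(Hit(ts, client, host, reasons, severity))
    return hits


# Constructed sample log lines (not real traffic, not real indicators).
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 10.0.0.5 www.example.com",
    "2024-05-01T10:00:01Z 10.0.0.5 kimjoy-update.ddns.net",
    "2024-05-01T10:00:02Z 10.0.0.7 http://h0pe.no-ip.org/update/file.bin",
    "2024-05-01T10:00:03Z 10.0.0.9 grace.example.org",
    "2024-05-01T10:00:04Z 10.0.0.9 cdn.hopto.org",
    "malformed line without three fields",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOG):
        print(f"{hit.severity:4} {hit.ts} {hit.client} {hit.host} {','.join(hit.reasons)}")
```

Run against the constructed sample, the scan returns two high-severity hits (keyword plus DDNS zone) and two low-severity ones; the low ones are the kind of result that needs analyst triage, since a keyword such as "grace" alone is a weak signal. In a real deployment the DDNS list and the keyword set would be fed from the current intelligence rather than hard-coded.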
TA2541 has varied its malware over time, with AsyncRAT currently its malware of choice. In 2020, Proofpoint observed TA2541 distributing more than 10 different malware families, all delivered through the same initial infection chain. Every family used by TA2541 serves information-gathering purposes and provides remote control of an infected machine. TA2541 is likely to continue using AsyncRAT and vjw0rm in future campaigns, alongside other commodity malware that supports its objectives, and so remains a continuous and significant threat to the sectors it targets.
Description last updated: 2024-05-05T07:45:04.595Z