TA2541

TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. TA2541 campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.[1][2]

ID: G1018
Contributors: Pooja Natarajan, NEC Corporation India; Aaron Jornet
Version: 1.1
Created: 12 September 2023
Last Modified: 10 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

TA2541 has used WMI to query targeted systems for security products.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

TA2541 has used file names to mimic legitimate Windows files or system functionality.[1]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

TA2541 has used TLS encrypted C2 communications including for campaigns using AsyncRAT.[2]

Enterprise T1568 Dynamic Resolution

TA2541 has used dynamic DNS services for C2 infrastructure.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

TA2541 has placed VBS files in the Startup folder and used Registry run keys to establish persistence for malicious payloads.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

TA2541 has used PowerShell to download files and to inject into various Windows processes.[1]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

TA2541 has used VBS files to execute or establish persistence for additional payloads, often using file names consistent with email themes or mimicking system functionality.[1][2]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

TA2541 has attempted to disable built-in security protections such as Windows AMSI.[1]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

TA2541 has uploaded malware to various platforms including Google Drive, PasteText, ShareText, and GitHub.[1][2]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

TA2541 has used a .NET packer to obfuscate malicious files.[2]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

TA2541 has used compressed and char-encoded scripts in operations.[2]

Enterprise T1204 .001 User Execution: Malicious Link

TA2541 has used malicious links to cloud and web services to gain execution on victim machines.[1][3]

Enterprise T1204 .002 User Execution: Malicious File

TA2541 has used macro-enabled MS Word documents to lure victims into executing malicious payloads.[1][2][4]

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

TA2541 has used mshta to execute scripts including VBS.[2]

Enterprise T1082 System Information Discovery

TA2541 has collected system information prior to downloading malware on the targeted host.[1]

Enterprise T1016 .001 System Network Configuration Discovery: Internet Connection Discovery

TA2541 has run scripts to check internet connectivity from compromised hosts.[2]

Enterprise T1583 .001 Acquire Infrastructure: Domains

TA2541 has registered domains often containing the keywords "kimjoy," "h0pe," and "grace," using domain registrars including Netdorm and No-IP DDNS, and hosting providers including xTom GmbH and Danilenko, Artyom.[1][2]

Enterprise T1583 .006 Acquire Infrastructure: Web Services

TA2541 has hosted malicious files on various platforms including Google Drive, OneDrive, Discord, PasteText, ShareText, and GitHub.[1]

Enterprise T1588 .001 Obtain Capabilities: Malware

TA2541 has used multiple strains of malware available for purchase on criminal forums or in open-source repositories.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

TA2541 has used commodity remote access tools.[2]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

TA2541 has used tools to search victim systems for security products such as antivirus and firewall software.[1]

Enterprise T1105 Ingress Tool Transfer

TA2541 has used malicious scripts and macros with the ability to download additional payloads.[2]

Enterprise T1055 Process Injection

TA2541 has injected malicious code into legitimate .NET related processes including regsvcs.exe, msbuild.exe, and installutil.exe.[1][2]

Enterprise T1055 .012 Process Injection: Process Hollowing

TA2541 has used process hollowing to execute CyberGate malware.[2]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

TA2541 has sent phishing emails with malicious attachments for initial access including MS Word documents.[1][2]

Enterprise T1566 .002 Phishing: Spearphishing Link

TA2541 has used spearphishing e-mails with malicious links to deliver malware.[1][4]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

TA2541 has used scheduled tasks to establish persistence for installed tools.[1]

Software

ID Name References Techniques
S0331 Agent Tesla [1] Windows Management Instrumentation, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Modify Registry, Clipboard Data, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Impair Defenses: Disable or Modify Tools, Exploitation for Client Execution, Screen Capture, Application Layer Protocol: Web Protocols, Application Layer Protocol: Mail Protocols, Archive Collected Data, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Credentials in Registry, Browser Session Hijacking, Obfuscated Files or Information, User Execution: Malicious File, System Binary Proxy Execution: Regsvcs/Regasm, System Information Discovery, System Owner/User Discovery, System Time Discovery, System Network Configuration Discovery, System Network Configuration Discovery: Wi-Fi Discovery, Virtualization/Sandbox Evasion, Video Capture, Account Discovery: Local Account, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection, Process Injection: Process Hollowing, Phishing: Spearphishing Attachment, Hide Artifacts: Hidden Window, Hide Artifacts: Hidden Files and Directories, Scheduled Task/Job: Scheduled Task
S1087 AsyncRAT [1][5][2][4] Dynamic Resolution, Screen Capture, Native API, System Information Discovery, System Owner/User Discovery, Virtualization/Sandbox Evasion: System Checks, Video Capture, Debugger Evasion, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Hide Artifacts: Hidden Window, Scheduled Task/Job: Scheduled Task
S0434 Imminent Monitor [1] Credentials from Password Stores: Credentials from Web Browsers, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter, Impair Defenses: Disable or Modify Tools, File and Directory Discovery, Native API, Obfuscated Files or Information, Indicator Removal: File Deletion, Video Capture, Resource Hijacking: Compute Hijacking, Input Capture: Keylogging, Process Discovery, Remote Services: Remote Desktop Protocol, Exfiltration Over C2 Channel, Hide Artifacts: Hidden Files and Directories, Audio Capture
S0283 jRAT [1] Windows Management Instrumentation, Credentials from Password Stores: Credentials from Web Browsers, Proxy, Clipboard Data, Boot or Logon Initialization Scripts: Startup Items, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: JavaScript, Peripheral Device Discovery, Screen Capture, File and Directory Discovery, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, Indicator Removal: File Deletion, System Information Discovery, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Video Capture, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Remote Services: Remote Desktop Protocol, Audio Capture, Scheduled Transfer
S0198 NETWIRE [1][3] Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Proxy, Masquerading: Match Legitimate Name or Location, Masquerading: Invalid Code Signature, Modify Registry, Create or Modify System Process: Launch Agent, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: XDG Autostart Entries, Boot or Logon Autostart Execution: Login Items, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Unix Shell, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, Application Window Discovery, Archive Collected Data: Archive via Custom Method, Archive Collected Data, Data Staged: Local Data Staging, File and Directory Discovery, Native API, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, Obfuscated Files or Information: Fileless Storage, User Execution: Malicious File, User Execution: Malicious Link, System Information Discovery, System Network Connections Discovery, System Network Configuration Discovery, Web Service, Automated Collection, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection, Process Injection: Process Hollowing, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Hide Artifacts: Hidden Files and Directories, Non-Application Layer Protocol, Scheduled Task/Job: Cron, Scheduled Task/Job: Scheduled Task
S0385 njRAT [1][2] Credentials from Password Stores: Credentials from Web Browsers, Data from Local System, Modify Registry, Dynamic Resolution: Fast Flux DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Peripheral Device Discovery, Impair Defenses: Disable or Modify System Firewall, Screen Capture, Application Layer Protocol: Web Protocols, Application Window Discovery, Data Encoding: Standard Encoding, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Compile After Delivery, Indicator Removal: File Deletion, Indicator Removal: Clear Persistence, System Information Discovery, System Owner/User Discovery, Video Capture, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Remote Services: Remote Desktop Protocol, Remote System Discovery, Exfiltration Over C2 Channel, Replication Through Removable Media, Non-Standard Port
S0379 Revenge RAT [1] Boot or Logon Autostart Execution: Winlogon Helper DLL, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Screen Capture, OS Credential Dumping, Data Encoding: Standard Encoding, System Binary Proxy Execution: Mshta, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Web Service: Bidirectional Communication, Video Capture, Ingress Tool Transfer, Input Capture: Keylogging, Remote Services: Remote Desktop Protocol, Indirect Command Execution, Audio Capture, Scheduled Task/Job: Scheduled Task
S1086 Snip3 [1][5] Windows Management Instrumentation, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Multi-Stage Channels, Drive-by Compromise, Obfuscated Files or Information, Obfuscated Files or Information: Binary Padding, User Execution: Malicious File, User Execution: Malicious Link, System Information Discovery, Web Service, Virtualization/Sandbox Evasion: Time Based Evasion, Virtualization/Sandbox Evasion: System Checks, Ingress Tool Transfer, Process Injection: Process Hollowing, Phishing: Spearphishing Attachment, Phishing: Spearphishing Link, Hide Artifacts: Hidden Window
S0670 WarzoneRAT [1] Rootkit, Event Triggered Execution: Component Object Model Hijacking, Credentials from Password Stores: Credentials from Web Browsers, Data from Local System, Proxy, Modify Registry, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, File and Directory Discovery, Native API, Template Injection, Abuse Elevation Control Mechanism: Bypass User Account Control, User Execution: Malicious File, System Information Discovery, Video Capture, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection, Remote Services: Remote Desktop Protocol, Remote Services: VNC, Exfiltration Over C2 Channel, Phishing: Spearphishing Attachment, Hide Artifacts, Hide Artifacts: Hidden Window, Non-Application Layer Protocol

References