TA2541

TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. TA2541 campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.[1][2]

ID: G1018
Contributors: Pooja Natarajan, NEC Corporation India; Aaron Jornet
Version: 1.1
Created: 12 September 2023
Last Modified: 10 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

TA2541 has registered domains often containing the keywords "kimjoy," "h0pe," and "grace," using domain registrars including Netdorm and No-IP DDNS, and hosting providers including xTom GmbH and Danilenko, Artyom.[1][2]

Enterprise T1583 .006 Acquire Infrastructure: Web Services

TA2541 has hosted malicious files on various platforms including Google Drive, OneDrive, Discord, PasteText, ShareText, and GitHub.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

TA2541 has placed VBS files in the Startup folder and used Registry run keys to establish persistence for malicious payloads.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

TA2541 has used PowerShell to download files and to inject into various Windows processes.[1]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

TA2541 has used VBS files to execute or establish persistence for additional payloads, often using file names consistent with email themes or mimicking system functionality.[1][2]

Enterprise T1568 Dynamic Resolution

TA2541 has used dynamic DNS services for C2 infrastructure.[1]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

TA2541 has used TLS encrypted C2 communications including for campaigns using AsyncRAT.[2]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

TA2541 has attempted to disable built-in security protections such as Windows AMSI.[1]

Enterprise T1105 Ingress Tool Transfer

TA2541 has used malicious scripts and macros with the ability to download additional payloads.[2]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

TA2541 has used file names to mimic legitimate Windows files or system functionality.[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

TA2541 has used a .NET packer to obfuscate malicious files.[2]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

TA2541 has used compressed and char-encoded scripts in operations.[2]

Enterprise T1588 .001 Obtain Capabilities: Malware

TA2541 has used multiple strains of malware available for purchase on criminal forums or in open-source repositories.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

TA2541 has used commodity remote access tools.[2]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

TA2541 has sent phishing emails with malicious attachments for initial access including MS Word documents.[1][2]

Enterprise T1566 .002 Phishing: Spearphishing Link

TA2541 has used spearphishing e-mails with malicious links to deliver malware.[1][3]

Enterprise T1055 Process Injection

TA2541 has injected malicious code into legitimate .NET related processes including regsvcs.exe, msbuild.exe, and installutil.exe.[1][2]

Enterprise T1055 .012 Process Injection: Process Hollowing

TA2541 has used process hollowing to execute CyberGate malware.[2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

TA2541 has used scheduled tasks to establish persistence for installed tools.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

TA2541 has used tools to search victim systems for security products such as antivirus and firewall software.[1]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

TA2541 has uploaded malware to various platforms including Google Drive, Pastetext, Sharetext, and GitHub.[1][2]

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

TA2541 has used mshta to execute scripts including VBS.[2]

Enterprise T1082 System Information Discovery

TA2541 has collected system information prior to downloading malware on the targeted host.[1]

Enterprise T1016 .001 System Network Configuration Discovery: Internet Connection Discovery

TA2541 has run scripts to check internet connectivity from compromised hosts.[2]

Enterprise T1204 .001 User Execution: Malicious Link

TA2541 has used malicious links to cloud and web services to gain execution on victim machines.[1][4]

Enterprise T1204 .002 User Execution: Malicious File

TA2541 has used macro-enabled MS Word documents to lure victims into executing malicious payloads.[1][2][3]

Enterprise T1047 Windows Management Instrumentation

TA2541 has used WMI to query targeted systems for security products.[1]
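
A triage sketch for four behaviours listed in the table above (VBS files in the Startup folder, mshta running VBS, the .NET utilities named as injection targets, and the domain keywords). It is an added example, not part of the ATT&CK entry. The event field names, the sample events, and the suspicious-parent heuristic are assumptions.

```python
import re

# Values taken from the technique table above.
DOMAIN_KEYWORDS = ("kimjoy", "h0pe", "grace")
DOTNET_TARGETS = {"regsvcs.exe", "msbuild.exe", "installutil.exe"}
# Assumption: script hosts and Word are unusual parents for .NET utilities.
SUSPECT_PARENTS = {"wscript.exe", "cscript.exe", "powershell.exe",
                   "mshta.exe", "winword.exe"}
STARTUP_VBS = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.vbs$", re.I)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def match_event(ev):
    """Return the ATT&CK technique IDs that one event dict matches."""
    hits = []
    kind = ev.get("type")
    if kind == "file_create" and STARTUP_VBS.search(ev.get("path", "")):
        hits.append("T1547.001")
    elif kind == "process_create":
        image = basename(ev.get("image", ""))
        parent = basename(ev.get("parent_image", ""))
        cmd = ev.get("command_line", "").lower()
        if image == "mshta.exe" and ("vbscript" in cmd or ".vbs" in cmd):
            hits.append("T1218.005")
        # Heuristic only: a likely injection host started by a script host.
        if image in DOTNET_TARGETS and parent in SUSPECT_PARENTS:
            hits.append("T1055")
    elif kind == "dns_query":
        # Low-fidelity keyword match ("grace" is a common word): triage only.
        if any(k in ev.get("query", "").lower() for k in DOMAIN_KEYWORDS):
            hits.append("T1583.001")
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\u1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemUpdate.vbs"},
    {"type": "process_create", "image": r"C:\Windows\System32\mshta.exe", "parent_image": r"C:\Windows\explorer.exe", "command_line": r'mshta.exe "C:\Users\u1\Downloads\flight_details.vbs"'},
    {"type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "command_line": "RegSvcs.exe"},
    {"type": "process_create", "image": r"C:\Program Files\MSBuild\MSBuild.exe", "parent_image": r"C:\Program Files\IDE\devenv.exe", "command_line": "MSBuild.exe app.sln"},
    {"type": "dns_query", "query": "kimjoy-host.example"},
    {"type": "dns_query", "query": "intranet.example"},
]

def triage(events):
    """Return (index, technique IDs) for every event with at least one hit."""
    return [(i, h) for i, h in ((i, match_event(e)) for i, e in enumerate(events)) if h]
```

The keyword and parent-process rules are coarse filters; hits are leads to correlate with other telemetry, not verdicts.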

Software

ID Name References Techniques
S0331 Agent Tesla [1] Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Application Layer Protocol: Mail Protocols, Archive Collected Data, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Session Hijacking, Clipboard Data, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Deobfuscate/Decode Files or Information, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Exploitation for Client Execution, Hide Artifacts: Hidden Window, Hide Artifacts: Hidden Files and Directories, Impair Defenses: Disable or Modify Tools, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Phishing: Spearphishing Attachment, Process Discovery, Process Injection, Process Injection: Process Hollowing, Scheduled Task/Job: Scheduled Task, Screen Capture, System Binary Proxy Execution: Regsvcs/Regasm, System Information Discovery, System Network Configuration Discovery, System Network Configuration Discovery: Wi-Fi Discovery, System Owner/User Discovery, System Time Discovery, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Credentials in Registry, User Execution: Malicious File, Video Capture, Virtualization/Sandbox Evasion, Windows Management Instrumentation
S1087 AsyncRAT [1][5][2][3] Debugger Evasion, Dynamic Resolution, Hide Artifacts: Hidden Window, Ingress Tool Transfer, Input Capture: Keylogging, Native API, Process Discovery, Scheduled Task/Job: Scheduled Task, Screen Capture, System Information Discovery, System Owner/User Discovery, Video Capture, Virtualization/Sandbox Evasion: System Checks
S0434 Imminent Monitor [1] Audio Capture, Command and Scripting Interpreter, Credentials from Password Stores: Credentials from Web Browsers, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Impair Defenses: Disable or Modify Tools, Indicator Removal: File Deletion, Input Capture: Keylogging, Native API, Obfuscated Files or Information, Process Discovery, Remote Services: Remote Desktop Protocol, Resource Hijacking: Compute Hijacking, Video Capture
S0283 jRAT [1] Audio Capture, Boot or Logon Initialization Scripts: Startup Items, Clipboard Data, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: JavaScript, Credentials from Password Stores: Credentials from Web Browsers, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, Peripheral Device Discovery, Process Discovery, Proxy, Remote Services: Remote Desktop Protocol, Scheduled Transfer, Screen Capture, Software Discovery: Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Video Capture, Windows Management Instrumentation
S0198 NETWIRE [1][4] Application Layer Protocol: Web Protocols, Application Window Discovery, Archive Collected Data: Archive via Custom Method, Archive Collected Data, Automated Collection, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: XDG Autostart Entries, Boot or Logon Autostart Execution: Login Items, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Unix Shell, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Launch Agent, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, Masquerading: Invalid Code Signature, Modify Registry, Native API, Non-Application Layer Protocol, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, Obfuscated Files or Information: Fileless Storage, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Process Discovery, Process Injection, Process Injection: Process Hollowing, Proxy, Scheduled Task/Job: Cron, Scheduled Task/Job: Scheduled Task, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, User Execution: Malicious File, User Execution: Malicious Link, Web Service
S0385 njRAT [1][2] Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data from Local System, Dynamic Resolution: Fast Flux DNS, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Indicator Removal: File Deletion, Indicator Removal: Clear Persistence, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Standard Port, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Compile After Delivery, Peripheral Device Discovery, Process Discovery, Query Registry, Remote Services: Remote Desktop Protocol, Remote System Discovery, Replication Through Removable Media, Screen Capture, System Information Discovery, System Owner/User Discovery, Video Capture
S0379 Revenge RAT [1] Audio Capture, Boot or Logon Autostart Execution: Winlogon Helper DLL, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Data Encoding: Standard Encoding, Indirect Command Execution, Ingress Tool Transfer, Input Capture: Keylogging, OS Credential Dumping, Remote Services: Remote Desktop Protocol, Scheduled Task/Job: Scheduled Task, Screen Capture, System Binary Proxy Execution: Mshta, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Video Capture, Web Service: Bidirectional Communication
S1086 Snip3 [1][5] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Deobfuscate/Decode Files or Information, Drive-by Compromise, Hide Artifacts: Hidden Window, Ingress Tool Transfer, Multi-Stage Channels, Obfuscated Files or Information, Obfuscated Files or Information: Binary Padding, Phishing: Spearphishing Attachment, Phishing: Spearphishing Link, Process Injection: Process Hollowing, System Information Discovery, User Execution: Malicious File, User Execution: Malicious Link, Virtualization/Sandbox Evasion: Time Based Evasion, Virtualization/Sandbox Evasion: System Checks, Web Service, Windows Management Instrumentation
S0670 WarzoneRAT [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Event Triggered Execution: Component Object Model Hijacking, Exfiltration Over C2 Channel, File and Directory Discovery, Hide Artifacts, Hide Artifacts: Hidden Window, Impair Defenses: Disable or Modify Tools, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Application Layer Protocol, Phishing: Spearphishing Attachment, Process Discovery, Process Injection, Proxy, Remote Services: Remote Desktop Protocol, Remote Services: VNC, Rootkit, System Information Discovery, Template Injection, User Execution: Malicious File, Video Capture

References