
G1018 TA2541

TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. TA2541 campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.[1][2]

Item | Value
ID | G1018
Associated Names |
Version | 1.1
Created | 12 September 2023
Last Modified | 10 April 2024

Techniques Used

Domain | ID | Name | Use
enterprise | T1583 | Acquire Infrastructure | -
enterprise | T1583.001 | Domains | TA2541 has registered domains often containing the keywords "kimjoy," "h0pe," and "grace," using domain registrars including Netdorm and No-IP DDNS, and hosting providers including xTom GmbH and Danilenko, Artyom.[1][2]
enterprise | T1583.006 | Web Services | TA2541 has hosted malicious files on various platforms including Google Drive, OneDrive, Discord, PasteText, ShareText, and GitHub.[1]
enterprise | T1547 | Boot or Logon Autostart Execution | -
enterprise | T1547.001 | Registry Run Keys / Startup Folder | TA2541 has placed VBS files in the Startup folder and used Registry run keys to establish persistence for malicious payloads.[1]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.001 | PowerShell | TA2541 has used PowerShell to download files and to inject into various Windows processes.[1]
enterprise | T1059.005 | Visual Basic | TA2541 has used VBS files to execute or establish persistence for additional payloads, often using file names consistent with email themes or mimicking system functionality.[1][2]
enterprise | T1568 | Dynamic Resolution | TA2541 has used dynamic DNS services for C2 infrastructure.[1]
enterprise | T1573 | Encrypted Channel | -
enterprise | T1573.002 | Asymmetric Cryptography | TA2541 has used TLS encrypted C2 communications, including for campaigns using AsyncRAT.[2]
enterprise | T1562 | Impair Defenses | -
enterprise | T1562.001 | Disable or Modify Tools | TA2541 has attempted to disable built-in security protections such as Windows AMSI.[1]
enterprise | T1105 | Ingress Tool Transfer | TA2541 has used malicious scripts and macros with the ability to download additional payloads.[2]
enterprise | T1036 | Masquerading | -
enterprise | T1036.005 | Match Legitimate Resource Name or Location | TA2541 has used file names to mimic legitimate Windows files or system functionality.[1]
enterprise | T1027 | Obfuscated Files or Information | -
enterprise | T1027.002 | Software Packing | TA2541 has used a .NET packer to obfuscate malicious files.[2]
enterprise | T1027.013 | Encrypted/Encoded File | TA2541 has used compressed and char-encoded scripts in operations.[2]
enterprise | T1027.015 | Compression | TA2541 has used compressed and char-encoded scripts in operations.[2]
enterprise | T1588 | Obtain Capabilities | -
enterprise | T1588.001 | Malware | TA2541 has used multiple strains of malware available for purchase on criminal forums or in open-source repositories.[1]
enterprise | T1588.002 | Tool | TA2541 has used commodity remote access tools.[2]
enterprise | T1566 | Phishing | -
enterprise | T1566.001 | Spearphishing Attachment | TA2541 has sent phishing emails with malicious attachments, including MS Word documents, for initial access.[1][2]
enterprise | T1566.002 | Spearphishing Link | TA2541 has used spearphishing e-mails with malicious links to deliver malware.[1][4]
enterprise | T1055 | Process Injection | TA2541 has injected malicious code into legitimate .NET-related processes including regsvcs.exe, msbuild.exe, and installutil.exe.[1][2]
enterprise | T1055.012 | Process Hollowing | TA2541 has used process hollowing to execute CyberGate malware.[2]
enterprise | T1053 | Scheduled Task/Job | -
enterprise | T1053.005 | Scheduled Task | TA2541 has used scheduled tasks to establish persistence for installed tools.[1]
enterprise | T1518 | Software Discovery | -
enterprise | T1518.001 | Security Software Discovery | TA2541 has used tools to search victim systems for security products such as antivirus and firewall software.[1]
enterprise | T1608 | Stage Capabilities | -
enterprise | T1608.001 | Upload Malware | TA2541 has uploaded malware to various platforms including Google Drive, Pastetext, Sharetext, and GitHub.[1][2]
enterprise | T1218 | System Binary Proxy Execution | -
enterprise | T1218.005 | Mshta | TA2541 has used mshta to execute scripts including VBS.[2]
enterprise | T1082 | System Information Discovery | TA2541 has collected system information prior to downloading malware on the targeted host.[1]
enterprise | T1016 | System Network Configuration Discovery | -
enterprise | T1016.001 | Internet Connection Discovery | TA2541 has run scripts to check internet connectivity from compromised hosts.[2]
enterprise | T1204 | User Execution | -
enterprise | T1204.001 | Malicious Link | TA2541 has used malicious links to cloud and web services to gain execution on victim machines.[1][3]
enterprise | T1204.002 | Malicious File | TA2541 has used macro-enabled MS Word documents to lure victims into executing malicious payloads.[1][2][4]
enterprise | T1047 | Windows Management Instrumentation | TA2541 has used WMI to query targeted systems for security products.[1]

Software

ID | Name | References | Techniques
S0331 | Agent Tesla | [1] | Local Account:Account Discovery; Web Protocols:Application Layer Protocol; Mail Protocols:Application Layer Protocol; Archive Collected Data; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Browser Session Hijacking; Clipboard Data; Credentials from Web Browsers:Credentials from Password Stores; Credentials from Password Stores; Deobfuscate/Decode Files or Information; Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol; Exploitation for Client Execution; Hidden Window:Hide Artifacts; Hidden Files and Directories:Hide Artifacts; Disable or Modify Tools:Impair Defenses; Ingress Tool Transfer; Keylogging:Input Capture; Modify Registry; Obfuscated Files or Information; Spearphishing Attachment:Phishing; Process Discovery; Process Injection; Process Hollowing:Process Injection; Scheduled Task:Scheduled Task/Job; Screen Capture; Regsvcs/Regasm:System Binary Proxy Execution; System Information Discovery; System Network Configuration Discovery; Wi-Fi Discovery:System Network Configuration Discovery; System Owner/User Discovery; System Time Discovery; Credentials In Files:Unsecured Credentials; Credentials in Registry:Unsecured Credentials; Malicious File:User Execution; Video Capture; Virtualization/Sandbox Evasion; Windows Management Instrumentation
S1087 | AsyncRAT | [1][5][2][4] | Debugger Evasion; Dynamic Resolution; Hidden Window:Hide Artifacts; Ingress Tool Transfer; Keylogging:Input Capture; Local Storage Discovery; Native API; Process Discovery; Scheduled Task:Scheduled Task/Job; Screen Capture; System Owner/User Discovery; Video Capture; System Checks:Virtualization/Sandbox Evasion
S0434 | Imminent Monitor | [1] | Audio Capture; Command and Scripting Interpreter; Credentials from Web Browsers:Credentials from Password Stores; Deobfuscate/Decode Files or Information; Exfiltration Over C2 Channel; File and Directory Discovery; Hidden Files and Directories:Hide Artifacts; Disable or Modify Tools:Impair Defenses; File Deletion:Indicator Removal; Keylogging:Input Capture; Native API; Obfuscated Files or Information; Process Discovery; Remote Desktop Protocol:Remote Services; Compute Hijacking:Resource Hijacking; Video Capture
S0283 | jRAT | [1] | Audio Capture; Startup Items:Boot or Logon Initialization Scripts; Clipboard Data; Visual Basic:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; JavaScript:Command and Scripting Interpreter; Credentials from Web Browsers:Credentials from Password Stores; File and Directory Discovery; File Deletion:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Software Packing:Obfuscated Files or Information; Obfuscated Files or Information; Peripheral Device Discovery; Process Discovery; Proxy; Remote Desktop Protocol:Remote Services; Scheduled Transfer; Screen Capture; Security Software Discovery:Software Discovery; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Service Discovery; Credentials In Files:Unsecured Credentials; Private Keys:Unsecured Credentials; Video Capture; Windows Management Instrumentation
S0198 | NETWIRE | [1][3] | Web Protocols:Application Layer Protocol; Application Window Discovery; Archive via Custom Method:Archive Collected Data; Archive Collected Data; Automated Collection; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; XDG Autostart Entries:Boot or Logon Autostart Execution; Login Items:Boot or Logon Autostart Execution; Visual Basic:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Unix Shell:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Launch Agent:Create or Modify System Process; Credentials from Web Browsers:Credentials from Password Stores; Credentials from Password Stores; Local Data Staging:Data Staged; Symmetric Cryptography:Encrypted Channel; Encrypted Channel; File and Directory Discovery; Hidden Files and Directories:Hide Artifacts; Ingress Tool Transfer; Keylogging:Input Capture; Match Legitimate Resource Name or Location:Masquerading; Invalid Code Signature:Masquerading; Modify Registry; Native API; Non-Application Layer Protocol; Software Packing:Obfuscated Files or Information; Obfuscated Files or Information; Fileless Storage:Obfuscated Files or Information; Spearphishing Link:Phishing; Spearphishing Attachment:Phishing; Process Discovery; Process Injection; Process Hollowing:Process Injection; Proxy; Cron:Scheduled Task/Job; Scheduled Task:Scheduled Task/Job; Screen Capture; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; Malicious File:User Execution; Malicious Link:User Execution; Web Service
S0385 | njRAT | [1][2] | Web Protocols:Application Layer Protocol; Application Window Discovery; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; PowerShell:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Credentials from Web Browsers:Credentials from Password Stores; Standard Encoding:Data Encoding; Data from Local System; Fast Flux DNS:Dynamic Resolution; Exfiltration Over C2 Channel; File and Directory Discovery; Disable or Modify System Firewall:Impair Defenses; File Deletion:Indicator Removal; Clear Persistence:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Modify Registry; Native API; Non-Standard Port; Encrypted/Encoded File:Obfuscated Files or Information; Compile After Delivery:Obfuscated Files or Information; Peripheral Device Discovery; Process Discovery; Query Registry; Remote Desktop Protocol:Remote Services; Remote System Discovery; Replication Through Removable Media; Screen Capture; System Information Discovery; System Owner/User Discovery; Video Capture
S0379 | Revenge RAT | [1] | Audio Capture; Winlogon Helper DLL:Boot or Logon Autostart Execution; Windows Command Shell:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Standard Encoding:Data Encoding; Indirect Command Execution; Ingress Tool Transfer; Keylogging:Input Capture; OS Credential Dumping; Remote Desktop Protocol:Remote Services; Scheduled Task:Scheduled Task/Job; Screen Capture; Mshta:System Binary Proxy Execution; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery; Video Capture; Bidirectional Communication:Web Service
S1086 | Snip3 | [1][5] | Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Visual Basic:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Deobfuscate/Decode Files or Information; Drive-by Compromise; Hidden Window:Hide Artifacts; Ingress Tool Transfer; Multi-Stage Channels; Obfuscated Files or Information; Binary Padding:Obfuscated Files or Information; Spearphishing Attachment:Phishing; Spearphishing Link:Phishing; Process Hollowing:Process Injection; System Information Discovery; Malicious File:User Execution; Malicious Link:User Execution; Time Based Checks:Virtualization/Sandbox Evasion; System Checks:Virtualization/Sandbox Evasion; Web Service; Windows Management Instrumentation
S0670 | WarzoneRAT | [1] | Bypass User Account Control:Abuse Elevation Control Mechanism; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; PowerShell:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Credentials from Web Browsers:Credentials from Password Stores; Data from Local System; Deobfuscate/Decode Files or Information; Symmetric Cryptography:Encrypted Channel; Component Object Model Hijacking:Event Triggered Execution; Exfiltration Over C2 Channel; File and Directory Discovery; Hide Artifacts; Hidden Window:Hide Artifacts; Disable or Modify Tools:Impair Defenses; Ingress Tool Transfer; Keylogging:Input Capture; Modify Registry; Native API; Non-Application Layer Protocol; Spearphishing Attachment:Phishing; Process Discovery; Process Injection; Proxy; Remote Desktop Protocol:Remote Services; VNC:Remote Services; Rootkit; System Information Discovery; Template Injection; Malicious File:User Execution; Video Capture

References