TA2541 | APT Profile

Description

[TA2541](https://attack.mitre.org/groups/G1018) is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. [TA2541](https://attack.mitre.org/groups/G1018) campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)

Techniques Used (TTPs)

T1608.001 — Upload Malware (resource-development)
T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
T1573.002 — Asymmetric Cryptography (command-and-control)
T1562.001 — Disable or Modify Tools (defense-evasion)
T1105 — Ingress Tool Transfer (command-and-control)
T1568 — Dynamic Resolution (command-and-control)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1518.001 — Security Software Discovery (discovery)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1027.002 — Software Packing (defense-evasion)
T1082 — System Information Discovery (discovery)
T1588.001 — Malware (resource-development)
T1218.005 — Mshta (defense-evasion)
T1588.002 — Tool (resource-development)
T1204.001 — Malicious Link (execution)
T1583.001 — Domains (resource-development)
T1055 — Process Injection (defense-evasion, privilege-escalation)
T1059.001 — PowerShell (execution)
T1027.013 — Encrypted/Encoded File (defense-evasion)
T1016.001 — Internet Connection Discovery (discovery)
T1055.012 — Process Hollowing (defense-evasion, privilege-escalation)
T1047 — Windows Management Instrumentation (execution)
T1204.002 — Malicious File (execution)
T1059.005 — Visual Basic (execution)
T1566.002 — Spearphishing Link (initial-access)
T1027.015 — Compression (defense-evasion)
T1566.001 — Spearphishing Attachment (initial-access)
T1583.006 — Web Services (resource-development)

Total TTPs: 28

Malware & Tools

Malware: Agent Tesla, NETWIRE, Revenge RAT, Snip3, WarzoneRAT, jRAT, njRAT

Tools: AsyncRAT, Imminent Monitor

← Return to Home ← Back to APT Search