
TA2541

TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. TA2541 campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)
ID: G1018
Associated Groups: 
Version: 1.1
Created: 12 Sep 2023
Last Modified: 10 Apr 2024


Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

TA2541 has registered domains often containing the keywords “kimjoy,” “h0pe,” and “grace,” using domain registrars including Netdorm and No-IP DDNS, and hosting providers including xTom GmbH and Danilenko, Artyom.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)

Enterprise T1583 .006 Acquire Infrastructure: Web Services

TA2541 has hosted malicious files on various platforms including Google Drive, OneDrive, Discord, PasteText, ShareText, and GitHub.(Citation: Proofpoint TA2541 February 2022)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

TA2541 has placed VBS files in the Startup folder and used Registry run keys to establish persistence for malicious payloads.(Citation: Proofpoint TA2541 February 2022)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

TA2541 has used PowerShell to download files and to inject into various Windows processes.(Citation: Proofpoint TA2541 February 2022)

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

TA2541 has used VBS files to execute or establish persistence for additional payloads, often using file names consistent with email themes or mimicking system functionality.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

TA2541 has used TLS encrypted C2 communications including for campaigns using AsyncRAT.(Citation: Cisco Operation Layover September 2021)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

TA2541 has attempted to disable built-in security protections such as Windows AMSI.(Citation: Proofpoint TA2541 February 2022)

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

TA2541 has used file names to mimic legitimate Windows files or system functionality.(Citation: Proofpoint TA2541 February 2022)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

TA2541 has used a .NET packer to obfuscate malicious files.(Citation: Cisco Operation Layover September 2021)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

TA2541 has used compressed and char-encoded scripts in operations.(Citation: Cisco Operation Layover September 2021)

Enterprise T1027 .015 Obfuscated Files or Information: Compression

TA2541 has used compressed and char-encoded scripts in operations.(Citation: Cisco Operation Layover September 2021)

Enterprise T1588 .001 Obtain Capabilities: Malware

TA2541 has used multiple strains of malware available for purchase on criminal forums or in open-source repositories.(Citation: Proofpoint TA2541 February 2022)

Enterprise T1588 .002 Obtain Capabilities: Tool

TA2541 has used commodity remote access tools.(Citation: Cisco Operation Layover September 2021)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

TA2541 has sent phishing emails with malicious attachments for initial access including MS Word documents.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)

Enterprise T1566 .002 Phishing: Spearphishing Link

TA2541 has used spearphishing e-mails with malicious links to deliver malware.(Citation: Proofpoint TA2541 February 2022)(Citation: Telefonica Snip3 December 2021)

Enterprise T1055 .012 Process Injection: Process Hollowing

TA2541 has used process hollowing to execute CyberGate malware.(Citation: Cisco Operation Layover September 2021)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

TA2541 has used scheduled tasks to establish persistence for installed tools.(Citation: Proofpoint TA2541 February 2022)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

TA2541 has used tools to search victim systems for security products such as antivirus and firewall software.(Citation: Proofpoint TA2541 February 2022)

Enterprise T1608 .001 Stage Capabilities: Upload Malware

TA2541 has uploaded malware to various platforms including Google Drive, Pastetext, Sharetext, and GitHub.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

TA2541 has used `mshta` to execute scripts including VBS.(Citation: Cisco Operation Layover September 2021)

Enterprise T1016 .001 System Network Configuration Discovery: Internet Connection Discovery

TA2541 has run scripts to check internet connectivity from compromised hosts.(Citation: Cisco Operation Layover September 2021)

Enterprise T1204 .001 User Execution: Malicious Link

TA2541 has used malicious links to cloud and web services to gain execution on victim machines.(Citation: Proofpoint TA2541 February 2022)(Citation: FireEye NETWIRE March 2019)

Enterprise T1204 .002 User Execution: Malicious File

TA2541 has used macro-enabled MS Word documents to lure victims into executing malicious payloads.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)(Citation: Telefonica Snip3 December 2021)

Software

ID Name References Techniques
S0198 NETWIRE (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017) (Citation: FireEye NETWIRE March 2019) (Citation: McAfee Netwire Mar 2015) (Citation: Proofpoint TA2541 February 2022) Scheduled Task, Screen Capture, Fileless Storage, Keylogging, Archive via Custom Method, Local Data Staging, Match Legitimate Resource Name or Location, Malicious File, Symmetric Cryptography, Cron, Spearphishing Link, Spearphishing Attachment, Automated Collection, System Information Discovery, Native API, Credentials from Password Stores, Process Injection, Application Window Discovery, Archive Collected Data, Modify Registry, Credentials from Web Browsers, Plist Modification, System Network Configuration Discovery, Proxy, File and Directory Discovery, System Network Connections Discovery, Web Service, Login Items, Process Discovery, PowerShell, Registry Run Keys / Startup Folder, Unix Shell, Process Hollowing, Obfuscated Files or Information, Invalid Code Signature, Encrypted Channel, Non-Application Layer Protocol, Launch Agent, Windows Command Shell, Software Packing, Web Protocols, Visual Basic, XDG Autostart Entries, Ingress Tool Transfer, Hidden Files and Directories, Malicious Link
S1086 Snip3 (Citation: Morphisec Snip3 May 2021) (Citation: Proofpoint TA2541 February 2022) (Citation: Telefonica Snip3 December 2021) Windows Management Instrumentation, Malicious File, System Checks, Spearphishing Link, Spearphishing Attachment, System Information Discovery, Deobfuscate/Decode Files or Information, Time Based Evasion, Binary Padding, Web Service, Multi-Stage Channels, PowerShell, Registry Run Keys / Startup Folder, Process Hollowing, Obfuscated Files or Information, Hidden Window, Drive-by Compromise, Visual Basic, Ingress Tool Transfer, Malicious Link
S1087 AsyncRAT (Citation: Cisco Operation Layover September 2021) (Citation: Morphisec Snip3 May 2021) (Citation: Proofpoint TA2541 February 2022) (Citation: Telefonica Snip3 December 2021) Scheduled Task, Screen Capture, System Owner/User Discovery, Keylogging, System Checks, System Information Discovery, Native API, Video Capture, Dynamic Resolution, Process Discovery, Hidden Window, Debugger Evasion, Ingress Tool Transfer
S0434 Imminent Monitor (Citation: Imminent Unit42 Dec2019) (Citation: Proofpoint TA2541 February 2022) Keylogging, Audio Capture, Native API, Deobfuscate/Decode Files or Information, Credentials from Web Browsers, Video Capture, Command and Scripting Interpreter, File and Directory Discovery, Process Discovery, Exfiltration Over C2 Channel, Compute Hijacking, Disable or Modify Tools, Obfuscated Files or Information, File Deletion, Remote Desktop Protocol, Hidden Files and Directories
S0379 Revenge RAT (Citation: Cofense RevengeRAT Feb 2019) (Citation: Cylance Shaheen Nov 2018) (Citation: Proofpoint TA2541 February 2022) Scheduled Task, Screen Capture, System Owner/User Discovery, Standard Encoding, Keylogging, OS Credential Dumping, Audio Capture, System Information Discovery, Indirect Command Execution, Winlogon Helper DLL, Video Capture, System Network Configuration Discovery, Mshta, PowerShell, Bidirectional Communication, Uncommonly Used Port, Windows Command Shell, Ingress Tool Transfer, Remote Desktop Protocol
S0385 njRAT (Citation: Bladabindi) (Citation: Cisco Operation Layover September 2021) (Citation: Fidelis njRAT June 2013) (Citation: FireEye Njw0rm Aug 2013) (Citation: LV) (Citation: Njw0rm) (Citation: Proofpoint TA2541 February 2022) (Citation: Trend Micro njRAT 2018) Screen Capture, System Owner/User Discovery, Standard Encoding, Keylogging, Encrypted/Encoded File, Fast Flux DNS, Peripheral Device Discovery, System Information Discovery, Native API, Replication Through Removable Media, Data from Local System, Application Window Discovery, Disable or Modify System Firewall, Modify Registry, Credentials from Web Browsers, Video Capture, Indicator Removal, File and Directory Discovery, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Registry Run Keys / Startup Folder, Non-Standard Port, Query Registry, Compile After Delivery, Uncommonly Used Port, Windows Command Shell, Clear Persistence, File Deletion, Web Protocols, Remote System Discovery, Ingress Tool Transfer, Remote Desktop Protocol, Custom Command and Control Protocol
S0331 Agent Tesla (Citation: Bitdefender Agent Tesla April 2020) (Citation: DigiTrust Agent Tesla Jan 2017) (Citation: Fortinet Agent Tesla April 2018) (Citation: Malwarebytes Agent Tesla April 2020) (Citation: Proofpoint TA2541 February 2022) (Citation: Talos Agent Tesla Oct 2018) Scheduled Task, Windows Management Instrumentation, Screen Capture, System Owner/User Discovery, Keylogging, Malicious File, Local Account, Spearphishing Attachment, Clipboard Data, Credentials in Registry, System Information Discovery, Deobfuscate/Decode Files or Information, Credentials from Password Stores, Process Injection, Wi-Fi Discovery, Archive Collected Data, Browser Session Hijacking, Mail Protocols, Modify Registry, Credentials from Web Browsers, Video Capture, System Network Configuration Discovery, Virtualization/Sandbox Evasion, Credentials In Files, Process Discovery, Registry Run Keys / Startup Folder, Disable or Modify Tools, Process Hollowing, Obfuscated Files or Information, Exploitation for Client Execution, Regsvcs/Regasm, Uncommonly Used Port, Hidden Window, Web Protocols, Ingress Tool Transfer, Hidden Files and Directories, System Time Discovery, Exfiltration Over Unencrypted Non-C2 Protocol
S0283 jRAT (Citation: Adwind) (Citation: AlienSpy) (Citation: Frutas) (Citation: JSocket) (Citation: Kaspersky Adwind Feb 2016) (Citation: NCSC Joint Report Public Tools) (Citation: Proofpoint TA2541 February 2022) (Citation: Sockrat) (Citation: Trojan.Maljava) (Citation: Unrecom) (Citation: jBiFrost) (Citation: jFrutas) (Citation: jRAT Symantec Aug 2018) Windows Management Instrumentation, Screen Capture, Keylogging, JavaScript, Audio Capture, Clipboard Data, System Service Discovery, Peripheral Device Discovery, System Information Discovery, Scheduled Transfer, Credentials from Web Browsers, Private Keys, Video Capture, System Network Configuration Discovery, Proxy, File and Directory Discovery, System Network Connections Discovery, Credentials In Files, Process Discovery, Obfuscated Files or Information, Startup Items, Security Software Discovery, Windows Command Shell, File Deletion, Software Packing, Visual Basic, Ingress Tool Transfer, Remote Desktop Protocol
S0670 WarzoneRAT (Citation: Ave Maria) (Citation: Check Point Warzone Feb 2020) (Citation: Proofpoint TA2541 February 2022) (Citation: Uptycs Warzone UAC Bypass November 2020) VNC, Keylogging, Rootkit, Bypass User Account Control, Hide Artifacts, Malicious File, Symmetric Cryptography, Spearphishing Attachment, System Information Discovery, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Modify Registry, Credentials from Web Browsers, Video Capture, Proxy, File and Directory Discovery, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Registry Run Keys / Startup Folder, Disable or Modify Tools, Component Object Model Hijacking, Non-Application Layer Protocol, Hidden Window, Windows Command Shell, Template Injection, Ingress Tool Transfer, Remote Desktop Protocol
