
TA2541

TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. TA2541 campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)
ID: G1018
Associated Groups: 
Created: 12 Sep 2023
Last Modified: 10 Apr 2024

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1583.001 Acquire Infrastructure: Domains

TA2541 has registered domains often containing the keywords “kimjoy,” “h0pe,” and “grace,” using domain registrars including Netdorm and No-IP DDNS, and hosting providers including xTom GmbH and Danilenko, Artyom.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)

Enterprise T1583.006 Acquire Infrastructure: Web Services

TA2541 has hosted malicious files on various platforms including Google Drive, OneDrive, Discord, PasteText, ShareText, and GitHub.(Citation: Proofpoint TA2541 February 2022)

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

TA2541 has placed VBS files in the Startup folder and used Registry run keys to establish persistence for malicious payloads.(Citation: Proofpoint TA2541 February 2022)

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

TA2541 has used PowerShell to download files and to inject into various Windows processes.(Citation: Proofpoint TA2541 February 2022)

Enterprise T1059.005 Command and Scripting Interpreter: Visual Basic

TA2541 has used VBS files to execute or establish persistence for additional payloads, often using file names consistent with email themes or mimicking system functionality.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)

Enterprise T1573.002 Encrypted Channel: Asymmetric Cryptography

TA2541 has used TLS encrypted C2 communications including for campaigns using AsyncRAT.(Citation: Cisco Operation Layover September 2021)

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

TA2541 has attempted to disable built-in security protections such as Windows AMSI.(Citation: Proofpoint TA2541 February 2022)

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

TA2541 has used file names to mimic legitimate Windows files or system functionality.(Citation: Proofpoint TA2541 February 2022)

Enterprise T1027.002 Obfuscated Files or Information: Software Packing

TA2541 has used a .NET packer to obfuscate malicious files.(Citation: Cisco Operation Layover September 2021)

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

TA2541 has used compressed and char-encoded scripts in operations.(Citation: Cisco Operation Layover September 2021)

Enterprise T1588.001 Obtain Capabilities: Malware

TA2541 has used multiple strains of malware available for purchase on criminal forums or in open-source repositories.(Citation: Proofpoint TA2541 February 2022)

Enterprise T1588.002 Obtain Capabilities: Tool

TA2541 has used commodity remote access tools.(Citation: Cisco Operation Layover September 2021)

Enterprise T1566.001 Phishing: Spearphishing Attachment

TA2541 has sent phishing emails with malicious attachments for initial access including MS Word documents.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)

Enterprise T1566.002 Phishing: Spearphishing Link

TA2541 has used spearphishing e-mails with malicious links to deliver malware.(Citation: Proofpoint TA2541 February 2022)(Citation: Telefonica Snip3 December 2021)

Enterprise T1055.012 Process Injection: Process Hollowing

TA2541 has used process hollowing to execute CyberGate malware.(Citation: Cisco Operation Layover September 2021)

Enterprise T1053.005 Scheduled Task/Job: Scheduled Task

TA2541 has used scheduled tasks to establish persistence for installed tools.(Citation: Proofpoint TA2541 February 2022)

Enterprise T1518.001 Software Discovery: Security Software Discovery

TA2541 has used tools to search victim systems for security products such as antivirus and firewall software.(Citation: Proofpoint TA2541 February 2022)

Enterprise T1608.001 Stage Capabilities: Upload Malware

TA2541 has uploaded malware to various platforms including Google Drive, Pastetext, Sharetext, and GitHub.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)

Enterprise T1218.005 System Binary Proxy Execution: Mshta

TA2541 has used `mshta` to execute scripts including VBS.(Citation: Cisco Operation Layover September 2021)

Enterprise T1016.001 System Network Configuration Discovery: Internet Connection Discovery

TA2541 has run scripts to check internet connectivity from compromised hosts.(Citation: Cisco Operation Layover September 2021)

Enterprise T1204.001 User Execution: Malicious Link

TA2541 has used malicious links to cloud and web services to gain execution on victim machines.(Citation: Proofpoint TA2541 February 2022)(Citation: FireEye NETWIRE March 2019)

Enterprise T1204.002 User Execution: Malicious File

TA2541 has used macro-enabled MS Word documents to lure victims into executing malicious payloads.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)(Citation: Telefonica Snip3 December 2021)

Software

S0198 NETWIRE
References: (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017) (Citation: FireEye NETWIRE March 2019) (Citation: McAfee Netwire Mar 2015) (Citation: Proofpoint TA2541 February 2022)
Techniques: Proxy, Registry Run Keys / Startup Folder, Software Packing, Symmetric Cryptography, Archive via Custom Method, Malicious File, Malicious Link, Automated Collection, XDG Autostart Entries, Visual Basic, Obfuscated Files or Information, PowerShell, Process Injection, Cron, Fileless Storage, File and Directory Discovery, Process Discovery, Unix Shell, System Network Connections Discovery, Archive Collected Data, Credentials from Web Browsers, Spearphishing Link, Plist Modification, Credentials from Password Stores, Match Legitimate Name or Location, Web Service, Hidden Files and Directories, Application Window Discovery, Windows Command Shell, Invalid Code Signature, Keylogging, Native API, Scheduled Task, Screen Capture, Login Items, System Network Configuration Discovery, Web Protocols, Process Hollowing, Modify Registry, System Information Discovery, Spearphishing Attachment, Local Data Staging, Non-Application Layer Protocol, Encrypted Channel, Launch Agent, Ingress Tool Transfer

S1086 Snip3
References: (Citation: Morphisec Snip3 May 2021) (Citation: Proofpoint TA2541 February 2022) (Citation: Telefonica Snip3 December 2021)
Techniques: Deobfuscate/Decode Files or Information, Web Service, Visual Basic, Process Hollowing, Obfuscated Files or Information, Registry Run Keys / Startup Folder, Malicious File, System Information Discovery, Malicious Link, Spearphishing Attachment, Time Based Evasion, Windows Management Instrumentation, Multi-Stage Channels, Ingress Tool Transfer, Spearphishing Link, Drive-by Compromise, System Checks, Hidden Window, Binary Padding, PowerShell

S1087 AsyncRAT
References: (Citation: Cisco Operation Layover September 2021) (Citation: Morphisec Snip3 May 2021) (Citation: Proofpoint TA2541 February 2022) (Citation: Telefonica Snip3 December 2021)
Techniques: Debugger Evasion, Native API, System Information Discovery, System Owner/User Discovery, Dynamic Resolution, Hidden Window, System Checks, Video Capture, Ingress Tool Transfer, Process Discovery, Screen Capture, Keylogging, Scheduled Task

S0434 Imminent Monitor
References: (Citation: Imminent Unit42 Dec2019) (Citation: Proofpoint TA2541 February 2022)
Techniques: Native API, Credentials from Web Browsers, Deobfuscate/Decode Files or Information, Keylogging, File Deletion, Remote Desktop Protocol, Process Discovery, Command and Scripting Interpreter, Video Capture, Hidden Files and Directories, Compute Hijacking, Exfiltration Over C2 Channel, Audio Capture, Obfuscated Files or Information, File and Directory Discovery, Disable or Modify Tools

S0379 Revenge RAT
References: (Citation: Cofense RevengeRAT Feb 2019) (Citation: Cylance Shaheen Nov 2018) (Citation: Proofpoint TA2541 February 2022)
Techniques: System Owner/User Discovery, Keylogging, Ingress Tool Transfer, OS Credential Dumping, Video Capture, Remote Desktop Protocol, System Information Discovery, Standard Encoding, Uncommonly Used Port, Bidirectional Communication, System Network Configuration Discovery, Mshta, Winlogon Helper DLL, Audio Capture, Windows Command Shell, PowerShell, Indirect Command Execution, Screen Capture, Scheduled Task

S0385 njRAT
References: (Citation: Bladabindi) (Citation: Cisco Operation Layover September 2021) (Citation: Fidelis njRAT June 2013) (Citation: FireEye Njw0rm Aug 2013) (Citation: LV) (Citation: Njw0rm) (Citation: Proofpoint TA2541 February 2022) (Citation: Trend Micro njRAT 2018)
Techniques: System Information Discovery, Credentials from Web Browsers, Application Window Discovery, Ingress Tool Transfer, File and Directory Discovery, Query Registry, Peripheral Device Discovery, Video Capture, Screen Capture, Native API, Remote System Discovery, File Deletion, PowerShell, Disable or Modify System Firewall, Encrypted/Encoded File, Standard Encoding, Compile After Delivery, Non-Standard Port, Replication Through Removable Media, System Owner/User Discovery, Registry Run Keys / Startup Folder, Remote Desktop Protocol, Uncommonly Used Port, Custom Command and Control Protocol, Keylogging, Web Protocols, Clear Persistence, Modify Registry, Exfiltration Over C2 Channel, Process Discovery, Fast Flux DNS, Indicator Removal, Windows Command Shell, Data from Local System

S0331 Agent Tesla
References: (Citation: Bitdefender Agent Tesla April 2020) (Citation: DigiTrust Agent Tesla Jan 2017) (Citation: Fortinet Agent Tesla April 2018) (Citation: Malwarebytes Agent Tesla April 2020) (Citation: Proofpoint TA2541 February 2022) (Citation: Talos Agent Tesla Oct 2018)
Techniques: Process Injection, Virtualization/Sandbox Evasion, Clipboard Data, Spearphishing Attachment, Screen Capture, Local Account, Registry Run Keys / Startup Folder, Credentials In Files, Windows Management Instrumentation, Malicious File, Exploitation for Client Execution, System Network Configuration Discovery, Regsvcs/Regasm, System Time Discovery, System Owner/User Discovery, Ingress Tool Transfer, Process Discovery, Credentials from Web Browsers, Video Capture, Obfuscated Files or Information, Browser Session Hijacking, Web Protocols, Exfiltration Over Unencrypted Non-C2 Protocol, Hidden Window, Keylogging, Scheduled Task, Hidden Files and Directories, Deobfuscate/Decode Files or Information, Credentials from Password Stores, System Information Discovery, Disable or Modify Tools, Archive Collected Data, Mail Protocols, Modify Registry, Uncommonly Used Port, Process Hollowing, Credentials in Registry, Wi-Fi Discovery

S0283 jRAT
References: (Citation: Adwind) (Citation: AlienSpy) (Citation: Frutas) (Citation: jBiFrost) (Citation: jFrutas) (Citation: jRAT Symantec Aug 2018) (Citation: JSocket) (Citation: Kaspersky Adwind Feb 2016) (Citation: NCSC Joint Report Public Tools) (Citation: Proofpoint TA2541 February 2022) (Citation: Sockrat) (Citation: Trojan.Maljava) (Citation: Unrecom)
Techniques: Keylogging, Peripheral Device Discovery, Scheduled Transfer, Windows Management Instrumentation, Visual Basic, Video Capture, Windows Command Shell, System Service Discovery, File Deletion, System Information Discovery, Startup Items, Ingress Tool Transfer, Process Discovery, File and Directory Discovery, Remote Desktop Protocol, Credentials from Web Browsers, Software Packing, Security Software Discovery, Proxy, JavaScript, Clipboard Data, Credentials In Files, Audio Capture, Screen Capture, System Network Connections Discovery, Obfuscated Files or Information, System Network Configuration Discovery, Private Keys

S0670 WarzoneRAT
References: (Citation: Ave Maria) (Citation: Check Point Warzone Feb 2020) (Citation: Proofpoint TA2541 February 2022) (Citation: Uptycs Warzone UAC Bypass November 2020)
Techniques: Process Discovery, Keylogging, Registry Run Keys / Startup Folder, Malicious File, Exfiltration Over C2 Channel, Credentials from Web Browsers, Bypass User Account Control, Data from Local System, Ingress Tool Transfer, System Information Discovery, Proxy, Symmetric Cryptography, Remote Desktop Protocol, Modify Registry, Disable or Modify Tools, Component Object Model Hijacking, Hide Artifacts, Spearphishing Attachment, Deobfuscate/Decode Files or Information, PowerShell, Native API, Video Capture, Hidden Window, Process Injection, Windows Command Shell, VNC, Template Injection, Non-Application Layer Protocol, File and Directory Discovery, Rootkit
