Introduction
TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. TA2541 campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel. [2][3]
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1608.001 Upload Malware
- T1547.001 Registry Run Keys / Startup Folder
- T1573.002 Asymmetric Cryptography
- T1105 Ingress Tool Transfer
- T1568 Dynamic Resolution
- T1036.005 Match Legitimate Resource Name or Location
- T1518.001 Security Software Discovery
- T1053.005 Scheduled Task
- T1027.002 Software Packing
- T1082 System Information Discovery
- T1685 Disable or Modify Tools
- T1588.001 Malware
- T1218.005 Mshta
- T1588.002 Tool
- T1204.001 Malicious Link
- T1583.001 Domains
- T1055 Process Injection
- T1059.001 PowerShell
- T1027.013 Encrypted/Encoded File
- T1016.001 Internet Connection Discovery
- T1055.012 Process Hollowing
- T1047 Windows Management Instrumentation
- T1204.002 Malicious File
- T1059.005 Visual Basic
- T1566.002 Spearphishing Link
- T1027.015 Compression
- T1566.001 Spearphishing Attachment
- T1583.006 Web Services
Notable Indicators of Compromise (IOCs)
No atomic indicators are listed in this profile. The APTnotes snapshot indexes one public report that may contain IOCs; see Source Attribution for dataset links.
Malware and Tools
- SPACESHIP
- Trojan.Karagany
- RemoteCMD
- Trojan.Mebromi
- CyberGate
- Cyber Eye RAT
- Remote Utilities
- RemotePC
MITRE ATT&CK Software
- Snip3 (S1086) — malware
- Revenge RAT (S0379) — malware
- jRAT (S0283) — malware
- WarzoneRAT (S0670) — malware
- Imminent Monitor (S0434) — tool
- AsyncRAT (S1087) — tool
- NETWIRE (S0198) — malware
- Agent Tesla (S0331) — malware
- njRAT (S0385) — malware
Attribution and Evidence
Information pending cataloguing.
References
[1] mitre-attack
[2] Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Proofpoint. Retrieved September 12, 2023.
[3] Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Cisco. Retrieved September 15, 2023.