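<!DOCTYPE html>
<html lang="en">
<head>
  <!-- charset comes first so the encoding is fixed before any other head content is parsed -->
  <meta charset="utf-8">
  <!-- Google Analytics (gtag.js). The third-party script carries no integrity attribute:
       gtag.js is served as a changing resource, so SRI cannot pin it and a CSP script-src
       allowlist is the usual control. The inline snippet below needs 'unsafe-inline' or a
       nonce under a CSP. -->
  <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script>
  <script>
    window.dataLayer = window.dataLayer || [];
    function gtag() { dataLayer.push(arguments); }
    gtag('js', new Date());
    gtag('config', 'UA-62667723-1');
  </script>
  <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ">
  <meta name="viewport" content="width=device-width, initial-scale=1,shrink-to-fit=no">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <link rel="shortcut icon" href="/versions/v16/theme/favicon.ico" type="image/x-icon">
  <title>TA2541, Group G1018 | MITRE ATT&CK®</title>
  <!-- USWDS CSS -->
  <!-- Bootstrap CSS -->
  <link rel="stylesheet" href="/versions/v16/theme/style/bootstrap.min.css">
  <link rel="stylesheet" href="/versions/v16/theme/style/bootstrap-tourist.css">
  <link rel="stylesheet" href="/versions/v16/theme/style/bootstrap-select.min.css">
  <!-- Fontawesome CSS -->
  <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/fontawesome.min.css">
  <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/brands.min.css">
  <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/solid.min.css">
  <link rel="stylesheet" href="/versions/v16/theme/style.min.css?6689c2db">
</head>
<body>
<div class="container-fluid attack-website-wrapper d-flex flex-column h-100">
  <div class="row sticky-top flex-grow-0 flex-shrink-1">
    <!-- header elements -->
    <header class="col px-0">
      <nav class="navbar navbar-expand-lg navbar-dark position-static">
        <!-- the logo is the only content of the home link, so its alt text names the destination -->
        <a class="navbar-brand" href="/versions/v16/"><img src="/versions/v16/theme/images/mitre_attack_logo.png" class="attack-logo" alt="MITRE ATT&CK home"></a>
        <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarCollapse" aria-controls="navbarCollapse" aria-expanded="false" aria-label="Toggle navigation">
          <span class="navbar-toggler-icon"></span>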
</button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" 
href="/versions/v16/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/versions/v16/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/versions/v16/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/groups">Groups</a> <a class="dropdown-item" href="/versions/v16/software">Software</a> <a class="dropdown-item" href="/versions/v16/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/resources/">Get Started</a> <a class="dropdown-item" href="/versions/v16/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/versions/v16/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v16/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/versions/v16/resources/faq/">FAQ</a> <a class="dropdown-item" href="/versions/v16/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a 
class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/versions/v16/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/versions/v16/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b> <img src="/versions/v16/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v16/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v16.1" target="_blank">ATT&CK v16.1</a> which is the current version of ATT&CK. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div class="container-fluid d-none"> Reminder: the TAXII 2.0 server will be <a href='https://medium.com/mitre-attack/introducing-taxii-2-1-and-a-fond-farewell-to-taxii-2-0-d9fca6ce4c58'>retiring on December 18</a>. Please switch to the <a href='https://github.com/mitre-attack/attack-workbench-taxii-server/blob/main/docs/USAGE.md'>TAXII 2.1 server</a> to ensure uninterrupted service. 
</div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v16/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v16/groups/">Groups</a></li> <li class="breadcrumb-item">TA2541</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> TA2541 </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p><a href="/versions/v16/groups/G1018">TA2541</a> is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. <a href="/versions/v16/groups/G1018">TA2541</a> campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. 
Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023."data-reference="Cisco Operation Layover September 2021"><sup><a href="https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div id="card-id" class="row card-data"> <div class="col-md-12"> <span class="h5 card-title">ID: </span>G1018 </div> </div> <div class="row card-data"> <div class="col-md-12"> <span class="h5 card-title">Contributors</span>: Pooja Natarajan, NEC Corporation India; Aaron Jornet </div> </div> <div class="row card-data"> <div class="col-md-12"> <span class="h5 card-title">Version</span>: 1.1 </div> </div> <div class="row card-data"> <div class="col-md-12"> <span class="h5 card-title">Created: </span>12 September 2023 </div> </div> <div class="row card-data"> <div class="col-md-12"> <span class="h5 card-title">Last Modified: </span>10 April 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of G1018" href="/versions/v16/groups/G1018/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of G1018" href="/groups/G1018/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> 
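</div> </div> <!--stop-indexing-for-search-->
<!-- ATT&CK Navigator layer menu: a download link for the layer JSON plus a "view" link that the
     inline script below points at the Navigator when this site is served over HTTPS. -->
<div class="dropdown h3 mt-3 float-right">
  <button class="btn btn-navy dropdown-toggle" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>ATT&CK<sup>®</sup> Navigator Layers</b> </button>
  <div class="dropdown-menu" aria-labelledby="dropdownMenuButton">
    <h6 class="dropdown-header">Enterprise Layer</h6>
    <!-- opens in a new tab: rel="noopener" keeps that tab from holding a reference to this window -->
    <a class="dropdown-item" href="/versions/v16/groups/G1018/G1018-enterprise-layer.json" download target="_blank" rel="noopener noreferrer">download</a>
    <!-- only show view on navigator link if layer link is defined -->
    <!-- href="#" is a placeholder: the script below either rewrites it to the cross-origin Navigator
         URL or hides the link. The destination is a third-party page, so it must not receive
         window.opener or this page's URL as a referrer. -->
    <a class="dropdown-item" href="#" id="view-layer-on-navigator-enterprise" target="_blank" rel="noopener noreferrer">view <img width="10" src="/versions/v16/theme/images/external-site-dark.jpeg" alt="External site"></a>
    <script src="/versions/v16/theme/scripts/settings.js"></script>
    <script>
      // `base_url` is expected to be defined by settings.js, loaded just above; it is not set on this page.
      // NOTE(review): this inline script would be blocked by a CSP without 'unsafe-inline' or a nonce.
      if (window.location.protocol === "https:") {
        // view on navigator only works when this site is hosted on HTTPS
        var layerURL = window.location.protocol + "//" + window.location.host + base_url + "groups/G1018/G1018-enterprise-layer.json";
        document.getElementById("view-layer-on-navigator-enterprise").href = "https://mitre-attack.github.io/attack-navigator//#layerURL=" + encodeURIComponent(layerURL);
      } else {
        // hide button
        document.getElementById("view-layer-on-navigator-enterprise").classList.add("d-none");
      }
    </script>
  </div>
</div>
<!--start-indexing-for-search-->
<h2 class="pt-3 mb-2" id="techniques">Techniques Used</h2>
<div class="tables-mobile">
  <table class="table techniques-used background table-bordered">
    <thead>
      <tr>
        <th class="p-2" scope="col">Domain</th>
        <!-- the ID header spans the technique and sub-technique columns -->
        <th class="p-2" colspan="2" scope="colgroup">ID</th>
        <th class="p-2" scope="col">Name</th>
        <th class="p-2" scope="col">Use</th>
      </tr>
    </thead>
    <tbody>
      <!-- NOTE(review): id="enterprise" is repeated on every row of this table; ids must be
           document-unique, so a class or data-* attribute should carry the domain instead -->
      <tr class="sub technique noparent enterprise" id="enterprise">
        <td> Enterprise </td>
        <td> <a href="/versions/v16/techniques/T1583">T1583</a> </td>
        <td> <a href="/versions/v16/techniques/T1583/001">.001</a> </td>
        <td> <a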
href="/versions/v16/techniques/T1583">Acquire Infrastructure</a>: <a href="/versions/v16/techniques/T1583/001">Domains</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has registered domains often containing the keywords "kimjoy," "h0pe," and "grace," using domain registrars including Netdorm and No-IP DDNS, and hosting providers including xTom GmbH and Danilenko, Artyom.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023."data-reference="Cisco Operation Layover September 2021"><sup><a href="https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1583/006">.006</a> </td> <td> <a href="/versions/v16/techniques/T1583">Acquire Infrastructure</a>: <a href="/versions/v16/techniques/T1583/006">Web Services</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has hosted malicious files on various platforms including Google Drive, OneDrive, Discord, PasteText, ShareText, and GitHub.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. 
Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1547">T1547</a> </td> <td> <a href="/versions/v16/techniques/T1547/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/001">Registry Run Keys / Startup Folder</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has placed VBS files in the Startup folder and used Registry run keys to establish persistence for malicious payloads.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1059">T1059</a> </td> <td> <a href="/versions/v16/techniques/T1059/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/001">PowerShell</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has used PowerShell to download files and to inject into various Windows processes.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. 
Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1059/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/005">Visual Basic</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has used VBS files to execute or establish persistence for additional payloads, often using file names consistent with email themes or mimicking system functionality.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. 
Retrieved September 15, 2023."data-reference="Cisco Operation Layover September 2021"><sup><a href="https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1568">T1568</a> </td> <td> <a href="/versions/v16/techniques/T1568">Dynamic Resolution</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has used dynamic DNS services for C2 infrastructure.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1573">T1573</a> </td> <td> <a href="/versions/v16/techniques/T1573/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v16/techniques/T1573/002">Asymmetric Cryptography</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has used TLS encrypted C2 communications including for campaigns using AsyncRAT.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. 
Retrieved September 15, 2023."data-reference="Cisco Operation Layover September 2021"><sup><a href="https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1562">T1562</a> </td> <td> <a href="/versions/v16/techniques/T1562/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1562">Impair Defenses</a>: <a href="/versions/v16/techniques/T1562/001">Disable or Modify Tools</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has attempted to disable built-in security protections such as Windows AMSI. <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1105">T1105</a> </td> <td> <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has used malicious scripts and macros with the ability to download additional payloads.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. 
Retrieved September 15, 2023."data-reference="Cisco Operation Layover September 2021"><sup><a href="https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1036">T1036</a> </td> <td> <a href="/versions/v16/techniques/T1036/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1036">Masquerading</a>: <a href="/versions/v16/techniques/T1036/005">Match Legitimate Name or Location</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has used file names to mimic legitimate Windows files or system functionality.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1027">T1027</a> </td> <td> <a href="/versions/v16/techniques/T1027/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v16/techniques/T1027/002">Software Packing</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has used a .NET packer to obfuscate malicious files.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. 
Retrieved September 15, 2023."data-reference="Cisco Operation Layover September 2021"><sup><a href="https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1027/013">.013</a> </td> <td> <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v16/techniques/T1027/013">Encrypted/Encoded File</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has used compressed and char-encoded scripts in operations.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023."data-reference="Cisco Operation Layover September 2021"><sup><a href="https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1588">T1588</a> </td> <td> <a href="/versions/v16/techniques/T1588/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1588">Obtain Capabilities</a>: <a href="/versions/v16/techniques/T1588/001">Malware</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has used multiple strains of malware available for purchase on criminal forums or in open-source repositories.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. 
Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1588/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1588">Obtain Capabilities</a>: <a href="/versions/v16/techniques/T1588/002">Tool</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has used commodity remote access tools.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023."data-reference="Cisco Operation Layover September 2021"><sup><a href="https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1566">T1566</a> </td> <td> <a href="/versions/v16/techniques/T1566/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1566">Phishing</a>: <a href="/versions/v16/techniques/T1566/001">Spearphishing Attachment</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has sent phishing emails with malicious attachments for initial access including MS Word documents.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. 
Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023."data-reference="Cisco Operation Layover September 2021"><sup><a href="https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1566/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1566">Phishing</a>: <a href="/versions/v16/techniques/T1566/002">Spearphishing Link</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has used spearphishing e-mails with malicious links to deliver malware. <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Jornet, A. (2021, December 23). Snip3, an investigation into malware. 
Retrieved September 19, 2023."data-reference="Telefonica Snip3 December 2021"><sup><a href="https://telefonicatech.com/blog/snip3-investigacion-malware" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1055">T1055</a> </td> <td> <a href="/versions/v16/techniques/T1055">Process Injection</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has injected malicious code into legitimate .NET related processes including regsvcs.exe, msbuild.exe, and installutil.exe.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023."data-reference="Cisco Operation Layover September 2021"><sup><a href="https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1055/012">.012</a> </td> <td> <a href="/versions/v16/techniques/T1055/012">Process Hollowing</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has used process hollowing to execute CyberGate malware.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Ventura, V. 
(2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023."data-reference="Cisco Operation Layover September 2021"><sup><a href="https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1053">T1053</a> </td> <td> <a href="/versions/v16/techniques/T1053/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v16/techniques/T1053/005">Scheduled Task</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has used scheduled tasks to establish persistence for installed tools.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1518">T1518</a> </td> <td> <a href="/versions/v16/techniques/T1518/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1518">Software Discovery</a>: <a href="/versions/v16/techniques/T1518/001">Security Software Discovery</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has used tools to search victim systems for security products such as antivirus and firewall software.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. 
Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1608">T1608</a> </td> <td> <a href="/versions/v16/techniques/T1608/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1608">Stage Capabilities</a>: <a href="/versions/v16/techniques/T1608/001">Upload Malware</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has uploaded malware to various platforms including Google Drive, Pastetext, Sharetext, and GitHub.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. 
Retrieved September 15, 2023."data-reference="Cisco Operation Layover September 2021"><sup><a href="https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1218">T1218</a> </td> <td> <a href="/versions/v16/techniques/T1218/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1218">System Binary Proxy Execution</a>: <a href="/versions/v16/techniques/T1218/005">Mshta</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has used <code>mshta</code> to execute scripts including VBS.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023."data-reference="Cisco Operation Layover September 2021"><sup><a href="https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1082">T1082</a> </td> <td> <a href="/versions/v16/techniques/T1082">System Information Discovery</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has collected system information prior to downloading malware on the targeted host.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. 
Retrieved September 12, 2023." data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1016">T1016</a> </td> <td> <a href="/versions/v16/techniques/T1016/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1016">System Network Configuration Discovery</a>: <a href="/versions/v16/techniques/T1016/001">Internet Connection Discovery</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has run scripts to check internet connectivity from compromised hosts.<span onclick="scrollToRef('scite-2')" id="scite-ref-2-a" class="scite-citeref-number" title="Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023." data-reference="Cisco Operation Layover September 2021"><sup><a href="https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1204">T1204</a> </td> <td> <a href="/versions/v16/techniques/T1204/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1204">User Execution</a>: <a href="/versions/v16/techniques/T1204/001">Malicious Link</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has used malicious links to cloud and web services to gain execution on victim machines.<span onclick="scrollToRef('scite-1')" id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. 
Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021."data-reference="FireEye NETWIRE March 2019"><sup><a href="https://www.mandiant.com/resources/blog/dissecting-netwire-phishing-campaigns-usage-process-hollowing" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1204/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1204">User Execution</a>: <a href="/versions/v16/techniques/T1204/002">Malicious File</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has used macro-enabled MS Word documents to lure victims into executing malicious payloads.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. 
Retrieved September 15, 2023."data-reference="Cisco Operation Layover September 2021"><sup><a href="https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023."data-reference="Telefonica Snip3 December 2021"><sup><a href="https://telefonicatech.com/blog/snip3-investigacion-malware" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1047">T1047</a> </td> <td> <a href="/versions/v16/techniques/T1047">Windows Management Instrumentation</a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has used WMI to query targeted systems for security products.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="software">Software</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">References</th> <th scope="col">Techniques</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v16/software/S0331">S0331</a> </td> <td> <a href="/versions/v16/software/S0331">Agent Tesla</a> </td> <td> <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. 
and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1087">Account Discovery</a>: <a href="/versions/v16/techniques/T1087/001">Local Account</a>, <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/003">Mail Protocols</a>, <a href="/versions/v16/techniques/T1560">Archive Collected Data</a>, <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v16/techniques/T1185">Browser Session Hijacking</a>, <a href="/versions/v16/techniques/T1115">Clipboard Data</a>, <a href="/versions/v16/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v16/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v16/techniques/T1555">Credentials from Password Stores</a>, <a href="/versions/v16/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/versions/v16/techniques/T1048">Exfiltration Over Alternative Protocol</a>: <a href="/versions/v16/techniques/T1048/003">Exfiltration Over Unencrypted Non-C2 Protocol</a>, <a href="/versions/v16/techniques/T1203">Exploitation for Client Execution</a>, <a href="/versions/v16/techniques/T1564">Hide Artifacts</a>: <a href="/versions/v16/techniques/T1564/003">Hidden Window</a>, <a href="/versions/v16/techniques/T1564">Hide Artifacts</a>: <a href="/versions/v16/techniques/T1564/001">Hidden Files and Directories</a>, <a href="/versions/v16/techniques/T1562">Impair 
Defenses</a>: <a href="/versions/v16/techniques/T1562/001">Disable or Modify Tools</a>, <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v16/techniques/T1056">Input Capture</a>: <a href="/versions/v16/techniques/T1056/001">Keylogging</a>, <a href="/versions/v16/techniques/T1112">Modify Registry</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v16/techniques/T1566">Phishing</a>: <a href="/versions/v16/techniques/T1566/001">Spearphishing Attachment</a>, <a href="/versions/v16/techniques/T1057">Process Discovery</a>, <a href="/versions/v16/techniques/T1055">Process Injection</a>, <a href="/versions/v16/techniques/T1055">Process Injection</a>: <a href="/versions/v16/techniques/T1055/012">Process Hollowing</a>, <a href="/versions/v16/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v16/techniques/T1053/005">Scheduled Task</a>, <a href="/versions/v16/techniques/T1113">Screen Capture</a>, <a href="/versions/v16/techniques/T1218">System Binary Proxy Execution</a>: <a href="/versions/v16/techniques/T1218/009">Regsvcs/Regasm</a>, <a href="/versions/v16/techniques/T1082">System Information Discovery</a>, <a href="/versions/v16/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v16/techniques/T1016">System Network Configuration Discovery</a>: <a href="/versions/v16/techniques/T1016/002">Wi-Fi Discovery</a>, <a href="/versions/v16/techniques/T1033">System Owner/User Discovery</a>, <a href="/versions/v16/techniques/T1124">System Time Discovery</a>, <a href="/versions/v16/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v16/techniques/T1552/001">Credentials In Files</a>, <a href="/versions/v16/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v16/techniques/T1552/002">Credentials in Registry</a>, <a href="/versions/v16/techniques/T1204">User Execution</a>: <a href="/versions/v16/techniques/T1204/002">Malicious File</a>, 
<a href="/versions/v16/techniques/T1125">Video Capture</a>, <a href="/versions/v16/techniques/T1497">Virtualization/Sandbox Evasion</a>, <a href="/versions/v16/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1087">S1087</a> </td> <td> <a href="/versions/v16/software/S1087">AsyncRAT</a> </td> <td> <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023."data-reference="Morphisec Snip3 May 2021"><sup><a href="https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023."data-reference="Cisco Operation Layover September 2021"><sup><a href="https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Jornet, A. (2021, December 23). Snip3, an investigation into malware. 
Retrieved September 19, 2023."data-reference="Telefonica Snip3 December 2021"><sup><a href="https://telefonicatech.com/blog/snip3-investigacion-malware" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1622">Debugger Evasion</a>, <a href="/versions/v16/techniques/T1568">Dynamic Resolution</a>, <a href="/versions/v16/techniques/T1564">Hide Artifacts</a>: <a href="/versions/v16/techniques/T1564/003">Hidden Window</a>, <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v16/techniques/T1056">Input Capture</a>: <a href="/versions/v16/techniques/T1056/001">Keylogging</a>, <a href="/versions/v16/techniques/T1106">Native API</a>, <a href="/versions/v16/techniques/T1057">Process Discovery</a>, <a href="/versions/v16/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v16/techniques/T1053/005">Scheduled Task</a>, <a href="/versions/v16/techniques/T1113">Screen Capture</a>, <a href="/versions/v16/techniques/T1082">System Information Discovery</a>, <a href="/versions/v16/techniques/T1033">System Owner/User Discovery</a>, <a href="/versions/v16/techniques/T1125">Video Capture</a>, <a href="/versions/v16/techniques/T1497">Virtualization/Sandbox Evasion</a>: <a href="/versions/v16/techniques/T1497/001">System Checks</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0434">S0434</a> </td> <td> <a href="/versions/v16/software/S0434">Imminent Monitor</a> </td> <td> <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. 
Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1123">Audio Capture</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>, <a href="/versions/v16/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v16/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v16/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/versions/v16/techniques/T1041">Exfiltration Over C2 Channel</a>, <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v16/techniques/T1564">Hide Artifacts</a>: <a href="/versions/v16/techniques/T1564/001">Hidden Files and Directories</a>, <a href="/versions/v16/techniques/T1562">Impair Defenses</a>: <a href="/versions/v16/techniques/T1562/001">Disable or Modify Tools</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/004">File Deletion</a>, <a href="/versions/v16/techniques/T1056">Input Capture</a>: <a href="/versions/v16/techniques/T1056/001">Keylogging</a>, <a href="/versions/v16/techniques/T1106">Native API</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v16/techniques/T1057">Process Discovery</a>, <a href="/versions/v16/techniques/T1021">Remote Services</a>: <a href="/versions/v16/techniques/T1021/001">Remote Desktop Protocol</a>, <a href="/versions/v16/techniques/T1496">Resource Hijacking</a>: <a href="/versions/v16/techniques/T1496/001">Compute Hijacking</a>, <a href="/versions/v16/techniques/T1125">Video Capture</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0283">S0283</a> </td> <td> <a href="/versions/v16/software/S0283">jRAT</a> </td> <td> <span 
onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1123">Audio Capture</a>, <a href="/versions/v16/techniques/T1037">Boot or Logon Initialization Scripts</a>: <a href="/versions/v16/techniques/T1037/005">Startup Items</a>, <a href="/versions/v16/techniques/T1115">Clipboard Data</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/005">Visual Basic</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/007">JavaScript</a>, <a href="/versions/v16/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v16/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/004">File Deletion</a>, <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v16/techniques/T1056">Input Capture</a>: <a href="/versions/v16/techniques/T1056/001">Keylogging</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v16/techniques/T1027/002">Software Packing</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v16/techniques/T1120">Peripheral Device Discovery</a>, <a 
href="/versions/v16/techniques/T1057">Process Discovery</a>, <a href="/versions/v16/techniques/T1090">Proxy</a>, <a href="/versions/v16/techniques/T1021">Remote Services</a>: <a href="/versions/v16/techniques/T1021/001">Remote Desktop Protocol</a>, <a href="/versions/v16/techniques/T1029">Scheduled Transfer</a>, <a href="/versions/v16/techniques/T1113">Screen Capture</a>, <a href="/versions/v16/techniques/T1518">Software Discovery</a>: <a href="/versions/v16/techniques/T1518/001">Security Software Discovery</a>, <a href="/versions/v16/techniques/T1082">System Information Discovery</a>, <a href="/versions/v16/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v16/techniques/T1049">System Network Connections Discovery</a>, <a href="/versions/v16/techniques/T1007">System Service Discovery</a>, <a href="/versions/v16/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v16/techniques/T1552/001">Credentials In Files</a>, <a href="/versions/v16/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v16/techniques/T1552/004">Private Keys</a>, <a href="/versions/v16/techniques/T1125">Video Capture</a>, <a href="/versions/v16/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0198">S0198</a> </td> <td> <a href="/versions/v16/software/S0198">NETWIRE</a> </td> <td> <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. 
Retrieved January 7, 2021."data-reference="FireEye NETWIRE March 2019"><sup><a href="https://www.mandiant.com/resources/blog/dissecting-netwire-phishing-campaigns-usage-process-hollowing" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v16/techniques/T1010">Application Window Discovery</a>, <a href="/versions/v16/techniques/T1560">Archive Collected Data</a>: <a href="/versions/v16/techniques/T1560/003">Archive via Custom Method</a>, <a href="/versions/v16/techniques/T1560">Archive Collected Data</a>, <a href="/versions/v16/techniques/T1119">Automated Collection</a>, <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/013">XDG Autostart Entries</a>, <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/015">Login Items</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/005">Visual Basic</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/001">PowerShell</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/004">Unix Shell</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v16/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v16/techniques/T1543/001">Launch Agent</a>, <a 
href="/versions/v16/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v16/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v16/techniques/T1555">Credentials from Password Stores</a>, <a href="/versions/v16/techniques/T1074">Data Staged</a>: <a href="/versions/v16/techniques/T1074/001">Local Data Staging</a>, <a href="/versions/v16/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v16/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/versions/v16/techniques/T1573">Encrypted Channel</a>, <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v16/techniques/T1564">Hide Artifacts</a>: <a href="/versions/v16/techniques/T1564/001">Hidden Files and Directories</a>, <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v16/techniques/T1056">Input Capture</a>: <a href="/versions/v16/techniques/T1056/001">Keylogging</a>, <a href="/versions/v16/techniques/T1036">Masquerading</a>: <a href="/versions/v16/techniques/T1036/005">Match Legitimate Name or Location</a>, <a href="/versions/v16/techniques/T1036">Masquerading</a>: <a href="/versions/v16/techniques/T1036/001">Invalid Code Signature</a>, <a href="/versions/v16/techniques/T1112">Modify Registry</a>, <a href="/versions/v16/techniques/T1106">Native API</a>, <a href="/versions/v16/techniques/T1095">Non-Application Layer Protocol</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v16/techniques/T1027/002">Software Packing</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v16/techniques/T1027/011">Fileless Storage</a>, <a href="/versions/v16/techniques/T1566">Phishing</a>: <a href="/versions/v16/techniques/T1566/002">Spearphishing Link</a>, <a href="/versions/v16/techniques/T1566">Phishing</a>: <a 
href="/versions/v16/techniques/T1566/001">Spearphishing Attachment</a>, <a href="/versions/v16/techniques/T1057">Process Discovery</a>, <a href="/versions/v16/techniques/T1055">Process Injection</a>, <a href="/versions/v16/techniques/T1055">Process Injection</a>: <a href="/versions/v16/techniques/T1055/012">Process Hollowing</a>, <a href="/versions/v16/techniques/T1090">Proxy</a>, <a href="/versions/v16/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v16/techniques/T1053/003">Cron</a>, <a href="/versions/v16/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v16/techniques/T1053/005">Scheduled Task</a>, <a href="/versions/v16/techniques/T1113">Screen Capture</a>, <a href="/versions/v16/techniques/T1082">System Information Discovery</a>, <a href="/versions/v16/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v16/techniques/T1049">System Network Connections Discovery</a>, <a href="/versions/v16/techniques/T1204">User Execution</a>: <a href="/versions/v16/techniques/T1204/002">Malicious File</a>, <a href="/versions/v16/techniques/T1204">User Execution</a>: <a href="/versions/v16/techniques/T1204/001">Malicious Link</a>, <a href="/versions/v16/techniques/T1102">Web Service</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0385">S0385</a> </td> <td> <a href="/versions/v16/software/S0385">njRAT</a> </td> <td> <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Ventura, V. (2021, September 16). 
Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023."data-reference="Cisco Operation Layover September 2021"><sup><a href="https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v16/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v16/techniques/T1010">Application Window Discovery</a>, <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/001">PowerShell</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v16/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v16/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v16/techniques/T1132">Data Encoding</a>: <a href="/versions/v16/techniques/T1132/001">Standard Encoding</a>, <a href="/versions/v16/techniques/T1005">Data from Local System</a>, <a href="/versions/v16/techniques/T1568">Dynamic Resolution</a>: <a href="/versions/v16/techniques/T1568/001">Fast Flux DNS</a>, <a href="/versions/v16/techniques/T1041">Exfiltration Over C2 Channel</a>, <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v16/techniques/T1562">Impair Defenses</a>: <a href="/versions/v16/techniques/T1562/004">Disable or Modify System Firewall</a>, <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/004">File Deletion</a>, <a href="/versions/v16/techniques/T1070">Indicator 
Removal</a>: <a href="/versions/v16/techniques/T1070/009">Clear Persistence</a>, <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v16/techniques/T1056">Input Capture</a>: <a href="/versions/v16/techniques/T1056/001">Keylogging</a>, <a href="/versions/v16/techniques/T1112">Modify Registry</a>, <a href="/versions/v16/techniques/T1106">Native API</a>, <a href="/versions/v16/techniques/T1571">Non-Standard Port</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v16/techniques/T1027/013">Encrypted/Encoded File</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v16/techniques/T1027/004">Compile After Delivery</a>, <a href="/versions/v16/techniques/T1120">Peripheral Device Discovery</a>, <a href="/versions/v16/techniques/T1057">Process Discovery</a>, <a href="/versions/v16/techniques/T1012">Query Registry</a>, <a href="/versions/v16/techniques/T1021">Remote Services</a>: <a href="/versions/v16/techniques/T1021/001">Remote Desktop Protocol</a>, <a href="/versions/v16/techniques/T1018">Remote System Discovery</a>, <a href="/versions/v16/techniques/T1091">Replication Through Removable Media</a>, <a href="/versions/v16/techniques/T1113">Screen Capture</a>, <a href="/versions/v16/techniques/T1082">System Information Discovery</a>, <a href="/versions/v16/techniques/T1033">System Owner/User Discovery</a>, <a href="/versions/v16/techniques/T1125">Video Capture</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0379">S0379</a> </td> <td> <a href="/versions/v16/software/S0379">Revenge RAT</a> </td> <td> <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. 
Retrieved September 12, 2023." data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" rel="noopener noreferrer" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1123">Audio Capture</a>, <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/004">Winlogon Helper DLL</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/001">PowerShell</a>, <a href="/versions/v16/techniques/T1132">Data Encoding</a>: <a href="/versions/v16/techniques/T1132/001">Standard Encoding</a>, <a href="/versions/v16/techniques/T1202">Indirect Command Execution</a>, <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v16/techniques/T1056">Input Capture</a>: <a href="/versions/v16/techniques/T1056/001">Keylogging</a>, <a href="/versions/v16/techniques/T1003">OS Credential Dumping</a>, <a href="/versions/v16/techniques/T1021">Remote Services</a>: <a href="/versions/v16/techniques/T1021/001">Remote Desktop Protocol</a>, <a href="/versions/v16/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v16/techniques/T1053/005">Scheduled Task</a>, <a href="/versions/v16/techniques/T1113">Screen Capture</a>, <a href="/versions/v16/techniques/T1218">System Binary Proxy Execution</a>: <a href="/versions/v16/techniques/T1218/005">Mshta</a>, <a href="/versions/v16/techniques/T1082">System Information Discovery</a>, <a href="/versions/v16/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v16/techniques/T1033">System Owner/User Discovery</a>, <a href="/versions/v16/techniques/T1125">Video Capture</a>, <a 
href="/versions/v16/techniques/T1102">Web Service</a>: <a href="/versions/v16/techniques/T1102/002">Bidirectional Communication</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1086">S1086</a> </td> <td> <a href="/versions/v16/software/S1086">Snip3</a> </td> <td> <span onclick="scrollToRef('scite-1')" id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023." data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" rel="noopener noreferrer" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick="scrollToRef('scite-5')" id="scite-ref-5-a" class="scite-citeref-number" title="Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023." data-reference="Morphisec Snip3 May 2021"><sup><a href="https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader" target="_blank" rel="noopener noreferrer" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/005">Visual Basic</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/001">PowerShell</a>, <a href="/versions/v16/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/versions/v16/techniques/T1189">Drive-by Compromise</a>, <a href="/versions/v16/techniques/T1564">Hide Artifacts</a>: <a href="/versions/v16/techniques/T1564/003">Hidden Window</a>, <a href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v16/techniques/T1104">Multi-Stage Channels</a>, <a 
href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v16/techniques/T1027/001">Binary Padding</a>, <a href="/versions/v16/techniques/T1566">Phishing</a>: <a href="/versions/v16/techniques/T1566/001">Spearphishing Attachment</a>, <a href="/versions/v16/techniques/T1566">Phishing</a>: <a href="/versions/v16/techniques/T1566/002">Spearphishing Link</a>, <a href="/versions/v16/techniques/T1055">Process Injection</a>: <a href="/versions/v16/techniques/T1055/012">Process Hollowing</a>, <a href="/versions/v16/techniques/T1082">System Information Discovery</a>, <a href="/versions/v16/techniques/T1204">User Execution</a>: <a href="/versions/v16/techniques/T1204/002">Malicious File</a>, <a href="/versions/v16/techniques/T1204">User Execution</a>: <a href="/versions/v16/techniques/T1204/001">Malicious Link</a>, <a href="/versions/v16/techniques/T1497">Virtualization/Sandbox Evasion</a>: <a href="/versions/v16/techniques/T1497/003">Time Based Evasion</a>, <a href="/versions/v16/techniques/T1497">Virtualization/Sandbox Evasion</a>: <a href="/versions/v16/techniques/T1497/001">System Checks</a>, <a href="/versions/v16/techniques/T1102">Web Service</a>, <a href="/versions/v16/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0670">S0670</a> </td> <td> <a href="/versions/v16/software/S0670">WarzoneRAT</a> </td> <td> <span onclick="scrollToRef('scite-1')" id="scite-ref-1-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. 
Retrieved September 12, 2023." data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" rel="noopener noreferrer" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/versions/v16/techniques/T1548">Abuse Elevation Control Mechanism</a>: <a href="/versions/v16/techniques/T1548/002">Bypass User Account Control</a>, <a href="/versions/v16/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v16/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/001">PowerShell</a>, <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v16/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v16/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v16/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v16/techniques/T1005">Data from Local System</a>, <a href="/versions/v16/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/versions/v16/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v16/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/versions/v16/techniques/T1546">Event Triggered Execution</a>: <a href="/versions/v16/techniques/T1546/015">Component Object Model Hijacking</a>, <a href="/versions/v16/techniques/T1041">Exfiltration Over C2 Channel</a>, <a href="/versions/v16/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v16/techniques/T1564">Hide Artifacts</a>, <a href="/versions/v16/techniques/T1564">Hide Artifacts</a>: <a href="/versions/v16/techniques/T1564/003">Hidden Window</a>, <a href="/versions/v16/techniques/T1562">Impair Defenses</a>: <a href="/versions/v16/techniques/T1562/001">Disable or Modify Tools</a>, <a 
href="/versions/v16/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v16/techniques/T1056">Input Capture</a>: <a href="/versions/v16/techniques/T1056/001">Keylogging</a>, <a href="/versions/v16/techniques/T1112">Modify Registry</a>, <a href="/versions/v16/techniques/T1106">Native API</a>, <a href="/versions/v16/techniques/T1095">Non-Application Layer Protocol</a>, <a href="/versions/v16/techniques/T1566">Phishing</a>: <a href="/versions/v16/techniques/T1566/001">Spearphishing Attachment</a>, <a href="/versions/v16/techniques/T1057">Process Discovery</a>, <a href="/versions/v16/techniques/T1055">Process Injection</a>, <a href="/versions/v16/techniques/T1090">Proxy</a>, <a href="/versions/v16/techniques/T1021">Remote Services</a>: <a href="/versions/v16/techniques/T1021/001">Remote Desktop Protocol</a>, <a href="/versions/v16/techniques/T1021">Remote Services</a>: <a href="/versions/v16/techniques/T1021/005">VNC</a>, <a href="/versions/v16/techniques/T1014">Rootkit</a>, <a href="/versions/v16/techniques/T1082">System Information Discovery</a>, <a href="/versions/v16/techniques/T1221">Template Injection</a>, <a href="/versions/v16/techniques/T1204">User Execution</a>: <a href="/versions/v16/techniques/T1204/002">Malicious File</a>, <a href="/versions/v16/techniques/T1125">Video Capture</a> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener noreferrer" class="external text" name="scite-1" href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank"> Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023. 
</a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener noreferrer" class="external text" name="scite-2" href="https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/" target="_blank"> Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener noreferrer" class="external text" name="scite-3" href="https://telefonicatech.com/blog/snip3-investigacion-malware" target="_blank"> Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="4"> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener noreferrer" class="external text" name="scite-4" href="https://www.mandiant.com/resources/blog/dissecting-netwire-phishing-campaigns-usage-process-hollowing" target="_blank"> Maniath, S. and Kadam, P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener noreferrer" class="external text" name="scite-5" href="https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader" target="_blank"> Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023. 
</a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div>