ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > Operation Layover

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Operation Layover

NamesOperation Layover (Talos)
CountryNigeria Nigeria
MotivationInformation theft and espionage
First seen2013
Description(Talos) Cisco Talos and other security researchers have recently reported on a series of malicious campaigns targeting the aviation industry. These reports mainly center around the crypter that hides the usage of commodity malicious remote access tools.

We decided this would be a good starting point to demonstrate how a researcher can pivot from the initial discovery of a RAT and eventually profile a threat actor. This post will show how we discovered previous campaigns targeting the aviation industry, which links back to an actor that's been active for approximately six years.

We believe the actor is based out of Nigeria with a high degree of confidence and doesn't seem to be technically sophisticated, using off-the-shelf malware since the beginning of its activities without developing its own malware. The actor also buys the crypters that allow the usage of such malware without being detected, throughout the years it has used several different cryptors, mostly bought on online forums.

We also believe with a high degree of confidence that the actor has been active for at least five years. For the last two, they've been targeting the aviation industry, while conducting other campaigns at the same time. Pivoting from an initial discovery is not an exact science — in this process, a researcher must assert a certain level of confidence in these associations.
Observed
Tools usedAsyncRAT, CyberGate RAT, njRAT.
Information<https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html>

Last change to this card: 02 November 2021

Download this actor card in PDF or JSON format

Previous: Operation Harvest
Next: Operation Manul

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key