LazyScripter

LazyScripter is a threat group that has mainly targeted the airline industry since at least 2018, primarily using open-source toolsets.[1]

ID: G0140
Contributors: Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India; Hiroki Nagahama, NEC Corporation
Version: 1.0
Created: 24 November 2021
Last Modified: 15 April 2022

Techniques Used

Domain      ID         Name
Enterprise  T1583.001  Acquire Infrastructure: Domains
    Use: LazyScripter has used dynamic DNS providers to create legitimate-looking subdomains for C2.[1]

Enterprise  T1583.006  Acquire Infrastructure: Web Services
    Use: LazyScripter has established GitHub accounts to host its toolsets.[1]

Enterprise  T1071.004  Application Layer Protocol: DNS
    Use: LazyScripter has leveraged dynamic DNS providers for C2 communications.[1]

Enterprise  T1547.001  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    Use: LazyScripter has achieved persistence by writing a PowerShell script to the autorun registry key.[1]

Enterprise  T1059.001  Command and Scripting Interpreter: PowerShell
    Use: LazyScripter has used PowerShell scripts to execute malicious code.[1]

Enterprise  T1059.003  Command and Scripting Interpreter: Windows Command Shell
    Use: LazyScripter has used batch files to deploy open-source and multi-stage RATs.[1]

Enterprise  T1059.005  Command and Scripting Interpreter: Visual Basic
    Use: LazyScripter has used VBScript to execute malicious code.[1]

Enterprise  T1059.007  Command and Scripting Interpreter: JavaScript
    Use: LazyScripter has used JavaScript in its attacks.[1]

Enterprise  T1105      Ingress Tool Transfer
    Use: LazyScripter has downloaded additional tools to a compromised host.[1]

Enterprise  T1036      Masquerading
    Use: LazyScripter has used several different security software icons to disguise executables.[1]

Enterprise  T1027      Obfuscated Files or Information
    Use: LazyScripter has leveraged the BatchEncryption tool to perform advanced batch obfuscation and encoding techniques.[1]

Enterprise  T1588.001  Obtain Capabilities: Malware
    Use: LazyScripter has used a variety of open-source remote access Trojans for its operations.[1]

Enterprise  T1566.001  Phishing: Spearphishing Attachment
    Use: LazyScripter has used spam emails weaponized with archive or document files as its initial infection vector.[1]

Enterprise  T1566.002  Phishing: Spearphishing Link
    Use: LazyScripter has used spam emails containing a link that redirects the victim to download a malicious document.[1]

Enterprise  T1608.001  Stage Capabilities: Upload Malware
    Use: LazyScripter has hosted the open-source remote access Trojans used in its operations on GitHub.[1]

Enterprise  T1218.005  System Binary Proxy Execution: Mshta
    Use: LazyScripter has used mshta.exe to execute Koadic stagers.[1]

Enterprise  T1218.011  System Binary Proxy Execution: Rundll32
    Use: LazyScripter has used rundll32.exe to execute Koadic stagers.[1]

Enterprise  T1204.001  User Execution: Malicious Link
    Use: LazyScripter has relied upon users clicking on links to malicious files.[1]

Enterprise  T1204.002  User Execution: Malicious File
    Use: LazyScripter has lured users into opening malicious email attachments.[1]

Enterprise  T1102      Web Service
    Use: LazyScripter has used GitHub to host the payloads for its spam campaigns.[1]

Software

ID     Name       References
S0363  Empire     [1]
    Techniques: Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation, Access Token Manipulation: SID-History Injection, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Bookmark Discovery, Clipboard Data, Command and Scripting Interpreter, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Commonly Used Port, Create Account: Domain Account, Create Account: Local Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exfiltration Over Web Service: Exfiltration to Code Repository, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Dylib Hijacking, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Credential API Hooking, Input Capture: Keylogging, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Private Keys, Unsecured Credentials: Credentials In Files, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation

S0250  Koadic     [1]
    Techniques: Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Data from Local System, Encrypted Channel: Asymmetric Cryptography, File and Directory Discovery, Hide Artifacts: Hidden Window, Ingress Tool Transfer, Network Service Discovery, Network Share Discovery, OS Credential Dumping: Security Account Manager, OS Credential Dumping: NTDS, Process Injection: Dynamic-link Library Injection, Remote Services: Remote Desktop Protocol, Scheduled Task/Job: Scheduled Task, System Binary Proxy Execution: Rundll32, System Binary Proxy Execution: Regsvr32, System Binary Proxy Execution: Mshta, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Services: Service Execution, Windows Management Instrumentation

S0669  KOCTOPUS   [1]
    Techniques: Abuse Elevation Control Mechanism: Bypass User Account Control, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Deobfuscate/Decode Files or Information, Hide Artifacts: Hidden Window, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Modify Registry, Native API, Obfuscated Files or Information, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Proxy, System Information Discovery, User Execution: Malicious Link, User Execution: Malicious File

S0508  Ngrok      [1]
    Techniques: Dynamic Resolution: Domain Generation Algorithms, Exfiltration Over Web Service, Protocol Tunneling, Proxy, Web Service

S0385  njRAT      [1]
    Techniques: Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data from Local System, Dynamic Resolution: Fast Flux DNS, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Indicator Removal on Host: File Deletion, Indicator Removal on Host, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Standard Port, Obfuscated Files or Information, Obfuscated Files or Information: Compile After Delivery, Peripheral Device Discovery, Process Discovery, Query Registry, Remote Services: Remote Desktop Protocol, Remote System Discovery, Replication Through Removable Media, Screen Capture, System Information Discovery, System Owner/User Discovery, Video Capture

S0262  QuasarRAT  [1]
    Techniques: Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Proxy, Remote Services: Remote Desktop Protocol, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing, System Information Discovery, Unsecured Credentials: Credentials In Files, Video Capture

S0332  Remcos     [1]
    Techniques: Abuse Elevation Control Mechanism: Bypass User Account Control, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Python, File and Directory Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection, Proxy, Screen Capture, Video Capture, Virtualization/Sandbox Evasion: System Checks

References