LazyScripter

LazyScripter is a threat group that has mainly targeted the airline industry since at least 2018, primarily using open-source toolsets.[1]

ID: G0140
Contributors: Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India; Hiroki Nagahama, NEC Corporation
Version: 1.1
Created: 24 November 2021
Last Modified: 22 March 2023

Techniques Used

Domain ID Name Use
Enterprise T1036 Masquerading

LazyScripter has used several different security software icons to disguise executables.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

LazyScripter has achieved persistence via writing a PowerShell script to the autorun registry key.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

LazyScripter has used PowerShell scripts to execute malicious code.[1]

.003 Command and Scripting Interpreter: Windows Command Shell

LazyScripter has used batch files to deploy open-source and multi-stage RATs.[1]

.005 Command and Scripting Interpreter: Visual Basic

LazyScripter has used VBScript to execute malicious code.[1]

.007 Command and Scripting Interpreter: JavaScript

LazyScripter has used JavaScript in its attacks.[1]

Enterprise T1071 .004 Application Layer Protocol: DNS

LazyScripter has leveraged dynamic DNS providers for C2 communications.[1]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

LazyScripter has hosted open-source remote access Trojans used in its operations on GitHub.[1]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

LazyScripter has leveraged the BatchEncryption tool to perform advanced batch script obfuscation and encoding techniques.[1]

Enterprise T1204 .001 User Execution: Malicious Link

LazyScripter has relied upon users clicking on links to malicious files.[1]

.002 User Execution: Malicious File

LazyScripter has lured users to open malicious email attachments.[1]

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

LazyScripter has used mshta.exe to execute Koadic stagers.[1]

.011 System Binary Proxy Execution: Rundll32

LazyScripter has used rundll32.exe to execute Koadic stagers.[1]

Enterprise T1102 Web Service

LazyScripter has used GitHub to host its payloads to operate spam campaigns.[1]

Enterprise T1583 .001 Acquire Infrastructure: Domains

LazyScripter has used dynamic DNS providers to create legitimate-looking subdomains for C2.[1]

.006 Acquire Infrastructure: Web Services

LazyScripter has established GitHub accounts to host its toolsets.[1]

Enterprise T1588 .001 Obtain Capabilities: Malware

LazyScripter has used a variety of open-source remote access Trojans for its operations.[1]

Enterprise T1105 Ingress Tool Transfer

LazyScripter has downloaded additional tools to a compromised host.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

LazyScripter has used spam emails weaponized with archive or document files as its initial infection vector.[1]

.002 Phishing: Spearphishing Link

LazyScripter has used spam emails that contain a link that redirects the victim to download a malicious document.[1]

Software

ID Name References Techniques
S0363 Empire [1] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Event Triggered Execution: Accessibility Features, Credentials from Password Stores: Credentials from Web Browsers, Use Alternate Authentication Material: Pass the Hash, Create or Modify System Process: Windows Service, Create Account: Local Account, Create Account: Domain Account, Clipboard Data, Encrypted Channel: Asymmetric Cryptography, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL Search Order Hijacking, Trusted Developer Utilities Proxy Execution: MSBuild, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Domain Trust Discovery, Domain or Tenant Policy Modification: Group Policy Modification, Screen Capture, Application Layer Protocol: Web Protocols, Archive Collected Data, OS Credential Dumping: LSASS Memory, File and Directory Discovery, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Native API, Exploitation for Privilege Escalation, Browser Information Discovery, Obfuscated Files or Information: Command Obfuscation, Abuse Elevation Control Mechanism: Bypass User Account Control, Email Collection: Local Email Collection, Indicator Removal: Timestomp, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Owner/User Discovery, System Services: Service Execution, System Network Connections Discovery, System Network Configuration Discovery, Group Policy Discovery, Network Share Discovery, Network Sniffing, Web Service: Bidirectional Communication, Network Service Discovery, Automated Collection, Automated Exfiltration, Video Capture, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Exploitation of Remote Services, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Scheduled Task/Job: Scheduled Task
S0250 Koadic [1] Windows Management Instrumentation, Data from Local System, Clipboard Data, Encrypted Channel: Asymmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, OS Credential Dumping: Security Account Manager, OS Credential Dumping: NTDS, File and Directory Discovery, Abuse Elevation Control Mechanism: Bypass User Account Control, System Binary Proxy Execution: Mshta, System Binary Proxy Execution: Regsvr32, System Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, System Services: Service Execution, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Ingress Tool Transfer, Process Injection: Dynamic-link Library Injection, Remote Services: Remote Desktop Protocol, Hide Artifacts: Hidden Window, Scheduled Task/Job: Scheduled Task
S0669 KOCTOPUS [1] Proxy, Masquerading: Match Legitimate Name or Location, Modify Registry, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Impair Defenses: Disable or Modify Tools, Native API, Obfuscated Files or Information: Command Obfuscation, Abuse Elevation Control Mechanism: Bypass User Account Control, User Execution: Malicious File, User Execution: Malicious Link, Indicator Removal: Clear Persistence, System Information Discovery, Ingress Tool Transfer, Phishing: Spearphishing Attachment, Phishing: Spearphishing Link, Hide Artifacts: Hidden Window
S0508 ngrok [1] Proxy, Dynamic Resolution: Domain Generation Algorithms, Protocol Tunneling, Web Service, Exfiltration Over Web Service
S0385 njRAT [1] Credentials from Password Stores: Credentials from Web Browsers, Data from Local System, Modify Registry, Dynamic Resolution: Fast Flux DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Peripheral Device Discovery, Impair Defenses: Disable or Modify System Firewall, Screen Capture, Application Layer Protocol: Web Protocols, Application Window Discovery, Data Encoding: Standard Encoding, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Compile After Delivery, Indicator Removal: File Deletion, Indicator Removal: Clear Persistence, System Information Discovery, System Owner/User Discovery, Video Capture, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Remote Services: Remote Desktop Protocol, Remote System Discovery, Exfiltration Over C2 Channel, Replication Through Removable Media, Non-Standard Port
S0262 QuasarRAT [1] Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Data from Local System, Proxy, Modify Registry, Encrypted Channel: Symmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Unsecured Credentials: Credentials In Files, Abuse Elevation Control Mechanism: Bypass User Account Control, System Location Discovery, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Video Capture, Ingress Tool Transfer, Input Capture: Keylogging, Remote Services: Remote Desktop Protocol, Hide Artifacts: Hidden Window, Hide Artifacts: Hidden Files and Directories, Non-Application Layer Protocol, Non-Standard Port, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing
S0332 Remcos [1] Proxy, Modify Registry, Clipboard Data, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, File and Directory Discovery, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Bypass User Account Control, Virtualization/Sandbox Evasion: System Checks, Video Capture, Ingress Tool Transfer, Input Capture: Keylogging, Process Injection, Audio Capture

References