LazyScripter

LazyScripter is threat group that has mainly targeted the airlines industry since at least 2018, primarily using open-source toolsets.^[1]

ID: G0140

Contributors: Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India; Hiroki Nagahama, NEC Corporation

Version: 1.1

Created: 24 November 2021

Last Modified: 22 March 2023

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1583	.001	Acquire Infrastructure: Domains	LazyScripter has used dynamic DNS providers to create legitimate-looking subdomains for C2.^[1]
		.006	Acquire Infrastructure: Web Services	LazyScripter has established GitHub accounts to host its toolsets.^[1]
Enterprise	T1071	.004	Application Layer Protocol: DNS	LazyScripter has leveraged dynamic DNS providers for C2 communications.^[1]
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	LazyScripter has achieved persistence via writing a PowerShell script to the autorun registry key.^[1]
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	LazyScripter has used PowerShell scripts to execute malicious code.^[1]
		.003	Command and Scripting Interpreter: Windows Command Shell	LazyScripter has used batch files to deploy open-source and multi-stage RATs.^[1]
		.005	Command and Scripting Interpreter: Visual Basic	LazyScripter has used VBScript to execute malicious code.^[1]
		.007	Command and Scripting Interpreter: JavaScript	LazyScripter has used JavaScript in its attacks.^[1]
Enterprise	T1105		Ingress Tool Transfer	LazyScripter had downloaded additional tools to a compromised host.^[1]
Enterprise	T1036		Masquerading	LazyScripter has used several different security software icons to disguise executables.^[1]
Enterprise	T1027	.010	Obfuscated Files or Information: Command Obfuscation	LazyScripter has leveraged the BatchEncryption tool to perform advanced batch script obfuscation and encoding techniques.^[1]
Enterprise	T1588	.001	Obtain Capabilities: Malware	LazyScripter has used a variety of open-source remote access Trojans for its operations.^[1]
Enterprise	T1566	.001	Phishing: Spearphishing Attachment	LazyScripter has used spam emails weaponized with archive or document files as its initial infection vector.^[1]
		.002	Phishing: Spearphishing Link	LazyScripter has used spam emails that contain a link that redirects the victim to download a malicious document.^[1]
Enterprise	T1608	.001	Stage Capabilities: Upload Malware	LazyScripter has hosted open-source remote access Trojans used in its operations in GitHub.^[1]
Enterprise	T1218	.005	System Binary Proxy Execution: Mshta	LazyScripter has used `mshta.exe` to execute Koadic stagers.^[1]
		.011	System Binary Proxy Execution: Rundll32	LazyScripter has used `rundll32.exe` to execute Koadic stagers.^[1]
Enterprise	T1204	.001	User Execution: Malicious Link	LazyScripter has relied upon users clicking on links to malicious files.^[1]
		.002	User Execution: Malicious File	LazyScripter has lured users to open malicious email attachments.^[1]
Enterprise	T1102		Web Service	LazyScripter has used GitHub to host its payloads to operate spam campaigns.^[1]

Software

ID	Name	References	Techniques
S0363	Empire	^[1]	Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Automated Collection, Automated Exfiltration, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Browser Information Discovery, Clipboard Data, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL Search Order Hijacking, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0250	Koadic	^[1]	Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Clipboard Data, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Encrypted Channel: Asymmetric Cryptography, File and Directory Discovery, Hide Artifacts: Hidden Window, Ingress Tool Transfer, Network Service Discovery, Network Share Discovery, OS Credential Dumping: Security Account Manager, OS Credential Dumping: NTDS, Process Injection: Dynamic-link Library Injection, Remote Services: Remote Desktop Protocol, Scheduled Task/Job: Scheduled Task, System Binary Proxy Execution: Mshta, System Binary Proxy Execution: Regsvr32, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Services: Service Execution, Windows Management Instrumentation
S0669	KOCTOPUS	^[1]	Abuse Elevation Control Mechanism: Bypass User Account Control, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Deobfuscate/Decode Files or Information, Hide Artifacts: Hidden Window, Impair Defenses: Disable or Modify Tools, Indicator Removal: Clear Persistence, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Modify Registry, Native API, Obfuscated Files or Information: Command Obfuscation, Phishing: Spearphishing Attachment, Phishing: Spearphishing Link, Proxy, System Information Discovery, User Execution: Malicious File, User Execution: Malicious Link
S0508	ngrok	^[1]	Dynamic Resolution: Domain Generation Algorithms, Exfiltration Over Web Service, Protocol Tunneling, Proxy, Web Service
S0385	njRAT	^[1]	Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data from Local System, Dynamic Resolution: Fast Flux DNS, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Indicator Removal: File Deletion, Indicator Removal: Clear Persistence, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Standard Port, Obfuscated Files or Information, Obfuscated Files or Information: Compile After Delivery, Peripheral Device Discovery, Process Discovery, Query Registry, Remote Services: Remote Desktop Protocol, Remote System Discovery, Replication Through Removable Media, Screen Capture, System Information Discovery, System Owner/User Discovery, Video Capture
S0262	QuasarRAT	^[1]	Abuse Elevation Control Mechanism: Bypass User Account Control, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Data from Local System, Encrypted Channel: Symmetric Cryptography, Hide Artifacts: Hidden Window, Hide Artifacts: Hidden Files and Directories, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Non-Application Layer Protocol, Non-Standard Port, Proxy, Remote Services: Remote Desktop Protocol, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing, System Information Discovery, System Location Discovery, System Network Configuration Discovery, System Owner/User Discovery, Unsecured Credentials: Credentials In Files, Video Capture
S0332	Remcos	^[1]	Abuse Elevation Control Mechanism: Bypass User Account Control, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Clipboard Data, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection, Proxy, Screen Capture, Video Capture, Virtualization/Sandbox Evasion: System Checks

References

Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.

LazyScripter

Enterprise Layer

Techniques Used

Software

References