Orz
Orz is a custom JavaScript backdoor used by Leviathan. It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. [1] [2]
Associated Software Descriptions
| Name | Description |
|---|---|
| AIRBREAK | [2] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command-Line Interface | |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1070 | Indicator Removal on Host |
Orz can overwrite Registry settings to reduce its visibility on the victim.[1] |
| Enterprise | T1027 | Obfuscated Files or Information |
Some Orz strings are base64 encoded, such as the embedded DLL known as MockDll.[1] |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1093 | Process Hollowing |
Some Orz versions have an embedded DLL known as MockDll that uses process hollowing and Regsvr32 to execute another payload.[1] |
| Enterprise | T1117 | Regsvr32 |
Some Orz versions have an embedded DLL known as MockDll that uses Process Hollowing and regsvr32 to execute another payload.[1] |
| Enterprise | T1105 | Remote File Copy | |
| Enterprise | T1064 | Scripting |
Orz can execute commands with script as well as execute JavaScript.[1] |
| Enterprise | T1518 | Software Discovery | |
| Enterprise | T1082 | System Information Discovery |
Orz can gather the victim OS version and whether it is 64 or 32 bit.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1102 | Web Service |
Orz has used Technet and Pastebin web pages for command and control.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0065 | Leviathan | [1] |