Orz
Orz is a custom JavaScript backdoor used by Leviathan. It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. [1] [2]
Associated Software Descriptions
| Name | Description |
|---|---|
| AIRBREAK | [2] |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
Orz can execute shell commands.[1] Orz can execute commands with JavaScript.[1] |
| Enterprise | T1083 | File and Directory Discovery | ||
| Enterprise | T1070 | Indicator Removal on Host |
Orz can overwrite Registry settings to reduce its visibility on the victim.[1] |
|
| Enterprise | T1105 | Ingress Tool Transfer | ||
| Enterprise | T1027 | Obfuscated Files or Information |
Some Orz strings are base64 encoded, such as the embedded DLL known as MockDll.[1] |
|
| Enterprise | T1057 | Process Discovery | ||
| Enterprise | T1055 | .012 | Process Injection: Process Hollowing |
Some Orz versions have an embedded DLL known as MockDll that uses process hollowing and Regsvr32 to execute another payload.[1] |
| Enterprise | T1218 | .010 | Signed Binary Proxy Execution: Regsvr32 |
Some Orz versions have an embedded DLL known as MockDll that uses Process Hollowing and regsvr32 to execute another payload.[1] |
| Enterprise | T1518 | Software Discovery | ||
| Enterprise | T1082 | System Information Discovery |
Orz can gather the victim OS version and whether it is 64 or 32 bit.[1] |
|
| Enterprise | T1016 | System Network Configuration Discovery | ||
| Enterprise | T1102 | .002 | Web Service: Bidirectional Communication |
Orz has used Technet and Pastebin web pages for command and control.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0065 | Leviathan |