1. Home
  2. Software
  3. Orz

Orz

Orz is a custom JavaScript backdoor used by Leviathan. It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. [1] [2]

ID: S0229
Associated Software: AIRBREAK
Type: MALWARE
Platforms: Windows
Version: 2.2
Created: 18 April 2018
Last Modified: 16 April 2025
Version Permalink

Associated Software Descriptions

Name Description
AIRBREAK

[2]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Orz can execute shell commands.[1] Orz can execute commands with JavaScript.[1]
Enterprise T1083 File and Directory Discovery

Orz can gather victim drive information.[1]
Enterprise T1070 Indicator Removal

Orz can overwrite Registry settings to reduce its visibility on the victim.[1]
Enterprise T1105 Ingress Tool Transfer

Orz can download files onto the victim.[1]
Enterprise T1112 Modify Registry

Orz can perform Registry operations.[1]
Enterprise T1027 Obfuscated Files or Information

Some Orz strings are base64 encoded, such as the embedded DLL known as MockDll.[1]
Enterprise T1057 Process Discovery

Orz can gather a process list from the victim.[1]
Enterprise T1055 .012 Process Injection: Process Hollowing

Some Orz versions have an embedded DLL known as MockDll that uses process hollowing and Regsvr32 to execute another payload.[1]
Enterprise T1518 Software Discovery

Orz can gather the victim's Internet Explorer version.[1]
Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

Some Orz versions have an embedded DLL known as MockDll that uses Process Hollowing and regsvr32 to execute another payload.[1]
Enterprise T1082 System Information Discovery

Orz can gather the victim OS version and whether it is 64 or 32 bit.[1]
Enterprise T1016 System Network Configuration Discovery

Orz can gather victim proxy information.[1]
Enterprise T1102 .002 Web Service: Bidirectional Communication

Orz has used Technet and Pastebin web pages for command and control.[1]

Groups That Use This Software

ID Name References
G0065 Leviathan

[1][3][4]

References

  1. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  2. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  1. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  2. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.