G0140 LazyScripter

LazyScripter is a threat group that has mainly targeted the airlines industry since at least 2018, primarily using open-source toolsets.1

Item Value
ID G0140
Associated Names
Version 1.0
Created 24 November 2021
Last Modified 15 April 2022

Techniques Used

Domain ID Name Use
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains LazyScripter has used dynamic DNS providers to create legitimate-looking subdomains for C2.1
enterprise T1583.006 Web Services LazyScripter has established GitHub accounts to host its toolsets.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.004 DNS LazyScripter has leveraged dynamic DNS providers for C2 communications.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder LazyScripter has achieved persistence via writing a PowerShell script to the autorun registry key.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell LazyScripter has used PowerShell scripts to execute malicious code.1
enterprise T1059.003 Windows Command Shell LazyScripter has used batch files to deploy open-source and multi-stage RATs.1
enterprise T1059.005 Visual Basic LazyScripter has used VBScript to execute malicious code.1
enterprise T1059.007 JavaScript LazyScripter has used JavaScript in its attacks.1
enterprise T1105 Ingress Tool Transfer LazyScripter has downloaded additional tools to a compromised host.1
enterprise T1036 Masquerading LazyScripter has used several different security software icons to disguise executables.1
enterprise T1027 Obfuscated Files or Information LazyScripter has leveraged the BatchEncryption tool to perform advanced batch obfuscation and encoding techniques.1
enterprise T1588 Obtain Capabilities -
enterprise T1588.001 Malware LazyScripter has used a variety of open-source remote access Trojans for its operations.1
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment LazyScripter has used spam emails weaponized with archive or document files as its initial infection vector.1
enterprise T1566.002 Spearphishing Link LazyScripter has used spam emails that contain a link that redirects the victim to download a malicious document.1
enterprise T1608 Stage Capabilities -
enterprise T1608.001 Upload Malware LazyScripter has hosted open-source remote access Trojans used in its operations on GitHub.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.005 Mshta LazyScripter has used mshta.exe to execute Koadic stagers.1
enterprise T1218.011 Rundll32 LazyScripter has used rundll32.exe to execute Koadic stagers.1
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link LazyScripter has relied upon users clicking on links to malicious files.1
enterprise T1204.002 Malicious File LazyScripter has lured users to open malicious email attachments.1
enterprise T1102 Web Service LazyScripter has used GitHub to host its payloads to operate spam campaigns.1

Software

ID Name References Techniques
S0363 Empire 1 Bypass User Account Control:Abuse Elevation Control Mechanism; Access Token Manipulation; SID-History Injection:Access Token Manipulation; Create Process with Token:Access Token Manipulation; Domain Account:Account Discovery; Local Account:Account Discovery; LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle; Web Protocols:Application Layer Protocol; Archive Collected Data; Shortcut Modification:Boot or Logon Autostart Execution; Security Support Provider:Boot or Logon Autostart Execution; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Browser Bookmark Discovery; Clipboard Data; Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Commonly Used Port; Domain Account:Create Account; Local Account:Create Account; Windows Service:Create or Modify System Process; Credentials from Web Browsers:Credentials from Password Stores; Group Policy Modification:Domain Policy Modification; Domain Trust Discovery; Local Email Collection:Email Collection; Asymmetric Cryptography:Encrypted Channel; Accessibility Features:Event Triggered Execution; Exfiltration Over C2 Channel; Exfiltration to Cloud Storage:Exfiltration Over Web Service; Exfiltration to Code Repository:Exfiltration Over Web Service; Exploitation for Privilege Escalation; Exploitation of Remote Services; File and Directory Discovery; Group Policy Discovery; Path Interception by Search Order Hijacking:Hijack Execution Flow; Path Interception by PATH Environment Variable:Hijack Execution Flow; Path Interception by Unquoted Path:Hijack Execution Flow; DLL Search Order Hijacking:Hijack Execution Flow; Dylib Hijacking:Hijack Execution Flow; Timestomp:Indicator Removal on Host; Ingress Tool Transfer; Credential API Hooking:Input Capture; Keylogging:Input Capture; Native API; Network Service Discovery; Network Share Discovery; Network Sniffing; Obfuscated Files or Information; LSASS Memory:OS Credential Dumping; Process Discovery; Process Injection; Distributed Component Object Model:Remote Services; SSH:Remote Services; Scheduled Task:Scheduled Task/Job; Screen Capture; Security Software Discovery:Software Discovery; Golden Ticket:Steal or Forge Kerberos Tickets; Kerberoasting:Steal or Forge Kerberos Tickets; Silver Ticket:Steal or Forge Kerberos Tickets; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; Service Execution:System Services; MSBuild:Trusted Developer Utilities Proxy Execution; Private Keys:Unsecured Credentials; Credentials In Files:Unsecured Credentials; Pass the Hash:Use Alternate Authentication Material; Video Capture; Bidirectional Communication:Web Service; Windows Management Instrumentation
S0250 Koadic - Bypass User Account Control:Abuse Elevation Control Mechanism; Web Protocols:Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Clipboard Data; Windows Command Shell:Command and Scripting Interpreter; Visual Basic:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Data from Local System; Asymmetric Cryptography:Encrypted Channel; File and Directory Discovery; Hidden Window:Hide Artifacts; Ingress Tool Transfer; Network Service Discovery; Network Share Discovery; Security Account Manager:OS Credential Dumping; NTDS:OS Credential Dumping; Dynamic-link Library Injection:Process Injection; Remote Desktop Protocol:Remote Services; Scheduled Task:Scheduled Task/Job; Rundll32:System Binary Proxy Execution; Regsvr32:System Binary Proxy Execution; Mshta:System Binary Proxy Execution; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery; Service Execution:System Services; Windows Management Instrumentation
S0669 KOCTOPUS - Bypass User Account Control:Abuse Elevation Control Mechanism; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; PowerShell:Command and Scripting Interpreter; Visual Basic:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Deobfuscate/Decode Files or Information; Hidden Window:Hide Artifacts; Disable or Modify Tools:Impair Defenses; Indicator Removal on Host; Ingress Tool Transfer; Match Legitimate Name or Location:Masquerading; Modify Registry; Native API; Obfuscated Files or Information; Spearphishing Link:Phishing; Spearphishing Attachment:Phishing; Proxy; System Information Discovery; Malicious Link:User Execution; Malicious File:User Execution
S0508 Ngrok - Domain Generation Algorithms:Dynamic Resolution; Exfiltration Over Web Service; Protocol Tunneling; Proxy; Web Service
S0385 njRAT - Web Protocols:Application Layer Protocol; Application Window Discovery; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Windows Command Shell:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Credentials from Web Browsers:Credentials from Password Stores; Standard Encoding:Data Encoding; Data from Local System; Fast Flux DNS:Dynamic Resolution; Exfiltration Over C2 Channel; File and Directory Discovery; Disable or Modify System Firewall:Impair Defenses; File Deletion:Indicator Removal on Host; Indicator Removal on Host; Ingress Tool Transfer; Keylogging:Input Capture; Modify Registry; Native API; Non-Standard Port; Obfuscated Files or Information; Compile After Delivery:Obfuscated Files or Information; Peripheral Device Discovery; Process Discovery; Query Registry; Remote Desktop Protocol:Remote Services; Remote System Discovery; Replication Through Removable Media; Screen Capture; System Information Discovery; System Owner/User Discovery; Video Capture
S0262 QuasarRAT - Windows Command Shell:Command and Scripting Interpreter; Credentials from Web Browsers:Credentials from Password Stores; Credentials from Password Stores; Symmetric Cryptography:Encrypted Channel; Ingress Tool Transfer; Keylogging:Input Capture; Modify Registry; Proxy; Remote Desktop Protocol:Remote Services; Scheduled Task:Scheduled Task/Job; Code Signing:Subvert Trust Controls; System Information Discovery; Credentials In Files:Unsecured Credentials; Video Capture
S0332 Remcos - Bypass User Account Control:Abuse Elevation Control Mechanism; Audio Capture; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Clipboard Data; Windows Command Shell:Command and Scripting Interpreter; Python:Command and Scripting Interpreter; File and Directory Discovery; Ingress Tool Transfer; Keylogging:Input Capture; Modify Registry; Obfuscated Files or Information; Process Injection; Proxy; Screen Capture; Video Capture; System Checks:Virtualization/Sandbox Evasion
