
G0140 LazyScripter

LazyScripter is a threat group that has mainly targeted the airline industry since at least 2018, primarily using open-source toolsets. [1]

Item Value
ID G0140
Associated Names
Version 1.1
Created 24 November 2021
Last Modified 22 March 2023

Techniques Used

Domain ID Name Use
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains LazyScripter has used dynamic DNS providers to create legitimate-looking subdomains for C2. [1]
enterprise T1583.006 Web Services LazyScripter has established GitHub accounts to host its toolsets. [1]
enterprise T1071 Application Layer Protocol -
enterprise T1071.004 DNS LazyScripter has leveraged dynamic DNS providers for C2 communications. [1]
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder LazyScripter has achieved persistence by writing a PowerShell script to the autorun registry key. [1]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell LazyScripter has used PowerShell scripts to execute malicious code. [1]
enterprise T1059.003 Windows Command Shell LazyScripter has used batch files to deploy open-source and multi-stage RATs. [1]
enterprise T1059.005 Visual Basic LazyScripter has used VBScript to execute malicious code. [1]
enterprise T1059.007 JavaScript LazyScripter has used JavaScript in its attacks. [1]
enterprise T1105 Ingress Tool Transfer LazyScripter has downloaded additional tools to a compromised host. [1]
enterprise T1036 Masquerading LazyScripter has used several different security software icons to disguise executables. [1]
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.010 Command Obfuscation LazyScripter has leveraged the BatchEncryption tool to perform advanced batch script obfuscation and encoding techniques. [1]
enterprise T1588 Obtain Capabilities -
enterprise T1588.001 Malware LazyScripter has used a variety of open-source remote access Trojans for its operations. [1]
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment LazyScripter has used spam emails weaponized with archive or document files as its initial infection vector. [1]
enterprise T1566.002 Spearphishing Link LazyScripter has used spam emails that contain a link that redirects the victim to download a malicious document. [1]
enterprise T1608 Stage Capabilities -
enterprise T1608.001 Upload Malware LazyScripter has hosted open-source remote access Trojans used in its operations on GitHub. [1]
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.005 Mshta LazyScripter has used mshta.exe to execute Koadic stagers. [1]
enterprise T1218.011 Rundll32 LazyScripter has used rundll32.exe to execute Koadic stagers. [1]
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link LazyScripter has relied upon users clicking on links to malicious files. [1]
enterprise T1204.002 Malicious File LazyScripter has lured users to open malicious email attachments. [1]
enterprise T1102 Web Service LazyScripter has used GitHub to host its payloads to operate spam campaigns. [1]

Software

ID Name References Techniques (sub-technique:parent technique; techniques separated by semicolons)

S0363 Empire [1]: Bypass User Account Control:Abuse Elevation Control Mechanism; Access Token Manipulation; SID-History Injection:Access Token Manipulation; Create Process with Token:Access Token Manipulation; Domain Account:Account Discovery; Local Account:Account Discovery; LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle; Web Protocols:Application Layer Protocol; Archive Collected Data; Automated Collection; Automated Exfiltration; Shortcut Modification:Boot or Logon Autostart Execution; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Security Support Provider:Boot or Logon Autostart Execution; Browser Information Discovery; Clipboard Data; PowerShell:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Command and Scripting Interpreter; Domain Account:Create Account; Local Account:Create Account; Windows Service:Create or Modify System Process; Credentials from Web Browsers:Credentials from Password Stores; Group Policy Modification:Domain Policy Modification; Domain Trust Discovery; Local Email Collection:Email Collection; Asymmetric Cryptography:Encrypted Channel; Accessibility Features:Event Triggered Execution; Exfiltration Over C2 Channel; Exfiltration to Code Repository:Exfiltration Over Web Service; Exfiltration to Cloud Storage:Exfiltration Over Web Service; Exploitation for Privilege Escalation; Exploitation of Remote Services; File and Directory Discovery; Group Policy Discovery; Path Interception by Search Order Hijacking:Hijack Execution Flow; Dylib Hijacking:Hijack Execution Flow; Path Interception by Unquoted Path:Hijack Execution Flow; DLL Search Order Hijacking:Hijack Execution Flow; Path Interception by PATH Environment Variable:Hijack Execution Flow; Timestomp:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Credential API Hooking:Input Capture; Native API; Network Service Discovery; Network Share Discovery; Network Sniffing; Command Obfuscation:Obfuscated Files or Information; LSASS Memory:OS Credential Dumping; Process Discovery; Process Injection; Distributed Component Object Model:Remote Services; SSH:Remote Services; Scheduled Task:Scheduled Task/Job; Screen Capture; Security Software Discovery:Software Discovery; Kerberoasting:Steal or Forge Kerberos Tickets; Silver Ticket:Steal or Forge Kerberos Tickets; Golden Ticket:Steal or Forge Kerberos Tickets; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Owner/User Discovery; Service Execution:System Services; MSBuild:Trusted Developer Utilities Proxy Execution; Credentials In Files:Unsecured Credentials; Private Keys:Unsecured Credentials; Pass the Hash:Use Alternate Authentication Material; Video Capture; Bidirectional Communication:Web Service; Windows Management Instrumentation

S0250 Koadic [1]: Bypass User Account Control:Abuse Elevation Control Mechanism; Web Protocols:Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Clipboard Data; Windows Command Shell:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Visual Basic:Command and Scripting Interpreter; Data from Local System; Asymmetric Cryptography:Encrypted Channel; File and Directory Discovery; Hidden Window:Hide Artifacts; Ingress Tool Transfer; Network Service Discovery; Network Share Discovery; NTDS:OS Credential Dumping; Security Account Manager:OS Credential Dumping; Dynamic-link Library Injection:Process Injection; Remote Desktop Protocol:Remote Services; Scheduled Task:Scheduled Task/Job; Regsvr32:System Binary Proxy Execution; Rundll32:System Binary Proxy Execution; Mshta:System Binary Proxy Execution; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery; Service Execution:System Services; Windows Management Instrumentation

S0669 KOCTOPUS [1]: Bypass User Account Control:Abuse Elevation Control Mechanism; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Visual Basic:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Deobfuscate/Decode Files or Information; Hidden Window:Hide Artifacts; Disable or Modify Tools:Impair Defenses; Clear Persistence:Indicator Removal; Ingress Tool Transfer; Match Legitimate Name or Location:Masquerading; Modify Registry; Native API; Command Obfuscation:Obfuscated Files or Information; Spearphishing Attachment:Phishing; Spearphishing Link:Phishing; Proxy; System Information Discovery; Malicious File:User Execution; Malicious Link:User Execution

S0508 Ngrok [1]: Domain Generation Algorithms:Dynamic Resolution; Exfiltration Over Web Service; Protocol Tunneling; Proxy; Web Service

S0385 njRAT [1]: Web Protocols:Application Layer Protocol; Application Window Discovery; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Windows Command Shell:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Credentials from Web Browsers:Credentials from Password Stores; Standard Encoding:Data Encoding; Data from Local System; Fast Flux DNS:Dynamic Resolution; Exfiltration Over C2 Channel; File and Directory Discovery; Disable or Modify System Firewall:Impair Defenses; Clear Persistence:Indicator Removal; File Deletion:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Modify Registry; Native API; Non-Standard Port; Compile After Delivery:Obfuscated Files or Information; Obfuscated Files or Information; Peripheral Device Discovery; Process Discovery; Query Registry; Remote Desktop Protocol:Remote Services; Remote System Discovery; Replication Through Removable Media; Screen Capture; System Information Discovery; System Owner/User Discovery; Video Capture

S0262 QuasarRAT [1]: Bypass User Account Control:Abuse Elevation Control Mechanism; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Windows Command Shell:Command and Scripting Interpreter; Credentials from Password Stores; Credentials from Web Browsers:Credentials from Password Stores; Data from Local System; Symmetric Cryptography:Encrypted Channel; Hidden Files and Directories:Hide Artifacts; Hidden Window:Hide Artifacts; Ingress Tool Transfer; Keylogging:Input Capture; Modify Registry; Non-Application Layer Protocol; Non-Standard Port; Proxy; Remote Desktop Protocol:Remote Services; Scheduled Task:Scheduled Task/Job; Code Signing:Subvert Trust Controls; System Information Discovery; System Location Discovery; System Network Configuration Discovery; System Owner/User Discovery; Credentials In Files:Unsecured Credentials; Video Capture

S0332 Remcos [1]: Bypass User Account Control:Abuse Elevation Control Mechanism; Audio Capture; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Clipboard Data; Python:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; File and Directory Discovery; Ingress Tool Transfer; Keylogging:Input Capture; Modify Registry; Obfuscated Files or Information; Process Injection; Proxy; Screen Capture; Video Capture; System Checks:Virtualization/Sandbox Evasion

References