Skip to content

S0229 Orz

Orz is a custom JavaScript backdoor used by Leviathan. It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. 1 2

Item Value
ID S0229
Associated Names AIRBREAK
Type MALWARE
Version 2.2
Created 18 April 2018
Last Modified 19 April 2022
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
AIRBREAK 2

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Orz can execute shell commands.1 Orz can execute commands with JavaScript.1
enterprise T1083 File and Directory Discovery Orz can gather victim drive information.1
enterprise T1070 Indicator Removal on Host Orz can overwrite Registry settings to reduce its visibility on the victim.1
enterprise T1105 Ingress Tool Transfer Orz can download files onto the victim.1
enterprise T1112 Modify Registry Orz can perform Registry operations.1
enterprise T1027 Obfuscated Files or Information Some Orz strings are base64 encoded, such as the embedded DLL known as MockDll.1
enterprise T1057 Process Discovery Orz can gather a process list from the victim.1
enterprise T1055 Process Injection -
enterprise T1055.012 Process Hollowing Some Orz versions have an embedded DLL known as MockDll that uses process hollowing and Regsvr32 to execute another payload.1
enterprise T1518 Software Discovery Orz can gather the victim’s Internet Explorer version.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.010 Regsvr32 Some Orz versions have an embedded DLL known as MockDll that uses Process Hollowing and regsvr32 to execute another payload.1
enterprise T1082 System Information Discovery Orz can gather the victim OS version and whether it is 64 or 32 bit.1
enterprise T1016 System Network Configuration Discovery Orz can gather victim proxy information.1
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication Orz has used Technet and Pastebin web pages for command and control.1

Groups That Use This Software

ID Name References
G0065 Leviathan 134

References

Back to top