S0229 Orz
Orz is a custom JavaScript backdoor used by Leviathan. It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. [1][2]

| Item | Value |
|---|---|
| ID | S0229 |
| Associated Names | AIRBREAK |
| Type | MALWARE |
| Version | 2.2 |
| Created | 18 April 2018 |
| Last Modified | 19 April 2022 |
Associated Software Descriptions

| Name | Description |
|---|---|
| AIRBREAK | [2] |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Orz can execute shell commands. [1] Orz can execute commands with JavaScript. [1] |
| enterprise | T1083 | File and Directory Discovery | Orz can gather victim drive information. [1] |
| enterprise | T1070 | Indicator Removal | Orz can overwrite Registry settings to reduce its visibility on the victim. [1] |
| enterprise | T1105 | Ingress Tool Transfer | Orz can download files onto the victim. [1] |
| enterprise | T1112 | Modify Registry | Orz can perform Registry operations. [1] |
| enterprise | T1027 | Obfuscated Files or Information | Some Orz strings are base64 encoded, such as the embedded DLL known as MockDll. [1] |
| enterprise | T1057 | Process Discovery | Orz can gather a process list from the victim. [1] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.012 | Process Hollowing | Some Orz versions have an embedded DLL known as MockDll that uses process hollowing and Regsvr32 to execute another payload. [1] |
| enterprise | T1518 | Software Discovery | Orz can gather the victim's Internet Explorer version. [1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.010 | Regsvr32 | Some Orz versions have an embedded DLL known as MockDll that uses process hollowing and Regsvr32 to execute another payload. [1] |
| enterprise | T1082 | System Information Discovery | Orz can gather the victim OS version and whether it is 64- or 32-bit. [1] |
| enterprise | T1016 | System Network Configuration Discovery | Orz can gather victim proxy information. [1] |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.002 | Bidirectional Communication | Orz has used Technet and Pastebin web pages for command and control. [1] |
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0065 | Leviathan | [1][3][4] |
References

1. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
2. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
3. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory: Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China's MSS Hainan State Security Department. Retrieved August 12, 2021.
4. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.