Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа LazyScripter
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
LazyScripter
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

LazyScripter

LazyScripter is threat group that has mainly targeted the airlines industry since at least 2018, primarily using open-source toolsets.(Citation: MalwareBytes LazyScripter Feb 2021)
ID: G0140
Associated Groups: 
Version: 1.0
Created: 24 Nov 2021
Last Modified: 15 Apr 2022

Associated Group Descriptions
Name Description

Techniques Used
Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

LazyScripter has used dynamic DNS providers to create legitimate-looking subdomains for C2.(Citation: MalwareBytes LazyScripter Feb 2021)
.006 Acquire Infrastructure: Web Services

LazyScripter has established GitHub accounts to host its toolsets.(Citation: MalwareBytes LazyScripter Feb 2021)

Enterprise T1071 .004 Application Layer Protocol: DNS

LazyScripter has leveraged dynamic DNS providers for C2 communications.(Citation: MalwareBytes LazyScripter Feb 2021)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

LazyScripter has achieved persistence via writing a PowerShell script to the autorun registry key.(Citation: MalwareBytes LazyScripter Feb 2021)
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

LazyScripter has used PowerShell scripts to execute malicious code.(Citation: MalwareBytes LazyScripter Feb 2021)
.003 Command and Scripting Interpreter: Windows Command Shell

LazyScripter has used batch files to deploy open-source and multi-stage RATs.(Citation: MalwareBytes LazyScripter Feb 2021)

.005 Command and Scripting Interpreter: Visual Basic

LazyScripter has used VBScript to execute malicious code.(Citation: MalwareBytes LazyScripter Feb 2021)

.007 Command and Scripting Interpreter: JavaScript

LazyScripter has used JavaScript in its attacks.(Citation: MalwareBytes LazyScripter Feb 2021)

Enterprise T1588 .001 Obtain Capabilities: Malware

LazyScripter has used a variety of open-source remote access Trojans for its operations.(Citation: MalwareBytes LazyScripter Feb 2021)
Enterprise T1566 .001 Phishing: Spearphishing Attachment

LazyScripter has used spam emails weaponized with archive or document files as its initial infection vector.(Citation: MalwareBytes LazyScripter Feb 2021)
.002 Phishing: Spearphishing Link

LazyScripter has used spam emails that contain a link that redirects the victim to download a malicious document.(Citation: MalwareBytes LazyScripter Feb 2021)

Enterprise T1608 .001 Stage Capabilities: Upload Malware

LazyScripter has hosted open-source remote access Trojans used in its operations in GitHub.(Citation: MalwareBytes LazyScripter Feb 2021)
Enterprise T1218 .005 System Binary Proxy Execution: Mshta

LazyScripter has used `mshta.exe` to execute Koadic stagers.(Citation: MalwareBytes LazyScripter Feb 2021)

.011 System Binary Proxy Execution: Rundll32

LazyScripter has used `rundll32.exe` to execute Koadic stagers.(Citation: MalwareBytes LazyScripter Feb 2021)

Enterprise T1204 .001 User Execution: Malicious Link

LazyScripter has relied upon users clicking on links to malicious files.(Citation: MalwareBytes LazyScripter Feb 2021)
.002 User Execution: Malicious File

LazyScripter has lured users to open malicious email attachments.(Citation: MalwareBytes LazyScripter Feb 2021)

Software
ID Name References Techniques
S0363 Empire (Citation: EmPyre) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: MalwareBytes LazyScripter Feb 2021) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) Video Capture, Distributed Component Object Model, LLMNR/NBT-NS Poisoning and SMB Relay, System Network Configuration Discovery, PowerShell, Domain Trust Discovery, Keylogging, Obfuscated Files or Information, Local Account, Screen Capture, Network Service Discovery, Credentials In Files, Archive Collected Data, Group Policy Modification, Exfiltration Over C2 Channel, Commonly Used Port, System Information Discovery, Clipboard Data, Exploitation for Privilege Escalation, Automated Exfiltration, Accessibility Features, Automated Collection, Group Policy Discovery, Domain Account, Security Support Provider, SSH, Kerberoasting, SID-History Injection, Path Interception by Unquoted Path, Registry Run Keys / Startup Folder, Network Share Discovery, Path Interception by Search Order Hijacking, Golden Ticket, Exploitation of Remote Services, Service Execution, Exfiltration to Code Repository, File and Directory Discovery, Credential API Hooking, Path Interception by PATH Environment Variable, Native API, Windows Management Instrumentation, Process Injection, Pass the Hash, Browser Bookmark Discovery, MSBuild, Private Keys, Exfiltration to Cloud Storage, Web Protocols, Access Token Manipulation, Network Sniffing, Local Email Collection, Windows Command Shell, Bidirectional Communication, Credentials from Web Browsers, Security Software Discovery, Local Account, Dylib Hijacking, System Network Connections Discovery, Scheduled Task, LSASS Memory, Asymmetric Cryptography, Create Process with Token, Windows Service, Command and Scripting Interpreter, Process Discovery, Ingress Tool Transfer, Timestomp, Shortcut Modification, DLL Search Order Hijacking, Domain Account, System Owner/User Discovery, Bypass User Account Control, Silver Ticket
S0332 Remcos (Citation: Fortinet Remcos Feb 2017) (Citation: MalwareBytes LazyScripter Feb 2021) (Citation: Riskiq Remcos Jan 2018) (Citation: Talos Remcos Aug 2018) Registry Run Keys / Startup Folder, Clipboard Data, Process Injection, Python, Proxy, Modify Registry, Obfuscated Files or Information, System Checks, Windows Command Shell, Bypass User Account Control, Screen Capture, Ingress Tool Transfer, Keylogging, Video Capture, File and Directory Discovery, Audio Capture
S0508 Ngrok (Citation: Cyware Ngrok May 2019) (Citation: FireEye Maze May 2020) (Citation: MalwareBytes LazyScripter Feb 2021) (Citation: Zdnet Ngrok September 2018) Protocol Tunneling, Domain Generation Algorithms, Exfiltration Over Web Service, Proxy, Web Service
S0250 Koadic (Citation: Github Koadic) (Citation: MalwareBytes LazyScripter Feb 2021) (Citation: Palo Alto Sofacy 06-2018) System Network Configuration Discovery, System Information Discovery, Visual Basic, Mshta, Dynamic-link Library Injection, Regsvr32, System Owner/User Discovery, Hidden Window, Security Account Manager, Ingress Tool Transfer, Web Protocols, Windows Management Instrumentation, PowerShell, Clipboard Data, Bypass User Account Control, Network Service Discovery, Remote Desktop Protocol, Windows Command Shell, File and Directory Discovery, Registry Run Keys / Startup Folder, NTDS, Service Execution, Data from Local System, Asymmetric Cryptography, Network Share Discovery, Rundll32, Scheduled Task
S0385 njRAT (Citation: Bladabindi) (Citation: Fidelis njRAT June 2013) (Citation: FireEye Njw0rm Aug 2013) (Citation: LV) (Citation: MalwareBytes LazyScripter Feb 2021) (Citation: Njw0rm) (Citation: Trend Micro njRAT 2018) System Information Discovery, Credentials from Web Browsers, Application Window Discovery, Ingress Tool Transfer, File and Directory Discovery, Query Registry, Peripheral Device Discovery, Video Capture, Screen Capture, Native API, Remote System Discovery, File Deletion, PowerShell, Disable or Modify System Firewall, Obfuscated Files or Information, Standard Encoding, Compile After Delivery, Non-Standard Port, Replication Through Removable Media, System Owner/User Discovery, Registry Run Keys / Startup Folder, Remote Desktop Protocol, Uncommonly Used Port, Custom Command and Control Protocol, Keylogging, Web Protocols, Clear Persistence, Modify Registry, Exfiltration Over C2 Channel, Process Discovery, Fast Flux DNS, Indicator Removal, Windows Command Shell, Data from Local System
S0262 QuasarRAT (Citation: GitHub QuasarRAT) (Citation: MalwareBytes LazyScripter Feb 2021) (Citation: Securelist APT10 March 2021) (Citation: TrendMicro Patchwork Dec 2017) (Citation: Volexity Patchwork June 2018) (Citation: xRAT) Remote Desktop Protocol, Keylogging, Symmetric Cryptography, Credentials from Web Browsers, Registry Run Keys / Startup Folder, Hidden Window, System Information Discovery, Ingress Tool Transfer, System Location Discovery, Modify Registry, Hidden Files and Directories, System Owner/User Discovery, Bypass User Account Control, Data from Local System, Non-Application Layer Protocol, System Network Configuration Discovery, Credentials from Password Stores, Credentials In Files, Windows Command Shell, Proxy, Non-Standard Port, Code Signing, Scheduled Task, Video Capture
S0669 KOCTOPUS (Citation: MalwareBytes LazyScripter Feb 2021) Spearphishing Attachment, Deobfuscate/Decode Files or Information, Malicious File, Proxy, Modify Registry, Spearphishing Link, System Information Discovery, Hidden Window, Windows Command Shell, Ingress Tool Transfer, Disable or Modify Tools, Malicious Link, Clear Persistence, Match Legitimate Name or Location, Native API, PowerShell, Bypass User Account Control, Obfuscated Files or Information, Visual Basic, Registry Run Keys / Startup Folder

References

  1. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.