Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент Orz
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
Orz
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Orz

Orz is a custom JavaScript backdoor used by Leviathan. It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. (Citation: Proofpoint Leviathan Oct 2017) (Citation: FireEye Periscope March 2018)
ID: S0229
Associated Software: AIRBREAK
Type: MALWARE
Platforms: Windows
Version: 2.2
Created: 18 Apr 2018
Last Modified: 19 Apr 2022

Associated Software Descriptions
Name Description
AIRBREAK (Citation: FireEye Periscope March 2018)

Techniques Used
Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Orz can execute shell commands.(Citation: Proofpoint Leviathan Oct 2017) Orz can execute commands with JavaScript.(Citation: Proofpoint Leviathan Oct 2017)
Enterprise T1055 .012 Process Injection: Process Hollowing

Some Orz versions have an embedded DLL known as MockDll that uses process hollowing and Regsvr32 to execute another payload.(Citation: Proofpoint Leviathan Oct 2017)
Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

Some Orz versions have an embedded DLL known as MockDll that uses Process Hollowing and regsvr32 to execute another payload.(Citation: Proofpoint Leviathan Oct 2017)
Enterprise T1102 .002 Web Service: Bidirectional Communication

Orz has used Technet and Pastebin web pages for command and control.(Citation: Proofpoint Leviathan Oct 2017)

Groups That Use This Software
ID Name References
G0065 Leviathan

(Citation: Proofpoint Leviathan Oct 2017) (Citation: CISA AA21-200A APT40 July 2021) (Citation: Accenture MUDCARP March 2019)

References

  1. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  2. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  3. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  4. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.