Currently viewing ATT&CK v15.1, which was live between April 23, 2024 and October 30, 2024.

LazyScripter

LazyScripter is a threat group that has mainly targeted the airline industry since at least 2018, primarily using open-source toolsets.[1]

ID: G0140
Contributors: Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India; Hiroki Nagahama, NEC Corporation
Version: 1.1
Created: 24 November 2021
Last Modified: 22 March 2023

Techniques Used

Domain ID Name Use

Enterprise T1583.001 Acquire Infrastructure: Domains

LazyScripter has used dynamic DNS providers to create legitimate-looking subdomains for C2.[1]

Enterprise T1583.006 Acquire Infrastructure: Web Services

LazyScripter has established GitHub accounts to host its toolsets.[1]

Enterprise T1071.004 Application Layer Protocol: DNS

LazyScripter has leveraged dynamic DNS providers for C2 communications.[1]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

LazyScripter has achieved persistence by writing a PowerShell script to the autorun registry key.[1]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

LazyScripter has used PowerShell scripts to execute malicious code.[1]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

LazyScripter has used batch files to deploy open-source and multi-stage RATs.[1]

Enterprise T1059.005 Command and Scripting Interpreter: Visual Basic

LazyScripter has used VBScript to execute malicious code.[1]

Enterprise T1059.007 Command and Scripting Interpreter: JavaScript

LazyScripter has used JavaScript in its attacks.[1]

Enterprise T1105 Ingress Tool Transfer

LazyScripter has downloaded additional tools to a compromised host.[1]

Enterprise T1036 Masquerading

LazyScripter has used several different security software icons to disguise executables.[1]

Enterprise T1027.010 Obfuscated Files or Information: Command Obfuscation

LazyScripter has leveraged the BatchEncryption tool to perform advanced batch script obfuscation and encoding techniques.[1]

Enterprise T1588.001 Obtain Capabilities: Malware

LazyScripter has used a variety of open-source remote access Trojans for its operations.[1]

Enterprise T1566.001 Phishing: Spearphishing Attachment

LazyScripter has used spam emails weaponized with archive or document files as its initial infection vector.[1]

Enterprise T1566.002 Phishing: Spearphishing Link

LazyScripter has used spam emails containing a link that redirects the victim to download a malicious document.[1]

Enterprise T1608.001 Stage Capabilities: Upload Malware

LazyScripter has hosted the open-source remote access Trojans used in its operations on GitHub.[1]

Enterprise T1218.005 System Binary Proxy Execution: Mshta

LazyScripter has used mshta.exe to execute Koadic stagers.[1]

Enterprise T1218.011 System Binary Proxy Execution: Rundll32

LazyScripter has used rundll32.exe to execute Koadic stagers.[1]

Enterprise T1204.001 User Execution: Malicious Link

LazyScripter has relied upon users clicking on links to malicious files.[1]

Enterprise T1204.002 User Execution: Malicious File

LazyScripter has lured users into opening malicious email attachments.[1]

Enterprise T1102 Web Service

LazyScripter has used GitHub to host the payloads for its spam campaigns.[1]

Software

ID Name References Techniques
S0363 Empire [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Automated Collection, Automated Exfiltration, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Browser Information Discovery, Clipboard Data, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain or Tenant Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL Search Order Hijacking, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation
S0250 Koadic [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Clipboard Data, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Encrypted Channel: Asymmetric Cryptography, File and Directory Discovery, Hide Artifacts: Hidden Window, Ingress Tool Transfer, Network Service Discovery, Network Share Discovery, OS Credential Dumping: Security Account Manager, OS Credential Dumping: NTDS, Process Injection: Dynamic-link Library Injection, Remote Services: Remote Desktop Protocol, Scheduled Task/Job: Scheduled Task, System Binary Proxy Execution: Mshta, System Binary Proxy Execution: Regsvr32, System Binary Proxy Execution: Rundll32, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Services: Service Execution, Windows Management Instrumentation
S0669 KOCTOPUS [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Deobfuscate/Decode Files or Information, Hide Artifacts: Hidden Window, Impair Defenses: Disable or Modify Tools, Indicator Removal: Clear Persistence, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Modify Registry, Native API, Obfuscated Files or Information: Command Obfuscation, Phishing: Spearphishing Attachment, Phishing: Spearphishing Link, Proxy, System Information Discovery, User Execution: Malicious File, User Execution: Malicious Link
S0508 ngrok [1] Dynamic Resolution: Domain Generation Algorithms, Exfiltration Over Web Service, Protocol Tunneling, Proxy, Web Service
S0385 njRAT [1] Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data from Local System, Dynamic Resolution: Fast Flux DNS, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Indicator Removal: File Deletion, Indicator Removal: Clear Persistence, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Standard Port, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Compile After Delivery, Peripheral Device Discovery, Process Discovery, Query Registry, Remote Services: Remote Desktop Protocol, Remote System Discovery, Replication Through Removable Media, Screen Capture, System Information Discovery, System Owner/User Discovery, Video Capture
S0262 QuasarRAT [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Data from Local System, Encrypted Channel: Symmetric Cryptography, Hide Artifacts: Hidden Window, Hide Artifacts: Hidden Files and Directories, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Non-Application Layer Protocol, Non-Standard Port, Proxy, Remote Services: Remote Desktop Protocol, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing, System Information Discovery, System Location Discovery, System Network Configuration Discovery, System Owner/User Discovery, Unsecured Credentials: Credentials In Files, Video Capture
S0332 Remcos [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Clipboard Data, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection, Proxy, Screen Capture, Video Capture, Virtualization/Sandbox Evasion: System Checks

References