Malware: Orz

Description

[Orz](https://attack.mitre.org/software/S0229) is a custom JavaScript backdoor used by [Leviathan](https://attack.mitre.org/groups/G0065). It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. (Citation: Proofpoint Leviathan Oct 2017) (Citation: FireEye Periscope March 2018)

External References

• mitre-attack
• Proofpoint Leviathan Oct 2017
• FireEye Periscope March 2018

Techniques Used by This Malware

• T1016 — System Network Configuration Discovery
• T1027 — Obfuscated Files or Information
• T1055.012 — Process Hollowing
• T1057 — Process Discovery
• T1059.003 — Windows Command Shell
• T1070 — Indicator Removal
• T1082 — System Information Discovery
• T1083 — File and Directory Discovery
• T1102.002 — Bidirectional Communication
• T1105 — Ingress Tool Transfer
• T1112 — Modify Registry
• T1218.010 — Regsvr32
• T1518 — Software Discovery

APT Groups Using This Malware

• Leviathan