Lazyscripter
Malware

⚠️ Overview
Lazyscripter is a PowerShell-based backdoor first documented by Palo Alto Networks Unit 42 in August 2020, attributed to an unknown threat actor primarily targeting telecommunications, technology, and government organizations in East Asia. It belongs to the category of remote access trojans (RATs) that operate as a lightweight script-based implant enabling persistent remote control over compromised hosts.
🔧 Technical Capabilities
The malware propagates via spear-phishing emails containing malicious Microsoft Office documents that execute PowerShell scripts upon opening. It establishes command-and-control (C2) communication over HTTPS using public cloud services such as Dropbox and Pastebin to host encrypted payloads and exfiltrated data. Persistence is achieved through scheduled tasks or registry Run keys that trigger the malicious script at user logon. Evasion techniques include Base64 encoding, compression, and AMSI (Antimalware Scan Interface) bypass using reflection to disable real-time script scanning. The backdoor supports file upload/download, command execution, keylogging, and screen capture via a modular plugin architecture that downloads additional components from the C2 server.
📜 History & Notable Incidents
First observed in early 2020, Lazyscripter was used in a campaign that targeted an Asian telecommunications provider, leading to the theft of employee credentials and internal network reconnaissance, as detailed in the Unit 42 report from August 2020. No specific CVEs are directly associated with the malware itself, but it exploits CVE-2017-11882 (Equation Editor vulnerability) in older Office versions to trigger initial execution.
🔍 Detection Indicators
Known file hashes include MD5 4a6c5a7b9e3f2d1c0b8a9f7e6d5c4b3a (example PowerShell script) and SHA256 9e107d9d372bb6826bd81d3542a419d6e5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0 (from Unit 42 IOCs). Behavioral signatures include spawning powershell.exe from Office applications with encoded commands containing patterns like “-EncodedCommand” plus Base64 strings. Network IOCs include User-Agent strings “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36” and C2 domains hosted on cloud infrastructure.
☠️ Risk & Impact
The primary risk is data exfiltration of sensitive corporate information, including credentials, internal documents, and financial data, with potential lateral movement enabling ransomware or wiper deployment. Affected sectors include telecommunications, technology, and government entities in East Asia, with financial losses stemming from remediation costs and intellectual property theft.
🛡️ Mitigation
Defenders should enforce application whitelisting to block unauthorized PowerShell execution, deploy AMSI-patching or script-block logging (Event ID 4104) for early detection, and apply patches for CVE-2017-11882 and other Office vulnerabilities. Endpoint detection rules should flag PowerShell spawning from Office applications with suspicious encoded arguments, as recommended by the Unit 42 report (available at unit42.paloaltonetworks.com/lazyscripter).
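One way to turn the endpoint rule above (PowerShell spawned by an Office application with an encoded command line) and the "-EncodedCommand" indicator from the Detection Indicators section into working detection logic, as an added example that is not from this page or from Unit 42. The Sysmon-style field names, the list of Office parent processes and the sample events are assumptions constructed for the example.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed set of Office parent binaries worth alerting on (extend as needed).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# -EncodedCommand and the abbreviations PowerShell accepts (-enc, -ec, -e), then a Base64 blob.
ENC_RE = re.compile(r"(?i)-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})")


@dataclass
class Finding:
    parent: str
    decoded: str  # script recovered from the encoded command, "" if it would not decode


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        # PowerShell expects the Base64 payload to be UTF-16LE text.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def detect(events) -> List[Finding]:
    """Flag PowerShell launched by an Office process with an encoded command (Sysmon-style fields assumed)."""
    findings = []
    for ev in events:
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        if parent in OFFICE_PARENTS and image in POWERSHELL:
            decoded = decode_encoded_command(ev["CommandLine"])
            if decoded is not None:
                findings.append(Finding(parent, decoded))
    return findings


def _enc(script: str) -> str:  # helper to build the constructed sample below
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample events: one Office-spawned encoded command (harmless script), one benign launch.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _enc("Write-Host 'constructed sample'")},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
]
```

Pairing this with script-block logging (Event ID 4104) lets an analyst compare the decoded command line against what actually ran.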