Orz is a malware family used to compromise and control computer systems. It reaches victims through suspicious downloads, emails, or websites, usually without the user noticing, and once running it can steal personal information, disrupt operations, or hold data hostage for ransom. Cyber actors have used the malware since 2014, primarily as a backdoor whose job is to decrypt and execute another JavaScript backdoor. Some versions of the Orz backdoor carry embedded 32- and 64-bit DLLs, stored inside the script as base64 strings; these DLLs decrypt and execute the final JavaScript backdoor, “Orz”.
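The base64-embedded DLLs described above lend themselves to a simple static check that a defender can run over suspicious scripts. The Python scanner below is an added example, not code from this page or from any reporting on Orz: it finds long base64 runs in a script, decodes them, and reports any that decode to a PE image, telling 32-bit from 64-bit by the IMAGE_FILE_HEADER.Machine field. The sample script and the minimal PE stubs it contains are constructed here for illustration only and are not Orz samples; the function names are this example's own.

```python
import base64
import binascii
import re
import struct

# Long runs of base64 alphabet characters; DLLs stored as base64 strings
# inside a script show up as runs far longer than this threshold.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

# IMAGE_FILE_HEADER.Machine values for the two architectures named on the page.
_MACHINE = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}


def classify_pe(blob: bytes):
    """Return the architecture label if `blob` looks like a PE image, else None.

    Checks the DOS 'MZ' magic, follows e_lfanew to the 'PE\\0\\0' signature and
    reads the IMAGE_FILE_HEADER.Machine value that immediately follows it.
    """
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if e_lfanew + 6 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", blob, e_lfanew + 4)
    return _MACHINE.get(machine, f"unknown machine 0x{machine:04x}")


def find_embedded_pe(script: bytes):
    """Scan script bytes for base64 runs that decode to PE images.

    Returns a list of (offset_in_script, decoded_length, architecture) tuples,
    in order of appearance.
    """
    hits = []
    for m in _B64_RUN.finditer(script):
        run = m.group(0)
        if b"=" not in run:
            # Unpadded run: drop a trailing partial quantum so decoding can succeed.
            run = run[: len(run) // 4 * 4]
        try:
            decoded = base64.b64decode(run, validate=True)
        except binascii.Error:
            continue  # malformed base64 (bad padding or length); skip the run
        arch = classify_pe(decoded)
        if arch is not None:
            hits.append((m.start(), len(decoded), arch))
    return hits


def _fake_pe(machine: int) -> bytes:
    """Constructed stand-in for a PE image (headers only), used by the sample below."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)        # e_lfanew points just past it
    hdr += b"PE\0\0" + struct.pack("<H", machine)  # PE signature + Machine
    hdr += b"\0" * 58                              # rest of the file header, zeroed
    return bytes(hdr)


# Constructed sample script: two embedded "DLLs" plus one long base64 text blob
# that must not be reported as a PE.
SAMPLE_SCRIPT = (
    b'var dll32 = "' + base64.b64encode(_fake_pe(0x014C)) + b'";\n' +
    b'var dll64 = "' + base64.b64encode(_fake_pe(0x8664)) + b'";\n' +
    b'var note = "' + base64.b64encode(b"not a PE, just a long text blob " * 4) + b'";\n'
)

if __name__ == "__main__":
    for offset, size, arch in find_embedded_pe(SAMPLE_SCRIPT):
        print(f"offset {offset}: {size}-byte PE image, {arch}")
```

The check deliberately stops at the PE signature and Machine field rather than parsing the whole image: that is enough to triage a script for embedded executables, and anything flagged can then be carved and handed to a proper PE parser or sandbox. Real loaders may split the base64 across concatenated string literals, so a production rule should also normalise string concatenation before matching.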
The Orz malware communicates with its command and control (CnC) servers, through which it sends passwords and other sensitive information back to the attackers. This communication is covered by the Emerging Threats Pro signatures ETPRO TROJAN Orz JavaScript Backdoor, signature IDs 2828317 and 2828316. In addition, a secondary C2 was identified in December 2014, underlining how long this malware has been in use. A snippet of the Orz backdoor code was also found delivered by a Microsoft Publisher document, one of the several delivery techniques employed.
Orz is part of a larger set of tools used by TEMP.Periscope, a group suspected of Chinese origin, which also includes AIRBREAK, Cobalt Strike, the SeDll JavaScript loader, and the MockDll DLL loader. TEMP.Periscope shares significant overlaps in targeting and in tactics, techniques, and procedures (TTPs) with TEMP.Jumper, a group that in turn overlaps significantly with public reporting on “NanHaiShu.” In recent activity, TEMP.Periscope has drawn on a relatively large library of shared malware, including Orz, indicating coordinated and well-resourced operations.
Description last updated: 2024-05-04T20:46:07.404Z