LazyScripter APT Description
Infosec researchers believe that they have managed to isolate the activity of a new APT (Advanced Persistent Threat) group that they have named LazyScript. It must be noted that LazyScript shares quite a lot of similarities with multiple already established APT groups, mainly those from the Middle East. For example, both LazyScript and MuddyWater have been observed as using the Empire and Koadic malware tools, PowerShell and GitHub as payload repositories. The Russian-based group known as APT28 (aka FancyBear) also has used the Koadic malware in the past. Besides, the methodology used by LazyScript to convert PowerShell scripts into executable files is the same as that of the OilRig APT.
There are enough unique aspects about LazyScript to justify establishing them as a separate entity. The group appears to have an extremely narrow set of targets - the International Air Transport Association (IATA), multiple other airline operators, and selected individuals that may be planning to move to Canada as part of government job-related programs. The aim of the hackers is to obtain sensitive information from their victims that can then be weaponized both as part of current activities and future operations. Another characteristic that sets LazyScript apart is the relatively lower sophistication in the malware toolset when compared to other ATP groups. Indeed, the threatening arsenal of LazyScript seems to be comprised mostly of open source or commercially available remote access tools without any custom-made RAT threats. So far LazyScript has been relying on the following malware threats:
- Octopus - open-source Windows RAT that can harvest and exfiltrate data, establish reconnaissance routines and conduct system profiling.
- Koadic - open-source tool used for penetration testing, delivering payloads and generating implants.
- LuminosityLink - RAT used for remote control over the infected systems and espionage activities
- Remcos - RAT that allows the attackers to establish full control over the compromised device
- KOCTUPUS - threatening loader tasked with initiating PowerShell Empire on the infected devices.
LazyScript's attacks begin with the dissemination of spam emails containing phishing lures to individuals of interest. The phishing emails may employ several different scenarios designed to attract the attention of the victim. The most used themes are closely connected to the targets of the hackers - the IATA, airlines, and travels to Canada as part of job-related programs. The hackers also have used baits linked to a financial settlement service named BSPLink, COVID-19, Microsoft updates, tourism, or Canadian worker-related programs. It has been confirmed that in one instance the hackers even employed a legitimate Canadian immigration website in their phishing scheme.