LazyScripter targets airlines and job seekers.
By Tim Nodar, staff writer, the CyberWire
Feb 24, 2021

LazyScripter targets airlines and job seekers.

Researchers at Malwarebytes are tracking a new threat actor dubbed “LazyScripter” that’s targeting airlines and job seekers with malware-laden phishing documents. 

Open-source RATs.

The threat actor is using the open-source remote access Trojans Octopus and Koadic, as well as LuminosityLink, RMS, Quasar, njRat, and Remcos. In every recent instance, the actor has used its own loader, which the researchers have named "KOCTOPUS." In the past, LazyScripter delivered PowerShell Empire via a loader dubbed "Empoder" before shifting to Octopus and Koadic. The actor uses GitHub to host its malware. It deleted two of its GitHub accounts in January 2021 before creating a new one on February 2nd.

Rather than using malicious macros in Office documents, the actor embeds executables, batch files, or VBScript files within the documents under the guise of PDF, Excel, or Word icons.

Phishbait ranges from job-seeking to COVID-19.

Beginning in August 2018, LazyScripter targeted people seeking immigration to Canada through job-seeking programs. The actor continued using job-related lures through January of 2020, then shifted to COVID-19-themed lures. The most recent activity, beginning in November 2020, targeted the International Air Transport Association (IATA) and airlines that use BSPLink, a software interface for accessing IATA's Billing and Settlement Plan. Notably, some recent phishing lures are related to IATA's new document-free passenger processing tool, IATA One ID, which the researchers say "indicates that this actor is constantly updating its toolsets to target new systems developed by IATA."

The researchers aren't sure why the threat actor is targeting these sectors specifically, but they say the attackers are conducting cyberespionage. "What we can say at this point is that the actor is trying to steal information and gather intelligence from the victims," said Hossein Jazi, Senior Threat Intelligence analyst at Malwarebytes. "Also, it is possible that the actor planned to steal this information for future targeted attacks or share with other actors."

Some code-sharing, but probably a new threat actor?

Malwarebytes notes that the only two threat actors known to have used the Koadic Trojan are Russia’s APT28 and the Iran-associated MuddyWater. The researchers say there are no other links to APT28, but there are some additional ties to MuddyWater. Specifically, LazyScripter and MuddyWater have both used Koadic and PowerShell Empire, both rely on scripting languages like PowerShell and JavaScript, and both have hosted their tools on GitHub.

Still, the researchers believe the differences between the two groups are significant enough to warrant LazyScripter being tracked as a new threat actor, and they don’t attribute the activity to any particular nation-state. In particular, they point to the fact that LazyScripter primarily relies on open-source tools that haven't been used by MuddyWater, while MuddyWater tends to use custom-made malware.

The researchers also observe that LazyScripter uses a free dynamic DNS provider for its command-and-control infrastructure. This DNS provider has been used by multiple Chinese, Iranian, and Russian threat actors, and by itself is insufficient for attribution.