New 'LazyScripter' APT group targets IATA, airlines

Security researchers at Malwarebytes released a new report detailing activities of a recently identified threat actor that has been targeting the International Air Transport Association (IATA) and airlines since at least 2018.

Referred to as 'LazyScripter', the group's primary goal appears to be gathering information and intelligence from victims. Malwarebytes said it discovered a targeted spam campaign in December 2020 that used phishing lures aimed at individuals seeking immigration to Canada for employment. The observed phishing emails contained either VBScript or batch files that delivered two open-source multi-stage Remote Access Trojans (RATs) named Octopus and Koadic, and in some cases other RATs such as LuminosityLink, RMS, Quasar, njRat and Remcos.

In addition to job seekers, LazyScripter was also observed targeting the International Air Transport Association (IATA) and airlines that use the BSPLink software. In the latest attacks the threat actor switched to new phishing lures related to a feature recently introduced by IATA called IATA ONE ID (a contactless passenger processing tool), suggesting that the LazyScripter group continually updates its toolset to target new systems developed by IATA.

The researchers said that LazyScripter is not as sophisticated as other Advanced Persistent Threat (APT) groups and mostly relies on open-source and commercially available RATs in its campaigns.

The latest campaign was observed on Feb 5th, 2021, in which the actor distributed a variant of KOCTOPUS masquerading as "BSPLink Upgrade.exe" and managed to drop a variant of Quasar RAT in addition to OCTOPUS and Koadic.

For command and control (C&C) operations, LazyScripter relies on dynamic DNS providers, registering dynamic DNS domains for its C&C communications.

The Koadic RAT is known to have been used in the past by the Iran-linked MuddyWater and Russia-linked APT28 threat actors. Despite some similarities between LazyScripter and other known APT groups, Malwarebytes believes that LazyScripter is a separate group, based on several major differences in the threat actors' operations.

"In terms of used infrastructure, we have seen several APT groups that have used dynamic DNS for their C&C communications, including Scarlet Mimic, Putter Panda, Turla, Patchwork and APT33. More specifically, Scarlet Mimic and Putter Panda have used the same free DNS provider, "firewall-gateway.net", for their C&C communications. Still, we have not found any other similarities between these APTs and the actor we analyzed in this report, except using a free DNS provider, which is not reliable in the attribution process," the researchers said.
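Because the only infrastructure trait the report ties to LazyScripter is its use of free dynamic DNS zones for C&C, the practical defender takeaway is to watch internal DNS resolver logs for queries under such zones. The following is an added example written for this article, not code from Malwarebytes or from the report: it scans constructed resolver log lines for hostnames that fall under a watch-list of dynamic DNS parent zones and groups the hits per internal client. Only "firewall-gateway.net" comes from the article; the other zones in the list and the log line format are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Dynamic DNS parent zones to watch. "firewall-gateway.net" is named in the
# Malwarebytes report; the others are well-known public dynamic DNS services
# added here as an assumed watch-list, not taken from the report.
DYNAMIC_DNS_ZONES = {
    "firewall-gateway.net",
    "duckdns.org",
    "ddns.net",
    "hopto.org",
}

# Assumed resolver log format (constructed for this example):
#   <timestamp> client=<ip> query=<qname> type=<qtype>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<qname>\S+)\s+type=(?P<qtype>\S+)"
)

# Constructed sample log. Lines 2 and 3 are the same dynamic DNS host (one with
# upper case and a trailing dot); line 4 only embeds the zone name as a prefix
# and must NOT match; line 6 is malformed and is skipped.
SAMPLE_LOG = """\
2021-02-05T10:12:01Z client=10.0.0.5 query=www.example.com type=A
2021-02-05T10:12:07Z client=10.0.0.5 query=update-srv.firewall-gateway.net type=A
2021-02-05T10:12:09Z client=10.0.0.5 query=UPDATE-SRV.firewall-gateway.net. type=A
2021-02-05T10:13:44Z client=10.0.0.9 query=firewall-gateway.net.cdn.example.com type=A
2021-02-05T10:14:02Z client=10.0.0.9 query=mail.duckdns.org type=A
this line is not a resolver record
2021-02-05T10:15:30Z client=10.0.0.12 query=notfirewall-gateway.net type=A
"""


def dynamic_dns_zone(qname):
    """Return the watch-listed zone that qname is equal to or a subdomain of, else None.

    The comparison is on whole labels (qname == zone or qname ends with "." + zone),
    so "firewall-gateway.net.cdn.example.com" and "notfirewall-gateway.net" do not match.
    """
    name = qname.lower().rstrip(".")
    for zone in DYNAMIC_DNS_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def find_dynamic_dns_queries(log_text):
    """Parse resolver log lines and return the queries that fall under a watched zone."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line
        zone = dynamic_dns_zone(m["qname"])
        if zone is None:
            continue
        hits.append({
            "ts": m["ts"],
            "client": m["client"],
            "qname": m["qname"].lower().rstrip("."),
            "zone": zone,
        })
    return hits


def summarize_by_client(hits):
    """Group hits per internal client: which dynamic DNS hostnames it resolved and how often."""
    summary = defaultdict(lambda: defaultdict(int))
    for h in hits:
        summary[h["client"]][h["qname"]] += 1
    return {client: dict(names) for client, names in summary.items()}


if __name__ == "__main__":
    for client, names in summarize_by_client(find_dynamic_dns_queries(SAMPLE_LOG)).items():
        for qname, count in names.items():
            print(f"{client} resolved {qname} {count}x")
```

A hit on a dynamic DNS zone is a triage lead rather than a verdict, since legitimate remote-access and hobbyist services use the same providers; the per-client summary is meant to be joined with process or proxy telemetry (for example, which binary on the host initiated the connection) before escalating.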