Security research by Malwarebytes uncovered a new threat group targeting the members of the International Air Transport Association (IATA), multiple airlines, and several individuals who are planning to emigrate to Canada for jobs. Dubbed “LazyScripter,” the hacking group is leveraging unusual phishing tactics and tools to target the victims.
Active since 2018, Malwarebytes discovered LazyScripter operators in December 2020. The research report suggests that LazyScripter deployed Powershell Empire on victims’ devices using a payload known as Emploader. However, the threat actors recently switched to Octopus and Koadic, which are installed using Kocktopus payload.
LazyScripter’s Phishing Baits
The operators behind LazyScripter used several techniques to trick users into clicking or downloading malicious URLs or attachments to infect their devices. The main intention of LazyScripter operators is to pilfer critical information and intelligence from the targeted victims. The phishing baits used by these actors include:
- IATA security (International Air Transport Association security)
- BSPlink Updater or Upgrade (BSPlink is the global interface for travel agents and airlines to access the IATA Billing and Settlement Plan (BSP)).
- IATA ONE ID
- User support kits for IATA users
- Tourism (UNWTO)
- COVID-19 related information
- Microsoft Updates
- Job information
- Canada skill worker program
- Canada Visa (CanadaVisa.com is the online presence of the Campbell Cohen Immigration Law Firm)
Malwarebytes’ researchers found 14 malicious documents used by the threat actors’ group since 2018, which carried embedded objects that are variants of the KOCTOPUS or Empoder payloads.
“We were able to collect some of the spam emails used by this actor over the past two years. In these spam emails, the actor used several methods to redirect the user to download a variant of KOCTOPUS. The latest campaign was spotted on February 5, 2021, in which the actor was distributing a variant of KOCTOPUS pretending to be ‘BSPLink Upgrade.exe’ and managed to drop a variant of Quasar Rat in addition to OCTOPUS and Koadic. Before that we have spotted another campaign on Jan 6th, 2021 in which the actors were distributing a variant of KOCTOPUS pretending to be ‘IATA ONE ID.exe’ software,” Malwarebytes said.