The Group’s Discovery
The new threat group was discovered by Malwarebytes researchers while analyzing phishing emails targeting individuals looking for work in Canada. Further investigation led researchers to discover that the group had been active since 2018 but had remained unidentified. Initially, researchers tried to attribute the group’s activities to known APT groups but found this was not possible. “In terms of attribution, it’s hard to really attribute this group to any known groups,” said Hossein Jazi, senior threat intelligence analyst at Malwarebytes. “Even though some similarities between this actor and documented APT actors such as APT28 and OilRig exist, these indicators are not enough to attribute to any of these groups,” Malwarebytes states in its report on LazyScripter. Consequently, the researchers decided they had discovered a new APT group, which they nicknamed LazyScripter.
LazyScripter’s Origins
APT groups are usually tracked according to their targets and the type of tools and methods they use. Researchers found that LazyScripter resembled the threat actors OilRig, APT28 (aka Fancy Bear) and MuddyWater, but not closely enough. LazyScripter is like the Iranian group OilRig and the Russian group APT28 inasmuch as it uses similar malware. Of the three threat actors, however, LazyScripter was found to be most like the Iranian APT group MuddyWater. Nevertheless, unlike MuddyWater, LazyScripter does not conduct targeted campaigns, relying on spam to reach its victims instead. Furthermore, the malware used by LazyScripter has not been used by MuddyWater in the past. LazyScripter uses widely available toolsets, whereas MuddyWater uses custom malware tools in its operations. Nonetheless, due to its similarities to the two Middle Eastern actors, Jazi stated that “there is a high chance that the actor is based in the Middle East.”
The Group’s Motives
LazyScripter’s targeted spam campaign is believed to date back to at least 2018. Its targets are mainly the International Air Transport Association, airlines and individuals looking to move to Canada for work. The group’s motive appears to be stealing private information and business intelligence for use in future targeted attacks. The group attacks its victims with phishing emails, which typically contain malicious documents and ZIP archives. Usually the attached documents are PDF, Microsoft Word or Excel files that contain one or two embedded objects. These objects link to GitHub, from which two open-source multistage RATs, Octopus and Koadic, are downloaded and deployed onto victims’ systems. Koadic is a publicly available Windows post-exploitation and penetration testing tool. Octopus is a Windows Trojan that, among other things, enables data theft. As well as phishing emails targeting the airline industry, the group has sent emails on other themes. These have included emails related to BSPLink (a financial settlement service many airlines use), COVID-19 and Microsoft updates. Tourism- and visa-related phishing emails were also sent. In one phishing campaign, LazyScripter used a legitimate Canadian immigration website to lure its victims in.
LazyScripter Relies on Open-Source Toolsets
According to Jazi, Malwarebytes’ study of LazyScripter has revealed that it is not as sophisticated as other threat groups. Unlike more sophisticated APT groups like Lazarus and Palmerworm, LazyScripter does not develop its own custom malware. Instead, it relies on already available software. “What was interesting about this actor is how much it is really relying on open source and commercially available toolsets to operate,” Jazi stated. Malwarebytes researchers also found that LazyScripter has changed its main toolset over the years. Up until 2020, the group used the commercially available PowerShell Empire to break into its victims’ systems. This was installed using the loader Malwarebytes calls Empoder. Recently, however, LazyScripter switched to a double RAT toolset comprising Octopus and Koadic. This toolset is installed with a new loader that Malwarebytes has called Koctopus.