LazyScripter: from Empire to double RAT
Looking for performance validation for your product?
https://www.virusbulletin.com/testing/Get an edge over your competitors with Virus Bulletin’s anti-malware & email security certification
programmes, supported by 30+ years of experience. Or take advantage of our bespoke testing service
offering valuable performance feedback for R&D. Email [email protected].
QI-ANXIN Technology Group Inc. Leader of New Generation Cybersecurity
https://ti.qianxin.com/marketing/vb2021/QI-ANXIN Technology Group Inc. offers next generation enterprise-class cybersecurity products
and services to government and businesses. QI-ANXIN is the Official Cyber Security Services and
Anti-Virus Software Sponsor of the Olympic and Paralympic Winter Games Beijing 2022.
Amazon Information Security - come build the future with us!
https://www.amazon.jobs/en-gb/team/infosecDo you want to work on privacy and security challenges at unprecedented scale?
We have Privacy and Information Security opportunities available now across
the United States, Dublin, Ireland, and Sydney, Australia.
Do you like doing work that matters to you… and really frustrates the bad guys?
https://talosintelligence.com/careersAt Talos, our mission is to make the internet a safer place and fight the good fight for our customers
and users. If you think you have the expertise and attitude to help lead the world in cutting-edge security,
we’d like to talk.
VirusTotal: Actionable crowdsourced threat intelligence
https://www.virustotal.com/Comprehensive context and cutting-edge functionality to proactively protect from cybersecurity threats.
Ransomware prevention starts with zero
https://www.zscaler.com/solutions/security-transformation/ransomware-protectionRansomware attacks are increasing 500% year-over-year.
Learn how Zscaler's Zero Trust Exchange helps minimize exposure, damage, and risk
at every stage of a ransomware attack.
We don’t just talk about sharing. We do it every day.
https://www.cyberthreatalliance.org/about-ctaLearn how to collaborate with the Cyber Threat Alliance to improve your overall cyber resilience.
We are a greater team when we work together; our collective efforts magnifies our success and
ensures that we are and remain cyber resilient.
Stay ahead of threats with VirusTotal
https://www.virustotal.com/Stay ahead of the next generation of threats and get relevant insights to solve
the most critical security challenges.
Calling all Hackers!
https://www.ise.io/careers/#op-470256-hacker-midseniorprincipalWe are hiring mid-senior-principal level hackers!
Remote option • Flex schedule • Unlimited vacation • Opportunities for research and publication
Farsight Security DNSDB® is the world's largest real-time and historical database of DNS resolutions
https://www.farsightsecurity.com/get-started-guide/DNSDB 2.0 introduces Flexible Search support, unlocking both Regular Expressions and Globbing syntaxes for more granular and accurate search results. Get your free DNSDB API key and use it in our newly updated
web GUI, DNSDB Scout as well as your own existing environments. Contextualize everything that is DNS related with one API key - DNSDB.
IoT security begins with your Smart TV
https://chomar.link/smarttvCHOMAR Smart TV Security.
Protect your Android Smart TV against malicious activities and use your IoT devices without any worries.
Threat Intelligence and Cyber Resilience
https://vblocalhost.com/programme/#TIPSJoin the VB2021 Threat Intelligence Practitioners' Summit (TIPS), sponsored by the Cyber Threat Alliance,
and learn how investment in threat intelligence builds cyber resilience, allowing you to be more effective
when addressing today's dynamic threat landscape.
F5 helps find malware hiding in plain sight
https://www.f5.com/company/blog/half-the-world-s-malware-is-now-encryptedEncrypted malware is becoming increasingly common, and daisy-chaining security devices is neither
cost-effective, nor efficient. Detecting and stopping malware doesn’t have to be overwhelming with
F5’s innovative products.
Downloads
KOCTOPUS has usually been embedded in Zip or document files to weaponize the spam emails and is in one of the following formats: batch, VBScript, Reg file or executable. The batch variant of this loader has been obfuscated using a batch encryption tool.
KOCTOPUS has deployed two multi-stage open-source RATs: OCTOPUS and Koadic. As the next stage the actor usually dropped a commercially available RAT such as NjRat, LuminosityLink, Quasar, Remcos, RMS, NetWire or Adwind Rat using Koadic stager.
The primary targets of this actor are airlines and people looking for jobs. The actor has used several different lures to target airlines such as:
- International Air Transport Association security (IATA security).
- BSPlink update or upgrade (BSPlink is the global interface for travel agents and airlines to access the IATA Billing and Settlement Plan).
- IATA ONE ID (ONE ID is a fairly new concept introduced by IATA for contactless identity management that leverages biometric technology).
- User support kits for IATA users.
Beside those primary targets, we also have observed that LazyScripter has used other lures to target other victims around the world. For example, we have observed Canadian immigration, Microsoft updates, tourism (UNWTO) and bank transfer confirmations being used as spam lures.
Like most of the APTs that have taken advantage of Covid-19 to target victims during the pandemic, this actor also has spoofed a World Health Organization (WHO) email and operated several spam campaigns pretending to provide recommendations to the victim.
The actor has some similarities with known threat actors such as APT28, OilRig and MuddyWater. As an example, like APT28 and MuddyWater it has used the Koadic open-source RAT in its campaigns, and similar to OilRig it has used batch2exe to convert batch files to executables. However, it has major differences with all of these actors and consequently we decided to track it as a new actor, LazyScripter. Since the TTPs used by LazyScripter are commonly used by Middle Eastern APT groups, we believe the origin of this actor is the Middle East.
In this talk, we present an in-depth analysis of the tactics, techniques, procedures and infrastructure employed by this actor group. Also, we talk about the attribution of this actor and its similarities with other known actors such as MuddyWater, OilRig, TransparentTribe and APT28.
Got a question about this presentation? To get in touch with the speaker, contact Hossein on Twitter at @h2jazi.
Hossein Jazi
MalwarebytesHossein Jazi is Senior Threat Intelligence Analyst at Malwarebytes. He is an active researcher whose research interests include APT tracking, malware analysis and cyber threat intelligence. Currently his focus is on tracking APT campaigns as well as developing machine-learning based models to attribute threat actors. He has been specialising in cybersecurity and APT analysis for over 10 years.