Welcome to the VB2021 conference!


LazyScripter: from Empire to double RAT

Hossein Jazi (Malwarebytes)
In February 2021 we identified a new APT group, which we named LazyScripter, that has been active since at least 2018. This actor has mainly used small-scale spam campaigns to infect its victims, distributing a variant of its loader that we named KOCTOPUS.

KOCTOPUS has usually been embedded in ZIP or document files to weaponize the spam emails, and it comes in one of the following formats: batch, VBScript, Reg file or executable. The batch variant of this loader has been obfuscated using a batch encryption tool.

KOCTOPUS has deployed two multi-stage open-source RATs: OCTOPUS and Koadic. As the next stage, the actor has usually used the Koadic stager to drop a commercially available RAT such as NjRat, LuminosityLink, Quasar, Remcos, RMS, NetWire or Adwind Rat.

The primary targets of this actor are airlines and people looking for jobs. The actor has used several different lures to target airlines such as:
  • International Air Transport Association security (IATA security).

  • BSPlink update or upgrade (BSPlink is the global interface for travel agents and airlines to access the IATA Billing and Settlement Plan).

  • IATA ONE ID (ONE ID is a fairly new concept introduced by IATA for contactless identity management that leverages biometric technology).

  • User support kits for IATA users.


Besides those primary targets, we have also observed LazyScripter using other lures to target other victims around the world. For example, we have seen Canadian immigration, Microsoft updates, tourism (UNWTO) and bank transfer confirmations used as spam lures.

Like most of the APTs that have taken advantage of Covid-19 to target victims during the pandemic, this actor has also spoofed a World Health Organization (WHO) email address and operated several spam campaigns pretending to provide recommendations to the victim.

The actor has some similarities with known threat actors such as APT28, OilRig and MuddyWater. For example, like APT28 and MuddyWater it has used the Koadic open-source RAT in its campaigns, and like OilRig it has used batch2exe to convert batch files to executables. However, it differs substantially from all of these actors, so we decided to track it as a new actor, LazyScripter. Since the TTPs used by LazyScripter are commonly used by Middle Eastern APT groups, we believe this actor originates from the Middle East.

In this talk, we present an in-depth analysis of the tactics, techniques, procedures and infrastructure employed by this actor group. We also discuss the attribution of this actor and its similarities with other known actors such as MuddyWater, OilRig, TransparentTribe and APT28.
Hossein Jazi
Malwarebytes

Hossein Jazi is a Senior Threat Intelligence Analyst at Malwarebytes. He is an active researcher whose research interests include APT tracking, malware analysis and cyber threat intelligence. Currently his focus is on tracking APT campaigns as well as developing machine-learning-based models to attribute threat actors. He has been specialising in cybersecurity and APT analysis for over 10 years.