fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

LazyScripter Hackers Target Airlines With Remote Access Trojans

LazyScripter Hackers Target Airlines With Remote Access Trojans

Security researchers analyzing multiple sets of malicious emails believe they uncovered activity belonging to a previously unidentified actor that fits the description of an advanced persistent threat (APT).

The actor received the name LazyScripter and has been active since 2018, using phishing to target individuals seeking immigration to Canada for a job, airlines, and the International Air Transport Association (IATA).

The infrastructure supporting this long-term campaign is still active and the actor continues to evolve by updating its toolsets.

Using open-source projects

LazyScripter’s latest activity involves the use of the freely available Octopus and Koadic malware. Both were delivered through malicious documents and ZIP archives that contained embedded objects (VBScript or batch files) and not macro code commonly seen in phishing attacks.

Also Read: The 3 Main Benefits Of PDPA For Your Business

The researchers from Malwarebytes also found other examples where the attacker dropped other remote access trojans (RATs) that are common to multiple hacking groups: LuminosityLink, RMS, Quasar, njRat, and Remcos.

According to the researchers, LazyScripter switched to the double-RAT tactic after initially using the PowerShell Empire post-exploitation framework. The researchers named the loaders for these payloads KOCTOPUS and Empoder, respectively.

Typically, the malicious documents come with one or two embedded objects with icons pretending to be PDF, Microsoft Word/Excel files; they are, in fact, batch, executable, or VBScript variants of the KOCTOPUS and Empoder loaders.

Used to deploy Octopus and Koadic and ensure their persistence on the system, KOCTOPUS is highly obfuscated using the BatchEncryption tool.

The overall compromise process via KOCTOPUS involves bypassing the User Account Control (UAC) security feature in Windows, disabling Microsoft security products, and downloading RMS or LuminosityLink RAT.

Hosting toolsets on GitHub

Interestingly, LazyScripter hosted their toolsets on GitHub, a tactic used in the past by an APT group associated with Iran.

Malwarebytes found three accounts linked to LazyScripter. Two of them – LIZySARA and Axella49 – have been deleted in January but a third one (OB2021) emerged at the beginning of the month, on February 2, and is still active.

Some of the email lures appear to be specifically designed for airlines that use the BSPLink software, IATA’s solution for its Billing and Settlement Plan (BSP), which allows companies to:

  • Manage collection and payments worldwide in a single process
  • Automate recovery of revenue reconciliation data through a single file transfer
  • Automate management of ADM/ACMs or refunds
  • Manage sales incentives with the complementary service Global Net Remit 5 through the same settlement process

Variety of lures

The lure changed recently, “to mimic a new feature recently introduced by IATA called IATA ONE ID (Contactless Passenger Processing tool),” Malwarebytes says in a detailed technical report today.

The company adds that this is an indication that the threat actor is adapting its toolset to target new systems developed by IATA. LazyScripter’s wider collection of lures includes the following:

IATA security (International Air Transport Association security)

• BSPlink Updater or Upgrade (BSPlink is the global interface for travel agents and airlines to access the IATA BSP)

• IATA ONE ID

• User support kits for IATA users

• Tourism (UNWTO)

• COVID-19

• Microsoft Updates

• Job information

• Canada skill worker program

• Canada Visa (CanadaVisa.com is the online presence of the Campbell Cohen Immigration Law Firm)

Also Read: What Do 4 Messaging Apps Get From You? Read The iOS Privacy App Labels

A timeline of LazyScripter’s phishing activity based on the various lures they used is available below:

For command and control (C2) communications, LazyScripter leverages five subdomains on four different shared domains hosted by free dynamic DNS providers Duck DNS and FreeDNS:

  1. kasperskylab.ignorelist.com
  2. hpsj.firewall-gateway.net
  3. googlechromeupdater.twilightparadox.com
  4. iatassl-telechargementsecurity.duckdns.org
  5. stub.ignorelist.com

Insufficient evidence for attribution

By using open-source post-exploitation tools and malware that is widely used in hacking activities by multiple actors, LazyScripter leaves few clues regarding attribution.

However, Malwarebytes notes that public research shows only two threat actors that have used the Koadic penetration testing tool in their campaigns: the Iranian-linked MuddyWater and the Russian APT28 (Fancy Bear/Sofacy/Strontium/Sednit).

The company says that they did not find a connection with APT28 but noticed similarities with MuddyWater in that their past campaigns used both Koadic and PowerShell Empire, and relied on GitHub to host their malicious toolset.

There are some aspects, though, that do not permit high-confidence attribution and prompted Malwarebytes to label LazyScripter as a new APT group:

  • MuddyWater’s campaigns are targeted while LazyScripter’s relies on spam to reach victims
  • none of the malware used in the LazyScripter campaigns have been associated with MuddyWater in the past
  • the use of embedded documents is not specific to MuddyWater, which typically uses the malicious macros
  • only widely-available tools have been used, while MuddyWater also employs custom tools in its operations

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us