Threat Management

New hacker group targets airlines, refugees with well worn tools


MalwareBytes reports a newly discovered threat group targeting the International Air Transport Association (IATA) members, airlines and refugees to Canada.

The group, nicknamed LazyScripter, uses an uncommon amount of publicly available tools in its efforts.

"What was interesting about this actor is how much it is really relying on open source and commercially available toolset to operate," Hossein Jazi, senior threat intelligence analyst at MalwareBytes, told SC Media.

LazyScriptor was first discovered in December, but appears to have been active since 2018. It uses .pdf files linking to malware stored on GitHub, bespoke loader programs to open a variety of well-known commodity malware.

Between 2018 and 2019, the group installed Powershell Empire on victims using a loader MalwareBytes is calling Emploader. Recently it switched to Octopus and Koadic installed with a loader Malwarebytes is calling Kocktopus.

The group used job and IATA related lures, as well as fake updates; immigration, tourism and visa related documents; and COVID-19 information to infect victims.

"In terms of attribution. It's hard to really attribute this group to any known groups," said Jazi. "We did a comparison; while we found some similarities between this actor and actors such as MuddyWater, OilRig, and APT 28, there are big differences" as well.

The connections to OilRig and APT 28 are largely in their use of similar commodity malware, which is not a strong connection. While Muddywater is the most similar, it is historically more adept at targeting victims, and uses custom tools LazyScripter has yet to utilize. OilRig and MuddyWater are both suspected to be Iranian groups while APT 28 is believed to be Russian.

A list of indicators of compromise is available on the MalwareBytes website. But Jazi also said relevant defenders should be on the lookout for GitHub traffic.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.