Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

New ‘LazyScripter’ Hacking Group Targets Airlines

A recently identified threat actor that remained unnoticed for roughly two years appears focused on the targeting of airlines that are using the BSPLink financial settlement software made by the International Air Transport Association (IATA), cybersecurity firm Malwarebytes reported on Wednesday.

A recently identified threat actor that remained unnoticed for roughly two years appears focused on the targeting of airlines that are using the BSPLink financial settlement software made by the International Air Transport Association (IATA), cybersecurity firm Malwarebytes reported on Wednesday.

Initially identified in December 2020, the threat actor is targeting IATA and airlines, with the most recent attacks employing a phishing lure mimicking the newly introduced IATA ONE ID (Contactless Passenger Processing tool).

Dated 2018, one of the earliest attacks attributed to the adversary, which Malwarebytes refers to as LazyScripter, was aimed at individuals looking to immigrate to Canada. Over time, the group evolved its toolset from PowerShell Empire to the Koadic and Octopus RATs, and used LuminosityLink, RMS, Quasar, njRat and Remcos RATs in between.

The phishing emails used in these attacks used the same loader to drop both Koadic and Octopus. Referred to as KOCTOPUS, it was preceded by Empoder, a loader for PowerShell Empire.

IATA- or job-related themes were typically used as lures, but additional lures were also observed: IATA security, IATA ONE ID, user support kits for IATA users, BSPlink Updater or Upgrade, Tourism (UNWTO), COVID-19, Canada skill worker program, Canada Visa, and Microsoft Updates.

The phishing emails carry either archive or document files containing a variant of a loader. The malicious tools were mainly hosted using two GitHub accounts, both deleted on January 12 and 14, 2021, respectively, with a new account being created on February 2.

The latest campaign launched by the threat actor was spotted on February 5, with a variant of KOCTOPUS being delivered, masquerading as BSPLink Upgrade.exe. In addition to Octopus and Koadic, the loader also delivered a variant of Quasar RAT.

Malwarebytes’ researchers have identified 14 malicious documents that the threat actor has used since 2018, all carrying embedded objects that are variants of the KOCTOPUS or Empoder loaders.

Advertisement. Scroll to continue reading.

To date, the researchers have identified four different versions of the KOCTOPUS loader, used to load Octopus, Koadic, LuminosityLink, RMS, and Quadar RATs.

The Koadic RAT is known to have been previously used by the Iran-linked Muddy Water and Russia-linked APT28 threat actors. Malwarebytes was able to identify some similarities between the activities of LazyScripter and Muddy Water, but also a series of differences that resulted in the tracking of this group separately.

Related: Elusive Lebanese Threat Actor Compromised Hundreds of Servers

Related: Chinese Threat Actor ‘Mustang Panda’ Updates Tools in Attacks on Vatican

Related: U.S. Shares Information on North Korean Threat Actor ‘Kimsuky’

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.