LazyScripter hackers target airlines with remote access trojans


Security researchers analyzing multiple sets of malicious emails believe they uncovered activity belonging to a previously unidentified actor that fits the description of an advanced persistent threat (APT).

The actor received the name LazyScripter and has been active since 2018, using phishing to target individuals seeking immigration to Canada for a job, airlines, and the International Air Transport Association (IATA).

The infrastructure supporting this long-term campaign is still active and the actor continues to evolve by updating its toolsets.

LazyScripter’s latest activity involves the use of the freely available Octopus and Koadic malware. Both were delivered through malicious documents and ZIP archives that contained embedded objects (VBScript or batch files) and not macro code commonly seen in phishing attacks.

The researchers from Malwarebytes also found other examples where the attacker dropped other remote access trojans (RATs) that are common to multiple hacking groups: LuminosityLink, RMS, Quasar, njRat, and Remcos. [...]