October 10, 2021 — Eric Swotinsky

LazyScripter gang uses spam to distribute loaders, deploy RATs

At the VB2021 localhost cybersecurity conference, Hossein Jazi presented an analysis of a new threat actor dubbed LazyScripter. The cybercrime group has been using spam campaigns to distribute KOCTOPUS, a variant of their loader that deploys the Koadic and OCTOPUS remote access trojans (RATs).

LazyScripter has been primarily targeting airlines and job seekers, using phishing lures that claim to offer air transport security alerts, updates from travel organizations, and other information that could be seen as valuable to these two groups.

The loader updates registry keys to attain persistence on infected systems. It then installs additional RATs and backdoors, opening the victim machine up to the internet over specific ports. Such attacks could lead to stolen data, the installation of further malware payloads, and other malicious activity.
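The post mentions two things a defender can check on a suspect Windows host, registry persistence and newly listening ports, without naming the keys or ports involved. The following PowerShell script is an added example, not code from the Acronis post or from the VB2021 talk: it audits the common Run/RunOnce autorun locations (an assumption, since the post does not say which keys the loader touches), flags entries that launch script hosts or live in user-writable directories, and then lists listening TCP endpoints with their owning process so that an unexpected remote-access listener stands out.

```powershell
# Added example for triage of the behaviour described in the post.
# The autorun key list is an assumption; the post does not name the keys.
$autorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Heuristics worth a second look: script hosts and other built-in binaries
# commonly used to start loaders, and executables in user-writable paths.
$scriptHosts  = 'mshta|wscript|cscript|powershell|pwsh|rundll32|regsvr32|cmd\.exe'
$userWritable = '\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\|\\Public\\'

$autorunFindings = foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSDrive/... metadata the registry provider adds.
        if ($p.Name -like 'PS*') { continue }
        $value = [string]$p.Value
        $flags = @()
        if ($value -match $scriptHosts)  { $flags += 'script-host' }
        if ($value -match $userWritable) { $flags += 'user-writable-path' }
        [pscustomobject]@{
            Key   = $key
            Name  = $p.Name
            Value = $value
            Flags = ($flags -join ',')
        }
    }
}

Write-Host '== Autorun entries matching a heuristic =='
$autorunFindings | Where-Object { $_.Flags } | Format-Table -AutoSize

# Listening TCP endpoints with the owning process, to spot a RAT or backdoor
# that has opened a port. Compare against a known-good baseline of the host.
Write-Host '== Listening TCP endpoints =='
Get-NetTCPConnection -State Listen | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalAddress = $_.LocalAddress
        LocalPort    = $_.LocalPort
        PID          = $_.OwningProcess
        Process      = $proc.ProcessName
        Path         = $proc.Path
    }
} | Sort-Object LocalPort | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so that the HKLM keys and the process paths of services are readable; the heuristics are intentionally broad and will surface legitimate entries too, so the output is a triage list to compare against a baseline, not a verdict.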

The advanced behavioral detection engine in Acronis Cyber Protect detects and blocks the trojans used by LazyScripter, as well as other potential malware payloads — preventing attacks like these before they start.