Positive Technologies Expert Security Center (PT ESC) discovered a new cybergroup called Lazy Koala. Experts confirm that the criminals use simple but effective attack techniques. Victims of the group include organizations from Russia and six CIS countries, with approximately 867 employee accounts compromised to date.
As part of the threat research, PT ESC specialists discovered a series of attacks aimed at organizations in Russia, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia. Government and financial organizations, as well as medical and educational institutions, were the main targets. Positive Technologies specialists notified affected organizations that they were compromised.
Research shows that the attackers' main goal was to steal accounts to various services from government organization employee computers. The next step was likely use this information in further attacks on the internal structures of the organizations. Stolen data can also be sold on the dark web cyber services market.
Behind the attacks is a previously unknown group that experts have dubbed Lazy Koala because of its basic techniques and the username. Koala of the person managing the Telegram bots with stolen data. Researchers were unable to establish connections with already known groups using the same techniques.
"The calling card of the new group is this: 'harder doesn't mean better.' Lazy Koala doesn't bother with complex tools, tactics, and techniques, but they still get the job done. Their main weapin is a primative password stealer malware that we assume is distributed using basic phishing. The scammers convince victims to open an attachment and launch the file in the browser. For each country, the attachment is even in the local language. After establishing itself on the infected device, the malware exfiltrates the stolen data using Telegram, a favorite tool among attackers," shares Denis Kuvshinov, Head of Threat Analysis, Positive Technologies Expert Security Center. "We notified the victims and believe that the fate of the stolen data is resale and use in subsequent attacks on the internal structures of organizations."
Phishing remains one of the main ways for attackers to penetrate infrastructure. Users are advised not to open suspicious messages or follow unknown links. Don't download software from suspicious sites and torrents; instead, use licensed versions from trusted sources. Employees should be kept informed of all the latest phishing techniques and scams.
These attacks can be detected using specialized security tools, while attack analysis and prevention should involve cyber incident investigation professionals.
MaxPatrol SIEM can detect the key event of data theft with the Credential_Access_to_Passwords_Storage rule, and the previous stages (phishing and data transfer) using the Run_Masquerading_Executable_File and Suspicious_Connection rules. The PT NAD network traffic behavioral analysis system helps detect calls to the Telegram API using the "tls.server_name == "api.telegram.org"" filter and set convenient notifications about them. If a new host starts accessing the Telegram API, PT NAD will send a notification to the SOC operator. PT Sandbox detects the actions of this APT group using a rule written specifically for them: a behavioral analysis verdict of Trojan-PSW.Win32.LazyStealer.n. Similar attacks can also be detected using endpoint protection systems such as MaxPatrol EDR.
