Positive Technologies Expert Security Centre (PT ESC) has discovered a new cybergroup called Lazy Koala whose victims include organisations from Russia and six CIS countries, with approximately 867 employee accounts compromised to date.

 

As part of the threat research, PT ESC specialists discovered a series of attacks aimed at organisations in Russia, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia. Government and financial organisations, as well as medical and educational institutions, were the main targets. Positive Technologies specialists notified affected organisations that they were compromised. 

 

Research shows that the attackers' main goal was to steal accounts to various services from government organisation employee computers. The next step was likely use of this information in further attacks on the internal structures of the organisations. Stolen data can also be sold on the dark web cyber services market.

 

Basic techniques

Behind the attacks is a previously unknown group that experts have dubbed Lazy Koala because of its basic techniques and the username. Koala is the person managing the Telegram bots with stolen data. Researchers were unable to establish connections with already known groups using the same techniques.

 

"The calling card of the new group is this: 'harder doesn't mean better.' Lazy Koala doesn't bother with complex tools, tactics, and techniques, but they still get the job done. Their main weapon is a primitive password stealer malware that we assume is distributed using basic phishing. The scammers convince victims to open an attachment and launch the file in the browser. For each country, the attachment is even in the local language. After establishing itself on the infected device, the malware exfiltrates the stolen data using Telegram, a favorite tool among attackers," shares Denis Kuvshinov, Head of Threat Analysis, Positive Technologies Expert Security Centre. "We notified the victims and believe that the fate of the stolen data is resale and use in subsequent attacks on the internal structures of organisations."

 

Phishing remains one of the main ways for attackers to penetrate infrastructure. Users are advised not to open suspicious messages or follow unknown links. Don't download software from suspicious sites and torrents; instead, use licensed versions from trusted sources. Employees should be kept informed of all the latest phishing techniques and scams.

 

Specialised security tools

These attacks can be detected using specialised security tools, while attack analysis and prevention should involve cyber incident investigation professionals. 

 

MaxPatrol SIEM can detect the key event of data theft with the Credential_Access_to_Passwords_Storage rule, and the previous stages (phishing and data transfer) using the Run_Masquerading_Executable_File and Suspicious_Connection rules. The PT NAD network traffic behavioural analysis system helps detect calls to the Telegram API using the "tls.server_name == "api.telegram.org"" filter and set convenient notifications about them. If a new host starts accessing the Telegram API, PT NAD will send a notification to the SOC operator. PT Sandbox detects the actions of this APT group using a rule written specifically for them: a behavioural analysis verdict of Trojan-PSW.Win32.LazyStealer.n. Similar attacks can also be detected using endpoint protection systems such as MaxPatrol EDR.--TradeArabia News Service