The LazyScripter group takes advantage of mass spam campaigns using automatically generated emails sent from spoofed or compromised email accounts. The lures are typically fairly generic, but with a sense of urgency, like “WG: VERY IMPORTANT” or “CIRCULAR / URGENT”.

Inside these emails will be a fairly generic email template asking the user to “install this attached application” or “install this attached KIT”, or even just tells the user they have new files for downloading. Attached will be either a pdf with a link leading to an encrypted zip file (password is in the PDF), or just the encrypted zip file with the password in the email. Inside the zip will be malware leading to the KOCTOPUS stager (either in maldoc or batch file form).

Binary Defense recommends being very careful when opening any vague but urgent emails with passwords for encrypted zip files found in the email.

Additionally, Binary Defense recommends employing a 24/7 SOC solution, such as Binary Defense’s Security Operations Task Force to better defend against threats like LazyScripter if they manage to trick an employee into opening one of the malicious payloads. Detecting unusual behavior on employee workstations and servers, with quick response from a trained security analyst is the best and last line of defense to prevent attackers from using an initial foothold to expand access and take over a domain.

Source article: https://www.bleepingcomputer.com/news/security/lazyscripter-hackers-target-airlines-with-remote-access-trojans/