
This cybercriminal group uses rudimentary tactics, yet it remains effective.


Cybersecurity researchers from Positive Technologies Expert Security Center (PT ESC) recently identified a previously unknown threat actor, which they named Lazy Koala. Despite the group's lack of sophistication, its attacks have been highly effective.

The attackers primarily target enterprises in Russia and six Commonwealth of Independent States countries: Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia. Their victims typically work in government agencies, financial organizations, and educational institutions, and the group's focus is on obtaining login credentials for various services.

Exfiltration via Telegram

According to the research findings, Lazy Koala has compromised nearly 900 accounts so far. The exact purpose of the stolen information remains uncertain; the researchers suspect the group is either selling it on the dark web or using it as a foothold for more sophisticated and damaging attacks.

The group's attacks rely on convincing phishing lures, often written in the local language, that trick targets into downloading and executing a malicious attachment. The attachment carries what the researchers describe as a "primitive password stealer malware" that collects credentials and files from the compromised system.

The malware exfiltrates the stolen data through Telegram bots. The person operating these bots goes by the name Koala, which is where PT ESC took the group's name from.

Denis Kuvshinov, Head of Threat Analysis at PT ESC, highlighted Lazy Koala’s distinctive approach, stating, “The calling card of the new group is this: ‘harder doesn’t mean better.’ Lazy Koala doesn’t bother with complex tools, tactics, and techniques, but they still get the job done.”

Kuvshinov further emphasized that once the malware is established on a compromised device, the stolen data is sent out via Telegram, a service that attackers commonly abuse for exfiltration. PT ESC has notified the affected parties, noting that the information stolen in this campaign is likely to be traded on the dark web.
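The Telegram exfiltration path described above is attractive to an attacker precisely because it looks mundane: an HTTPS POST to api.telegram.org from a well-known domain, with no attacker-owned infrastructure to register or burn. It is also detectable for the same reason, because every Bot API call embeds the bot token in the URL path (`/bot<id>:<secret>/<method>`), and a workstation process that is not the Telegram client has little reason to call `sendDocument` or `sendMessage`. The script below is an added example of that detection logic, not PT ESC's code or any Lazy Koala artifact. The proxy log format, host and process names, and bot tokens are all constructed for the demo; adapt `parse_proxy_line()` to your proxy's real schema.

```python
"""Flag Telegram Bot API exfiltration in outbound web-proxy logs.

Added example for illustration; not PT ESC's code. The log format,
hosts, process names and bot tokens below are constructed (assumed).
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Bot API requests are always https://api.telegram.org/bot<token>/<method>.
# A token is "<numeric bot id>:<secret>" (the secret is 35 chars in
# practice); the secret length is matched loosely so a slight format
# change does not evade the rule.
BOT_PATH = re.compile(
    r"^/bot(?P<bot_id>\d{6,12}):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)$"
)

# Methods that carry data *out* of the host. getUpdates and friends only
# pull operator commands and are not exfiltration on their own.
EXFIL_METHODS = frozenset(
    {"sendMessage", "sendDocument", "sendPhoto", "sendMediaGroup", "sendAudio", "sendVideo"}
)


@dataclass(frozen=True)
class Alert:
    host: str
    process: str
    method: str
    bot_id: str
    bytes_out: int


def parse_proxy_line(line):
    """Parse one constructed log line: ts host process verb url bytes_out."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, host, process, verb, url, bytes_out = parts
    try:
        return {"ts": ts, "host": host, "process": process, "verb": verb,
                "url": url, "bytes_out": int(bytes_out)}
    except ValueError:
        return None


def detect_telegram_exfil(lines, allowed_processes=frozenset()):
    """Return an Alert for each outbound Bot API 'send*' call made by a
    process not on the allowlist. The allowlist is for known automation
    (e.g. an ops alerting bot). The official Telegram desktop client speaks
    MTProto rather than the Bot API, so it never needs allowlisting here."""
    alerts = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        u = urlparse(rec["url"])
        if u.hostname != "api.telegram.org":
            continue
        m = BOT_PATH.match(u.path)
        if m is None or m.group("method") not in EXFIL_METHODS:
            continue
        if rec["process"] in allowed_processes:
            continue
        alerts.append(Alert(rec["host"], rec["process"], m.group("method"),
                            m.group("bot_id"), rec["bytes_out"]))
    return alerts


def bytes_per_bot(alerts):
    """Aggregate bytes sent per bot id. The numeric id (not the secret) is
    the stable indicator to pivot on across hosts and to report for takedown."""
    totals = {}
    for a in alerts:
        totals[a.bot_id] = totals.get(a.bot_id, 0) + a.bytes_out
    return totals


# Constructed sample proxy log (not real traffic; tokens are fake).
SAMPLE_PROXY_LOG = """\
2024-04-01T09:12:03Z ws-042 winword.exe GET https://update.example.com/check 312
2024-04-01T09:12:09Z ws-042 svchost_update.exe POST https://api.telegram.org/bot1234567890:AAFxAbCdEfGhIjKlMnOpQrStUvWxYz01234/sendDocument 48211
2024-04-01T09:13:11Z ws-017 Telegram.exe POST https://api.telegram.org/bot1234567890:AAFxAbCdEfGhIjKlMnOpQrStUvWxYz01234/getUpdates 201
2024-04-01T09:14:50Z ws-099 powershell.exe POST https://api.telegram.org/bot9876543210:AAGzYxWvUtSrQpOnMlKjIhGfEdCbA987654/sendMessage 1450
2024-04-01T09:15:02Z srv-monitor alertbot.py POST https://api.telegram.org/bot5555555555:AAH00000000000000000000000000000000/sendMessage 220
"""

if __name__ == "__main__":
    found = detect_telegram_exfil(SAMPLE_PROXY_LOG.splitlines(),
                                  allowed_processes={"alertbot.py"})
    for a in found:
        print(f"{a.host} {a.process} -> bot {a.bot_id} {a.method} ({a.bytes_out} bytes)")
    print("bytes per bot:", bytes_per_bot(found))
```

Two practical notes. First, this only works where TLS is terminated or at least the full URL is logged at the proxy; with SNI-only visibility you can still alert on api.telegram.org connections from processes other than the Telegram client, just with less precision. Second, the bot id recovered from the path is worth keeping in the incident record: the same bot tends to be reused across victims, so it links hosts that were hit by one campaign.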
