A recently identified threat actor that remained unnoticed for roughly two years appears focused on the targeting of airlines that are using the BSPLink financial settlement software made by the International Air Transport Association (IATA), cybersecurity firm Malwarebytes reported on Wednesday.
Initially identified in December 2020, the threat actor is targeting IATA and airlines, with the most recent attacks employing a phishing lure mimicking the newly introduced IATA ONE ID (Contactless Passenger Processing tool).
Dated 2018, one of the earliest attacks attributed to the adversary, which Malwarebytes refers to as LazyScripter, was aimed at individuals looking to immigrate to Canada. Over time, the group evolved its toolset from PowerShell Empire to the Koadic and Octopus RATs, and used LuminosityLink, RMS, Quasar, njRat and Remcos RATs in between.
The phishing emails used in these attacks used the same loader to drop both Koadic and Octopus. Referred to as KOCTOPUS, it was preceded by Empoder, a loader for PowerShell Empire.
IATA- or job-related themes were typically used as lures, but additional lures were also observed: IATA security, IATA ONE ID, user support kits for IATA users, BSPlink Updater or Upgrade, Tourism (UNWTO), COVID-19, Canada skill worker program, Canada Visa, and Microsoft Updates.
The phishing emails carry either archive or document files containing a variant of a loader. The malicious tools were mainly hosted using two GitHub accounts, both deleted on January 12 and 14, 2021, respectively, with a new account being created on February 2.
The latest campaign launched by the threat actor was spotted on February 5, with a variant of KOCTOPUS being delivered, masquerading as BSPLink Upgrade.exe. In addition to Octopus and Koadic, the loader also delivered a variant of Quasar RAT.
Support the originator by clicking the read the rest link below.
