This cybercrime group uses the most basic tactics available, but they seem to work just fine

Hacking techniques don’t have to be particularly advanced to succeed. Case in point: Lazy Koala.

Cybersecurity researchers at the Positive Technologies Expert Security Center (PT ESC) recently discovered a new threat actor, which they named Lazy Koala. Nothing about this group is particularly progressive or sophisticated, but it is achieving excellent results.

According to the report, the attackers are targeting companies in Russia and six countries of the Commonwealth of Independent States: Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan and Armenia. Their victims work at government agencies, financial organizations and educational institutions, and the attackers usually go after login details for various services.

Exfiltration via Telegram

Nearly 900 accounts have been compromised so far, the researchers said. It’s unclear what the attackers do with the information, but it’s likely they sell it on the dark web or use it in further, more devastating attacks.

The attacks are simple: they involve creating convincing phishing scams, often in languages that locals speak, and tricking victims into downloading and running the attachment. The files distributed in these phishing attacks use a ‘primitive password stealer malware’.

The infostealer then collects the files and exfiltrates them via Telegram bots. The person who operates these bots goes by Koala, which is where PT ESC took the group’s name from.

“The calling card of the new group is this: ‘harder does not mean better.’ Lazy Koala does not deal with complex tools, tactics and techniques, but they still get the job done,” said Denis Kuvshinov, head of threat analysis at the Positive Technologies Expert Security Center.

“After the malware settles on the infected device, it exfiltrates stolen data using Telegram, a favorite tool among attackers,” Kuvshinov said.

PT ESC said it has notified the victims, adding that the information stolen during this campaign will most likely be sold on the dark web.
