Cybersecurity researchers at Positive Technologies Expert Security Center (PT ESC) recently uncovered a new threat actor they've named Lazy Koala. Despite lacking sophistication, this group has managed to achieve significant results.

The report reveals that Lazy Koala is targeting enterprises primarily in Russia and six other Commonwealth of Independent States countries: Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia. Their victims belong to government agencies, financial institutions, and educational establishments. Their primary aim is to acquire login credentials for various services.

According to the researchers, nearly 900 accounts have been compromised so far. The purpose behind the stolen information remains unclear, but it's suspected that it may either be sold on the dark web or utilized in more severe subsequent attacks.

The modus operandi of Lazy Koala involves simple yet effective tactics. They employ convincing phishing attacks, often using native languages to lure victims into downloading and executing attachments. These attachments contain a basic password-stealing malware. The stolen files are then exfiltrated through Telegram bots, with the individual managing these bots being dubbed Koala, hence the group's name.

Denis Kuvshinov, Head of Threat Analysis at PT ESC, describes Lazy Koala's approach as "harder doesn't mean better." Despite their avoidance of complex tools and tactics, they manage to accomplish their objectives. Once the malware establishes itself on a device, it utilizes Telegram, a preferred tool among attackers, to exfiltrate stolen data.

PT ESC has notified the victims of these attacks, warning that the stolen information is likely to be sold on the dark web.