October 3, 2023

Researchers have discovered that the Lazarus APT group has initiated a fresh initiative aimed at internet backbone infrastructure and healthcare organizations situated in Europe and the U.S.

Threat actors started their attack by taking advantage of a vulnerability within ManageEngine ServiceDesk tracked as CVE-2022-47966.

The exploit was exploited to establish initial access, prompting the download and execution of a malicious binary through the Java runtime process, thereby initiating the implant on the compromised server. 

Advertisements

This binary represents a modified version of the group’s MagicRAT malware, dubbed QuiteRAT. They also used a malware named CollectionRAT that functions as a RAT capable of executing arbitrary commands on a compromised system. 

Researchers could establish a connection between CollectionRAT and Jupiter RAT, a malicious software previously associated with the Andariel APT faction, which operates under the umbrella of the Lazarus Group.

QuiteRAT is constructed using the Qt framework, an open-source, cross-platform framework designed for crafting applications. It boasts functionalities such as arbitrary command execution.

The Lazarus Group’s incorporated only essential Qt libraries into QuiteRAT, as opposed to MagicRAT, where the entire Qt framework was integrated.

Although MagicRAT integrates mechanisms for persistence by enabling the configuration of scheduled tasks, QuiteRAT lacks inherent persistence functionality and relies on the C2 server to provide it with persistence instructions.

Advertisements

This marks the third officially documented campaign attributed to the Lazarus Group in the early months of 2023, and interestingly, this actor has consistently repurposed the same infrastructure across these operations.

This research was documented by researchers from Cisco Talos

Indicators of Compromise

  • ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6
  • db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984
  • 773760fd71d52457ba53a314f15dddb1a74e8b2f5a90e5e150dea48a21aa76df
  • 05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d
  • e3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe
  • 146.4.21.94
  • 109.248.150.13
  • 108.61.186.55:443
Tags:

Leave a Reply

You may have missed

Industrial Control Systems and Vulnerability Management Process

October 2, 2023

McLaren Healthcare suffers a Ransomware Incident

October 2, 2023

TheCyberThrone CyberSecurity Newsletter Top 5 Articles – September, 2023

October 2, 2023

TheCyberThrone Security Week In Review – September 30, 2023

October 1, 2023

Mozilla fixes CVE-2023-5217 Vulnerability in its Products

September 30, 2023

CISA KEV Update Part III – September 2023

September 30, 2023
%d bloggers like this: