Lazarus APT MagicRAT In Action

Cyber Security News Lazarus APT MagicRAT in action.

The North Korean state-sponsored Lazarus APT group has launched a campaign targeting internet backbone infrastructure and healthcare organizations in Europe and the US.

According to Cisco Talos, the hackers began exploiting a vulnerability in ManageEngine ServiceDesk (CVE-2022-47966) soon after its disclosure on January 5th.

Lazarus used the exploit to gain initial access, downloading and executing a malicious binary via Java runtime, consequently implanting it on the server. This particular binary is a version of the MagicRAT malware, referred to as QuiteRAT.

In the same campaign the Lazarus Group also deployed a malware family referred to as CollectionRAT. It functions as a remote access tool, letting the operators run arbitrary commands on an infected system. Security analysts were further able to link CollectionRAT to Jupiter/EarlyRAT, malicious software already attributed to the Andariel faction, which operates as part of the Lazarus Group.

MagicRAT is a remote access trojan the Lazarus Group has used in earlier campaigns; QuiteRAT is its successor, providing the same kind of remote control with an updated design. QuiteRAT is built on the Qt framework, an open-source, cross-platform library intended for application development.

It also supports command execution. Its file size is far more modest than MagicRAT’s 18MB, ranging from 4 to 5MB. The analysis attributes the smaller size to the Lazarus Group bundling only the essential Qt libraries, whereas MagicRAT ships the whole Qt framework. MagicRAT includes its own persistence functionality, since it is able to set up scheduled tasks.

Conversely, persistence is not natively available with QuiteRAT; it must be provided through an external C2 server.
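The two behaviours the article describes (a binary downloaded and executed via the ManageEngine Java runtime, and persistence via scheduled tasks) are both visible in process-creation telemetry. The following Python sketch is an added example written for this page, not code from Cisco Talos or the article: it runs three detection rules over a handful of constructed Sysmon-style process-creation events. The ManageEngine install path, the set of shell/downloader tool names, the writable-directory list and the event records are all assumptions made for the example.

```python
"""
Detection sketch for the behaviours described above:
  1. a ManageEngine-owned Java runtime spawning a shell or downloader,
  2. that Java runtime launching a binary from a user-writable directory
     (the "download and execute via Java runtime" step), and
  3. scheduled-task creation (the persistence mechanism attributed to MagicRAT).
Input events are constructed for this example in a Sysmon-like shape.
"""
import re
from dataclasses import dataclass

# Constructed list of tools a compromised web application is often seen launching.
SHELL_OR_DOWNLOADER = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
    "bitsadmin.exe", "curl.exe", "wscript.exe", "mshta.exe",
}
JAVA_IMAGES = {"java.exe", "javaw.exe"}
# Hypothetical path fragment; adjust to the local ManageEngine install location.
MANAGEENGINE_HINT = "manageengine"
# Constructed list of directories an unprivileged process can usually write to.
WRITABLE_DIR_HINTS = ("\\temp\\", "\\users\\public\\", "\\programdata\\", "\\appdata\\")


@dataclass
class Finding:
    rule: str
    event_id: int
    detail: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyse(events):
    """Apply the three rules to each process-creation event; return all findings."""
    findings = []
    for ev in events:
        parent = basename(ev["ParentImage"])
        image = basename(ev["Image"])
        image_path = ev["Image"].lower()
        cmd = ev.get("CommandLine", "")
        from_managed_java = (parent in JAVA_IMAGES
                             and MANAGEENGINE_HINT in ev["ParentImage"].lower())

        # Rule 1: the application server's JVM should not be spawning shells.
        if from_managed_java and image in SHELL_OR_DOWNLOADER:
            findings.append(Finding("java_spawns_shell", ev["EventId"],
                                    f"{parent} -> {image}: {cmd}"))

        # Rule 2: the JVM launching an executable from a writable directory
        # matches "download a binary and execute it via the Java runtime".
        if from_managed_java and any(h in image_path for h in WRITABLE_DIR_HINTS):
            findings.append(Finding("java_launches_dropped_binary", ev["EventId"],
                                    f"{parent} -> {ev['Image']}"))

        # Rule 3: scheduled-task creation is the persistence step worth reviewing.
        if image == "schtasks.exe" and re.search(r"(?i)/create\b", cmd):
            findings.append(Finding("scheduled_task_created", ev["EventId"], cmd))
    return findings


# Constructed sample telemetry (not from the page): three malicious-looking
# events interleaved with three benign ones.
JRE = "C:\\Program Files\\ManageEngine\\ServiceDesk\\jre\\bin\\java.exe"
SAMPLE_EVENTS = [
    {"EventId": 1, "ParentImage": JRE, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventId": 2, "ParentImage": JRE, "Image": "C:\\Windows\\Temp\\svc.exe",
     "CommandLine": "svc.exe"},
    {"EventId": 3, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /create /tn Updater /tr C:\\Windows\\Temp\\svc.exe /sc minute /mo 5"},
    {"EventId": 4, "ParentImage": JRE, "Image": JRE, "CommandLine": "java.exe -version"},
    {"EventId": 5, "ParentImage": "C:\\Windows\\System32\\services.exe",
     "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventId": 6, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks.exe /query"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

Rule 2 is the one that most directly reflects the article's initial-access step; rule 3 covers MagicRAT's persistence but, as the article notes, would not fire for QuiteRAT, whose persistence has to come from the C2 side, so rules 1 and 2 carry the detection weight for that variant.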
