North Korea’s Lazarus Group has recently deployed a new remote access Trojan (RAT) called “QuiteRAT” in attacks against healthcare organizations and an internet infrastructure company. QuiteRAT is an upgraded version of a previous RAT called “MagicRAT” and it is built on Qt, a framework for designing graphical user interfaces (GUIs). This allows QuiteRAT to evade malware detection tools by disguising itself as a harmless application.
The Lazarus Group, known for its sophisticated cyber attacks, used QuiteRAT in attacks that targeted healthcare organizations in the US and UK, as well as a UK-based internet backbone infrastructure provider. The attackers gained initial access by exploiting CVE-2022-47966, a remote code execution (RCE) vulnerability in ManageEngine ServiceDesk. Cisco Talos, a cybersecurity research team, discovered this new RAT and detailed its capabilities in a recent report.
What sets QuiteRAT apart is its use of the Qt framework. Although the malware has no graphical component, the Lazarus Group chose Qt for its versatility and its ability to evade heuristic detection mechanisms. Qt is widely used in benign applications, which reduces the chances of detection by security systems that look for specific malware files and frameworks. By incorporating Qt, the Lazarus Group increases the stealthiness of QuiteRAT and makes it more difficult to detect.
QuiteRAT is the latest in a series of RATs developed by the Lazarus Group. The group constantly develops new implants and uses them as long as they are successful. QuiteRAT, which was discovered in February, is the successor to MagicRAT. It is more compact than its predecessor, weighing only 4 to 5 megabytes compared to MagicRAT’s 18 megabytes. This reduction in size makes QuiteRAT less conspicuous on a target machine and enhances its stealth capabilities.
Despite its smaller size, QuiteRAT shares many similarities with MagicRAT. Both RATs perform reconnaissance upon entering a target machine before establishing a remote shell. They allow the attackers to manipulate files, run commands, and execute various actions. Additionally, both RATs use similar obfuscation techniques and employ sleep states to avoid detection.
The concern now is whether QuiteRAT’s innovative use of the Qt framework will inspire other threat actors. Historically, techniques and tools used by APT groups like Lazarus have made their way into the broader cybercriminal ecosystem and been adopted by less sophisticated actors. Although there is currently no evidence of this happening, cybersecurity experts warn that other malware authors and APT groups may adopt the Qt framework in the future.
The Lazarus Group’s deployment of QuiteRAT demonstrates their continued evolution and adaptability in carrying out cyber attacks. By using the Qt framework, they have developed a highly evasive RAT that can bypass detection mechanisms and operate stealthily on a target machine. As the cybersecurity landscape continues to evolve, it is crucial for organizations and individuals to stay vigilant and implement robust security measures to defend against such threats.
