CyberSecurity SEE

Lazarus Group exploits ManageEngine vulnerability to target critical infrastructure

North Korean state-sponsored hackers known as the Lazarus Group have been caught exploiting a vulnerability in ManageEngine ServiceDesk to target internet backbone infrastructure and healthcare institutions in Europe and the US. The particular vulnerability being exploited is CVE-2022-47966, which was recently patched in mid-January 2023. The Lazarus Group utilized this vulnerability to deploy a remote access trojan (RAT) called QuiteRAT, which had been downloaded from an IP address connected to the Lazarus hacking group.

Once the QuiteRAT implant was activated, it immediately began sending preliminary system information to its command and control servers and waited for commands from them. The malware is capable of downloading and deploying additional malicious payloads. Despite its smaller size, QuiteRAT shares most of its capabilities with Lazarus Group’s previous malware, MagicRAT. Both malware strains use the Qt framework for developing cross-platform applications, making analysis and detection more difficult, as Qt is rarely used in malware development.

Researchers from Cisco Talos, who discovered the Lazarus Group’s latest tactics, noted that the use of Qt in the malware increases the complexity of the code and makes human analysis harder. Machine learning and heuristic analysis detection systems also struggle with Qt-based malware due to its uncommon usage in this context. The researchers also observed that Lazarus Group has recently shifted to using open-source tools and frameworks such as Mimikatz, PuTTY Link, Impacket, and DeimosC2 in the initial phase of their attacks, rather than just in the post-compromise phase.

In their investigation, the researchers discovered another malware strain used by the Lazarus Group called CollectionRAT, which shares operational links with QuiteRAT and other malware implants. CollectionRAT is a packed Microsoft Foundation Class (MFC) library-based Windows binary that decrypts and executes the actual malware code on the fly. The complexity of the MFC framework makes human analysis more cumbersome; in this case, the researchers found that MFC serves only as a wrapper and decrypter for the actual malicious code.

The Lazarus Group has gained infamy for its financially motivated cyberattacks, as well as its cyberespionage activities. These attacks are believed to be aimed at furthering North Korea’s political goals and stealing cryptocurrency to finance the nation’s various efforts. In fact, the FBI recently issued a warning to cryptocurrency companies about Lazarus Group-affiliated actors attempting to cash out $40 million worth of bitcoin stolen in international cryptocurrency heists. The FBI advises cryptocurrency companies not to facilitate any transactions involving the provided bitcoin addresses on their trading platforms.

The Lazarus Group’s ability to exploit vulnerabilities and use sophisticated malware strains like QuiteRAT and CollectionRAT highlights the ongoing threat posed by state-sponsored hackers. Organizations and businesses must remain vigilant and ensure that they have robust cybersecurity measures in place to defend against these types of attacks. Additionally, the timely patching of known vulnerabilities is essential to prevent adversaries from capitalizing on security weaknesses. By staying informed and proactive, individuals and organizations can better protect themselves against the ever-evolving threat landscape.
