Lazarus Group Introduces Fresh Malware

North Korea’s Lazarus Group, a notorious cybercrime organization, has been observed changing its tactics by increasingly relying on open-source tools and frameworks in the initial stages of their attacks, according to researchers at Cisco Talos. Previously, the group primarily used these tools in the post-compromise phase of their operations. This change in strategy has raised concerns among cybersecurity experts.

Furthermore, Cisco Talos has discovered that the Lazarus Group has added a new remote access Trojan (RAT) called “CollectionRAT” to its arsenal. CollectionRAT is a powerful malware that allows the attackers to remotely access and control infected endpoints. It includes various RAT capabilities, such as running arbitrary commands and managing files on compromised devices.

The implant used by CollectionRAT is a packed Microsoft Foundation Class (MFC) library-based Windows binary. This binary decrypts and executes the actual malware code on the fly. Despite its complexity, malware developers often use MFC due to its ability to seamlessly integrate different components of the malware and abstract the inner workings of the Windows operating system from the authors.

While ransomware attacks often dominate the headlines, RATs like CollectionRAT are still a significant threat in the cybercrime landscape. Erich Kron, Security Awareness Advocate at KnowBe4, emphasized the importance of addressing this issue. He stated, “Whether they’re being deployed for use by their own groups, as in the case of Lazarus, or being deployed and that access sold by initial access brokers, the resulting intrusion can still cause significant harm to organizations.”

RATs typically infiltrate systems through various means, including exploiting unpatched software and through email phishing attacks. To mitigate the risk, organizations should prioritize regular software updates and educate their users on how to recognize and report phishing attempts. Kron further emphasized the need for organizations to take the threat of RATs seriously, stating, “While not as attention-grabbing as a ransomware infection, a lot of damage can still be done through one of these infections.”

The Lazarus Group's evolving tactics and use of new attack tools highlight the constant need for organizations to strengthen their cybersecurity measures. It also underscores the importance of staying informed about emerging threats and implementing proactive strategies to detect and prevent cyberattacks. As technology continues to advance, cybercriminals will undoubtedly find new ways to exploit vulnerabilities, making it crucial for defenders to remain vigilant.
