Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023
Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023
Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023
Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023
Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – Sodinokibi Ransomware aka Sodin – Active IOCs
August 25, 2023
Rewterz Threat Alert – Young Hackers from Lapsus$ Gang Convicted in High-Profile Cyberattack Cases
August 25, 2023
Severity
High
Analysis Summary
The North Korea-linked threat actor known as Lazarus Group has recently been observed exploiting a critical security vulnerability in Zoho ManageEngine ServiceDesk Plus, a flaw that has since been patched. This exploitation is part of their strategy to distribute a remote access trojan (RAT) called QuiteRAT.
The targets of these attacks have included internet backbone infrastructure and healthcare entities across Europe and the United States. This information comes from an analysis of a cybersecurity company, in a two-part report.
What is particularly noteworthy is that the Lazarus Group has persistently employed the same tactics and techniques over the years, despite these methods being well-documented and widely known within the cybersecurity community. This level of consistency highlights the group’s confidence in their operational approach.
The malware QuiteRAT is positioned as a successor to MagicRAT, which itself follows in the footsteps of TigerRAT. Additionally, during investigations into the adversary’s attack infrastructure reuse, a new threat named CollectionRAT was uncovered.
While QuiteRAT shares many capabilities with MagicRAT, it stands out due to its considerably smaller file size. Both of these implants are constructed using the Qt framework and exhibit features like arbitrary command execution.
The decision to use the Qt framework seems strategic, as it introduces complexity into the malware’s code, making analysis more challenging for security researchers.
In early 2023, the Lazarus Group exploited CVE-2022-47966, merely five days after a proof-of-concept for the vulnerability was made available online. This exploit was used to directly deploy the QuiteRAT binary from a malicious URL.
The researchers have observed that QuiteRAT is a clear evolutionary step from MagicRAT. While MagicRAT is more considerable, averaging around 18 MB, QuiteRAT is significantly smaller, at approximately 4 to 5 MB. Furthermore, QuiteRAT lacks a built-in persistence mechanism, requiring a command from the server to ensure its continued operation on a compromised host.
The Lazarus Group increasingly relies on open-source tools and frameworks, particularly in the initial access phase of their attacks, rather than exclusively in the post-compromise phase. The GoLang-based open-source DeimosC2 framework has been used to achieve persistent access, while CollectionRAT is mainly employed for metadata gathering, running arbitrary commands, managing files, and delivering additional payloads.
While the propagation method of CollectionRAT remains unclear, evidence suggests that a trojanized version of the PuTTY Link (Plink) utility is used to establish a remote tunnel to the system and serve the malware.
Previously, Lazarus Group relied on custom-built implants like MagicRAT, VSingle, Dtrack, and YamaBot to establish initial access to compromised systems. These implants would then deploy various open-source or dual-use tools to execute malicious activities within the compromised network.
The discovery of CollectionRAT indicates that the Lazarus Group is continually adapting its tactics and expanding its toolkit. This includes weaponizing newly disclosed vulnerabilities in software to achieve their objectives more effectively.
Impact
- Financial Loss
- Reputation Damage
- Data Theft
Indicators of Compromise
IP
- 146.4.21.94
- 109.248.150.13
- 108.61.186.55
MD5
- c027d641c4c1e9d9ad048cda2af85db6
- c90d094a8fbeaa8a0083c7372bfc1897
- 853341a37ee6cd6516e03ce1341c7889
- 82491b42b9a2d34b13137e36784a67d7
- 7ba98edd7015779a2625f11f3eabe869
SHA-256
- ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6
- db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984
- 773760fd71d52457ba53a314f15dddb1a74e8b2f5a90e5e150dea48a21aa76df
- 05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d
- e3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe
SHA-1
- f141f9dfc7e082521c9d26980bfc8bf100bb2f61
- 97e9c7091a7275655d0e44559a3df6d5a0cf21d9
- 6ff55c00a1c09ccd6af7727d526e21ca969e0af0
- 1df16f8bb6068e5f65f0a9a3613cc31fe5321a8d
- 10408e6cf829699f0eb4c5199575261db14fee66
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Promptly apply security patches and updates to address known vulnerabilities.
- Educate employees about phishing attacks and social engineering tactics.
- Segment networks to limit lateral movement and access to critical systems.
- Implement multi-factor authentication (MFA) for enhanced authentication security.
- Deploy endpoint security solutions to detect and block malicious activities.
- Use intrusion detection and prevention systems (IDS/IPS) to monitor network traffic.
- Employ behavioral analytics to identify unusual patterns of behavior.
- Use advanced email filtering and anti-phishing solutions.
- Maintain regular backups of critical data and systems.
- Develop an incident response plan and conduct regular testing.