Lazarus Group exploited ManageEngine vulnerability to target critical infrastructure

North Korean state-sponsored hackers Lazarus Group have been exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) to target internet backbone infrastructure and healthcare institutions in Europe and the US.

The group leveraged the vulnerability to deploy QuiteRAT, downloaded from an IP address previously associated with the Lazarus hacking group (aka APT38).

QuiteRAT

CVE-2022-47966 has been patched in mid-January 2023, and soon after a PoC exploit for it was publicly released and exploitation attempts started in earnest.

The malware Cisco Talos researchers dubbed QuiteRAT is a simple remote access trojan (RAT) that’s similar to Lazarus Group’s MagicRAT malware, only smaller in size.

Both MagicRAT and QuiteRAT use the Qt framework for developing cross-platform applications and have most of the same capabilities. The difference in size can be attributed to MagicRAT incorporating the entire Qt framework while QuiteRAT uses a just small set of statically linked Qt libraries (and some user-written code). Also, QuiteRAT lacks built-in persistence capabilities and depends on the C2 server to provide them.

“The latest version of Lazarus Group’s older MagicRAT implant observed in the wild was compiled in April 2022. This is the last version of MagicRAT that we know of. The use of MagicRAT’s derivative implant, QuiteRAT, beginning in May 2023 suggests the actor is changing tactics, opting for a smaller, more compact Qt-based implant,” the researchers said.

“As seen with Lazarus Group’s MagicRAT malware, the use of Qt increases the code complexity, making human analysis harder. Using Qt also makes machine learning and heuristic analysis detection less reliable, since Qt is rarely used in malware development.”

QuiteRAT infection chain. (Source: Talos)

Once executed and activated, the QuiteRAT implant starts sending preliminary system information to its command and control (C2) servers, and awaits for commands from it. The malware is capable of downloading and deploying additional malicious payloads.

CollectionRAT: Another weapon in the group’s arsenal

Other than allowing researchers to associate these latest attacks with Lazarus, the group’s penchant for infrastructure reuse helped them identify other malware they use (namely, CollectionRAT).

Its capabilities include arbitrary command execution, managing files of the infected endpoint, gathering of system information, reverse shell creation, spawning of new processes that allow download and deployment of additional payloads, and finally, the ability to self-delete from the compromised endpoint (when directed by the C2).

Operational links between the various malware implants. (Source: Talos)

“[CollectionRAT] consists of a packed Microsoft Foundation Class (MFC) library-based Windows binary that decrypts and executes the actual malware code on the fly. MFC, which traditionally is used to create Windows applications’ user interfaces, controls and events, allows multiple components of malware to seamlessly work with each other while abstracting the inner implementations of the Windows OS from the authors,” the researchers explained.

“Using such a complex framework in malware makes human analysis more cumbersome. However, in CollectionRAT, the MFC framework has just been used as a wrapper/decrypter for the actual malicious code.”

Lazarus Group’s tactics and targets

According to Cisco Talos researchers, the Lazarus Group is slightly changing attack tactics. While it previously used open-source tools and frameworks such as Mimikatz, PuTTY Link, Impacket, and DeimosC2 just in the post-compromise phase of attacks, it now also uses them in the initial phase.

“Apart from the many dual-use tools and post-exploitation frameworks found on Lazarus Group’s hosting infrastructure, we discovered the presence of a new implant that we identified as a beacon from the open-source DeimosC2 framework. Contrary to most of the malware found on their hosting infrastructure, the DeimosC2 implant was a Linux ELF binary, indicating the intention of the group to deploy it during the initial access on Linux-based servers,” they added.

Lazarus Group is known for mounting financially motivated and cyberespionage cyberattacks aimed at furthering North Korea’s political goals and at stealing cryptocurrency necessary to finance the nation’s various efforts.

On Tuesday, the FBI has warned cryptocurrency companies that Lazarus Group-affiliated actors are looking to cash out $40 million dollars worth of bitcoin stolen in international cryptocurrency heists, and that they should not permit transactions with or derived from the provided bitcoin addresses to be effected via their trading platforms.