QuiteRAT Linked to North Korean APT Lazarus

An infamous hacking group affiliated with the North Korean government is using a new malware variant to target healthcare organizations and critical internet infrastructure in Europe and the US.

Security experts from Cisco Talos have released two reports detailing a series of incidents associated with the longstanding Lazarus hacking group. This group gained notoriety for its alleged involvement in stealing approximately $1.7 billion in cryptocurrency during 2022.

According to the researchers, this marks the third documented campaign linked to this group in under a year. The hackers have been reusing the same infrastructure across these operations. The attacks involved exploiting a vulnerability in ManageEngine ServiceDesk, although the specific targets have not been disclosed.

ManageEngine's suite is widely used by numerous organizations, including a significant portion of Fortune 100 companies, for managing IT systems. The vulnerability (CVE-2022-47966) was publicly acknowledged by the company earlier, and security firms warned about its exploitation by hackers.

In February, the attackers began exploiting this vulnerability to deploy a more sophisticated piece of malware, which the Cisco Talos researchers named QuiteRAT. While it shares several characteristics with other Lazarus malware strains, QuiteRAT is deliberately designed to be harder for defenders to analyze and detect. The hackers also employed open-source tools and frameworks during the initial stages of their attacks.

The malware enables the hackers to collect information from compromised devices and includes a feature that lets it lie dormant for specified periods, helping it remain undetected on the compromised network.

QuiteRAT Succeeds MagicRAT

Unlike its predecessor MagicRAT, QuiteRAT is smaller, weighing only 4 to 5 megabytes. It has no built-in mechanism for maintaining persistence on a victim's network, so the hackers must deploy a separate persistence capability later on.

The researchers discovered similarities between QuiteRAT and MagicRAT, indicating that the former is a derivative of the latter. Both share abilities such as executing arbitrary commands on the compromised system.

In addition to QuiteRAT, the researchers uncovered another Lazarus Group threat named 'CollectionRAT.' This new threat possesses standard remote access trojan (RAT) features, including the capacity to execute arbitrary commands on compromised systems. CollectionRAT was linked to a Lazarus Group unit called Andariel.

The hackers behind Lazarus Group are shifting their tactics, increasingly relying on open-source tools as they evolve their methods. Despite being detected by numerous security firms and governments worldwide, the group continues to reuse much of the same infrastructure, techniques, and procedures, displaying a brazen approach.

Cisco Talos noted that this constitutes the third Lazarus campaign monitored in the past year, including attacks against energy providers in the US, Canada, and Japan in the previous September.

The utilization of open-source tools is concerning to several cybersecurity experts, as it complicates attribution and accelerates the exploitation process. Callie Guenther, a senior manager of cyberthreat research at Critical Start, mentioned that using open-source tools enables hackers to attract less attention and avoid the need to develop capabilities from scratch.

August 28, 2023