This is the prolific threat actor’s third major campaign this year alone.
Image Source: Shutterstock
Cisco Talos researchers have uncovered new activity from the notorious North Korean state-sponsored hacking group Lazarus Group targeting Internet backbone infrastructure and healthcare entities across Europe and the United States. This marks the third major Lazarus Group campaign in less than a year abusing reused network infrastructure.
The recent attacks exploited a known vulnerability in ManageEngine ServiceDesk software (CVE-2022-47966) to gain access and deploy malware. Specifically, threat actors weaponized the exploit just five days after proof-of-concept code was made public in order to distribute QuiteRAT – a newly discovered remote access trojan linked to Lazarus Group.
While QuiteRAT shares similar capabilities to MagicRAT, another Lazarus malware strain, Cisco Talos notes it has a much smaller file size. Both are built using the cross-platform Qt framework. Leveraging Qt allows Lazarus Group to create complex, stealthy malware that can evade traditional detection techniques.
“It increases the complexity of the malware’s code, making human analysis more difficult compared to threats created using simpler programming languages such as C/C++, DOT NET, etc,” Talos researchers Asheer Malhotra, Vitor Ventura and Jungsoo An said in a report Aug. 24, 2023. “Furthermore, since Qt is rarely used in malware development, machine learning and heuristic analysis detection against these types of threats are less reliable.”
A Mini, But More Evolved MagicRAT
Cisco Talos researchers discovered the new campaign when investigating a compromise at a European Internet backbone service provider. The Talos researchers described QuiteRAT as a relatively simple remote access trojan (RAT) made up of compact statically linked Qt libraries along with additional attacker-authored code. While the cross-platform Qt framework is popular for developing apps with graphical user interfaces, QuiteRAT does not actually contain a GUI like typical Qt programs.
QuiteRAT is a more evolved and much smaller implementation of MagicRAT. The malware averages around 4 to 5MB in size compared to MagicRAT’s much bulkier 18MB. The reason for the substantial difference in size is because of Lazarus Group’s decision to incorporate only strictly necessary Qt libraries into QuiteRAT. The new malware also doesn’t have the in-built persistence mechanisms available with MagicRAT and instead relies on the C2 server for it.
IOCs for the malware are available here and on Talos’ GitHub repository.