Lazarus Targets Internet Infrastructure and Healthcare with QuiteRAT
The North Korean state-sponsored actor Lazarus Group recently started a new campaign targeting internet backbone infrastructure and healthcare entities in Europe and the US, security researchers from Cisco Talos have found.
The researchers said that the attackers began exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) in January 2023, only five days after it was disclosed.
This vulnerability is highly critical, with a CVSS score of 9.8/10 and a Kenna risk score of 100/100.
The threat actors used the exploit to gain initial access. The successful exploitation triggered the immediate download and execution of a malicious binary via the Java runtime process, activating the implant on the infected server. This binary is a variant of their MagicRAT malware that Cisco Talos named QuiteRAT.
First discovered in February by WithSecure, QuiteRAT has stayed under the radar until now. Like MagicRAT, QuiteRAT is built on the Qt framework, a free, open-source, cross-platform framework for building applications, and includes capabilities such as arbitrary command execution.
QuiteRAT's file size, however, is much smaller: 4 to 5MB compared with MagicRAT's 18MB.
“This substantial difference in size is due to Lazarus Group incorporating only a handful of required Qt libraries into QuiteRAT, as opposed to MagicRAT, in which they embedded the entire Qt framework,” reads the analysis, published on August 24, 2023.
Once the implant starts running, it sends out preliminary system information to its command and control (C&C) servers. Then, it waits for the C&C to respond with a command code or an actual Windows command to execute on the endpoint via a child cmd.exe process.
“While MagicRAT consists of persistence mechanisms implemented in it via the ability to set up scheduled tasks, QuiteRAT does not have a persistence capability and needs to be issued one by the C&C server to achieve continued operation on the infected endpoint,” the researchers added.
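The behaviour described above gives defenders two concrete process-tree signals: the ServiceDesk Java runtime spawning a binary it should never launch (the initial download-and-execute), and that binary later spawning a child cmd.exe for each command the C&C issues. The following is an added illustration, not code from Cisco Talos or from the article, of how such a chain can be flagged in process-creation telemetry. The log events, file paths and rule names are all constructed for the example; the ManageEngine JRE path and the dropped-binary location are assumptions, not indicators from the report.

```python
"""Flag the process chain described in the article: a web-app JVM spawning
a shell or an untrusted executable, and a shell spawned from a payload that
lives in a writable directory. Added example with constructed events."""
import ntpath
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class ProcEvent:
    ts: str
    host: str
    parent_image: str  # full path of the parent process image
    image: str         # full path of the newly created process image
    cmdline: str

# Shells that the JVM of a ticketing application should essentially never launch.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Locations a dropped payload typically lands in (assumption for the example).
WRITABLE_DIRS = ("\\windows\\temp\\", "\\users\\", "\\programdata\\", "\\appdata\\")
# Image locations treated as trusted when launched by the JVM (assumption).
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\")

# Constructed process-creation events; paths and names are hypothetical.
SAMPLE_EVENTS = [
    ProcEvent("2023-01-09T10:00:01Z", "sd-01", r"C:\Windows\System32\services.exe",
              r"C:\ManageEngine\ServiceDesk\jre\bin\java.exe", "java.exe -jar servicedesk.jar"),
    ProcEvent("2023-01-09T10:02:11Z", "sd-01", r"C:\ManageEngine\ServiceDesk\jre\bin\java.exe",
              r"C:\Windows\Temp\svc.exe", "svc.exe"),
    ProcEvent("2023-01-09T10:02:12Z", "sd-01", r"C:\ManageEngine\ServiceDesk\jre\bin\java.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c systeminfo"),
    ProcEvent("2023-01-09T10:05:40Z", "sd-01", r"C:\Windows\Temp\svc.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c systeminfo"),
    ProcEvent("2023-01-09T10:06:00Z", "ws-07", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe"),  # interactive user shell, benign
]

def _base(path: str) -> str:
    return ntpath.basename(path).lower()

def _in_writable_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in WRITABLE_DIRS)

def classify(ev: ProcEvent) -> List[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits: List[str] = []
    parent, child = _base(ev.parent_image), _base(ev.image)
    if parent == "java.exe":
        if child in SHELLS:
            hits.append("jvm_spawns_shell")
        elif not ev.image.lower().startswith(TRUSTED_PREFIXES):
            hits.append("jvm_spawns_untrusted_binary")
    # A shell whose parent lives in a writable directory is the implant-issuing-commands pattern.
    if child in SHELLS and _in_writable_dir(ev.parent_image):
        hits.append("shell_from_writable_dir_parent")
    return hits

def scan(events) -> List[Tuple[ProcEvent, List[str]]]:
    """Run classify() over a stream of events and keep only those that matched."""
    return [(ev, hits) for ev in events if (hits := classify(ev))]

if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_EVENTS):
        print(ev.ts, ev.host, _base(ev.parent_image), "->", _base(ev.image), hits)
```

The first rule fires on the exploitation step regardless of what the payload is called, because it keys on the parent being the application's JVM rather than on a file hash; the second rule catches the per-command cmd.exe children even after the dropper has been renamed, since it keys on where the parent image lives. In a real deployment the writable-directory and trusted-prefix lists would be tuned to the host's actual install layout.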
This is the third documented campaign attributed to the Lazarus Group since the beginning of 2023, with the actor reusing the same infrastructure throughout these operations.
The exploited vulnerability, affecting multiple products of Zoho-owned ManageEngine, is now awaiting reanalysis.
The same day Cisco Talos’ analysis was published, the FBI warned cryptocurrency firms about a surge in blockchain activity linked to the theft of hundreds of millions in digital currency attributed to the Lazarus Group.