One of North Korea’s most prominent cyberespionage groups has been using two new remote access trojans (RATs) in attack campaigns this year, researchers warn. One of the operations targeted internet backbone infrastructure and healthcare organizations from Europe and the United States.

“Lazarus Group remains highly active, with this being their third documented campaign in less than a year,” researchers from Cisco Talos said in a new report. “In September 2022, Talos published details of a Lazarus Group campaign targeting energy providers in the United States, Canada, and Japan. This campaign, enabled by the successful exploitation of the Log4j vulnerability, heavily employed a previously unknown implant we called ‘MagicRAT,’ along with known malware families VSingle, YamaBot, and TigerRAT, all of which were previously attributed to the threat actor by Japanese and Korean government agencies.”

An evolution of MagicRAT

In a campaign from earlier this year, the Talos researchers observed the group deploy a new RAT that appears to be a much more streamlined variant of MagicRAT. The researchers dubbed the new program QuiteRAT and saw it deployed in attacks that exploited a critical remote code execution vulnerability in ManageEngine ServiceDesk tracked as CVE-2022-47966.

Lazarus (APT38) is one of the North Korean government’s state-run hacking teams and is tasked with cyberespionage and sabotage. Its operations span back many years, and it shares some of its toolset and infrastructure with other North Korean APT groups.

Once deployed on a system, QuiteRAT gathers basic information such as MAC addresses, IP addresses, and the current user name of the device. It then connects to a hard-coded command-and-control (C2) server and waits for commands to be issued. One of the implemented commands puts the malware to sleep and stops it communicating with the C2 server for a specified time, probably an attempt by the attackers to remain undetected inside victim networks. While QuiteRAT doesn’t have a built-in persistence mechanism, the C2 server can send a command that sets up a registry entry to start the malware after a reboot.

A second new remote access trojan: CollectionRAT

While investigating the QuiteRAT attacks, the Talos researchers analyzed Lazarus’ C2 infrastructure and found additional tools, including another RAT program they dubbed CollectionRAT. “We discovered that QuiteRAT and the open-source DeimosC2 agents used in this campaign were hosted on the same remote locations used by the Lazarus Group in their preceding campaign from 2022 that deployed MagicRAT,” the Talos researchers said.
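The QuiteRAT section above describes a persistence step that a defender can watch for: a C2-issued command that sets up a registry entry so the malware starts after a reboot. The following detection check is an added example written for this article, not code from Cisco Talos or from the QuiteRAT report. It assumes the standard Run/RunOnce autostart keys (the article does not name which key QuiteRAT uses), a pipe-separated Sysmon-style record format that is an assumption of this example, and a constructed sample of registry value-set events; the "user-writable path" scoring is a heuristic for triage, not an indicator published for this malware.

```python
"""Flag registry Run-key persistence from constructed Sysmon-style events.

Added example for this article; not Cisco Talos code. The log format, the
autostart locations and the severity heuristic are assumptions of this
example, not details taken from the QuiteRAT report.
"""
import re
from dataclasses import dataclass

# Constructed sample: Sysmon Event ID 13 (RegistryEvent: value set), one event
# per line, fields separated by "|": EventID|Image|TargetObject|Details.
SAMPLE_EVENTS = r"""
13|C:\Users\alice\AppData\Local\Temp\update.exe|HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate|C:\Users\alice\AppData\Local\Temp\update.exe
13|C:\Program Files\Microsoft OneDrive\OneDrive.exe|HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive|"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
13|C:\Windows\System32\svchost.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth|C:\Windows\System32\SecurityHealthSystray.exe
13|C:\Users\alice\Downloads\setup.exe|HKU\S-1-5-21-1111\Software\Acme\Settings\Theme|dark
13|C:\Windows\System32\cmd.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svc|C:\ProgramData\svc\svc.exe -k
"""

# Assumed autostart locations to watch (the article does not name the key QuiteRAT uses).
AUTOSTART_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE
)

# Heuristic: locations an unprivileged user can write to. A new autostart entry
# pointing here deserves more scrutiny than one pointing into Program Files or System32.
USER_WRITABLE = re.compile(
    r"^[A-Z]:\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    image: str        # process that wrote the value
    key: str          # Run/RunOnce key that received it
    value_name: str   # registry value name
    command: str      # value data: what will start at next logon/boot
    severity: str     # "high" or "medium" (heuristic)


def parse_events(text):
    """Parse the pipe-separated sample into (event_id, image, target, details) tuples."""
    events = []
    for line in text.strip().splitlines():
        event_id, image, target, details = line.split("|", 3)
        events.append((int(event_id), image, target, details))
    return events


def strip_quotes(command):
    """Return the executable path from value data such as '"C:\\x y.exe" /arg'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def find_autostart_writes(events):
    """Return a Finding for each value set under a Run/RunOnce key."""
    findings = []
    for event_id, image, target, details in events:
        if event_id != 13:
            continue
        key, _, value_name = target.rpartition("\\")
        if not AUTOSTART_KEY.search(key):
            continue
        exe = strip_quotes(details)
        # Either the writing process or the program being registered lives in a
        # user-writable location: rate it higher for analyst triage.
        suspicious = USER_WRITABLE.search(image) or USER_WRITABLE.search(exe)
        findings.append(Finding(image, key, value_name, details,
                                "high" if suspicious else "medium"))
    return findings


if __name__ == "__main__":
    for f in find_autostart_writes(parse_events(SAMPLE_EVENTS)):
        print(f"[{f.severity}] {f.value_name}: {f.command}  (written by {f.image})")
```

Run against the sample, the check reports four Run/RunOnce writes and rates two of them high: the Temp-resident updater that registers itself, and the RunOnce entry pointing into ProgramData. The OneDrive and SecurityHealth entries are kept at medium rather than dropped, since a real hunt would still reconcile them against a known-good baseline; the point is that a C2-driven persistence command has to leave exactly this kind of registry write, regardless of what the implant is called.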