iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
A hacking collective with links to the government of North Korea has been observed attacking internet backbone infrastructure and healthcare organisations in both the US and Europe.
The Lazarus Group appears to be behind the attacks and researchers have also seen the group deploying new malware, which researchers at Cisco’s Talos security team have dubbed QuiteRAT.
The hackers are taking advantage of a known flaw in ManageEngine ServiceDesk to gain initial access to systems. Once inside a network, Lazarus operators have been seen using the Java runtime process to download and then execute a binary, which in turn leads to the deployment of the QuiteRAT malware.
With the malware in place, the hackers can then recon the network and gain persistence by tweaking a machine’s registry. The hackers are then free to run commands or deploy additional malicious payloads.
What makes QuiteRAT unique is its file size and the code it is written in. It’s significantly smaller – around 5 megabytes compared to 18 megabytes – than the Lazarus Group’s previous go-to malware, MagicRAT, and is written in the Qt programming framework. Together, this makes QuiteRAT difficult to detect by both human and machine-based detection systems.
QuiteRAT itself is relatively simple. It can run arbitrary commands on an infected machine, as well as record basic details such as Mac and IP addresses and device names. The malware can effectively be put to sleep and can remain dormant for extended periods before being activated again by its command and control infrastructure.
Cisco’s people believe QuiteRAT is an evolution of MagicRAT, the latest version of which was compiled in April 2022. QuiteRAT was first observed in May 2023, seemingly taking over from the previous malware.
“There are similarities between the implants that indicate that QuiteRAT is a derivative of MagicRAT,” the Talos team said in a blog post.
“Apart from being built on the Qt framework, both implants consist of the same abilities, including running arbitrary commands on the infected system. Both implants also use base64 encoding to obfuscate their strings with an additional measure, such as XOR or prepending hardcoded data, to make it difficult to decode the strings automatically.
“Additionally, both implants use similar functionality to allow them to remain dormant on the endpoint by specifying a sleep period for them by the C2 server.”
The Lazarus Group has been in action since at least 2009 and is known to engage in espionage operations, as well as fundraising activities via cryptocurrency theft.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
