

Rewterz Threat Alert – Sodinokibi Ransomware aka Sodin – Active IOCs
August 25, 2023
Rewterz Threat Alert – Young Hackers from Lapsus$ Gang Convicted in High-Profile Cyberattack Cases
August 25, 2023
Severity
High
Analysis Summary
The North Korea-linked threat actor Lazarus Group has been observed exploiting a critical, since-patched vulnerability in Zoho ManageEngine ServiceDesk Plus to deliver a remote access trojan (RAT) called QuiteRAT.
Targets have included internet backbone infrastructure providers and healthcare entities in Europe and the United States, according to a two-part report published by a cybersecurity company.
Notably, Lazarus has kept using the same tactics and techniques over several years even though they are well documented and widely known in the security community, which suggests the group is confident its operational approach still works.
QuiteRAT is positioned as a successor to MagicRAT, which in turn followed TigerRAT. Separately, while investigating the adversary’s reuse of attack infrastructure, researchers uncovered a new implant named CollectionRAT.
QuiteRAT shares many capabilities with MagicRAT but has a considerably smaller footprint. Both implants are built on the Qt framework and support arbitrary command execution on the infected host.
Using Qt appears to be a deliberate choice: the framework adds a large amount of library code to the compiled binary, which complicates reverse engineering and makes analysis harder for researchers.
In early 2023, Lazarus exploited CVE-2022-47966, a pre-authentication remote code execution flaw in the SAML single sign-on component of several ManageEngine products, only five days after a proof-of-concept exploit was published. The exploit was used to fetch and run the QuiteRAT binary directly from a malicious URL.
Researchers describe QuiteRAT as a clear evolutionary step from MagicRAT. MagicRAT is much larger, averaging around 18 MB, while QuiteRAT is roughly 4 to 5 MB. QuiteRAT also has no built-in persistence mechanism: the command-and-control server must instruct it how to persist on a compromised host.
Lazarus is increasingly using open-source tools and frameworks during the initial access phase of its attacks rather than only post-compromise. The Go-based open-source DeimosC2 framework has been used to maintain persistent access, while CollectionRAT is mainly used to collect system metadata, run arbitrary commands, manage files, and deliver additional payloads.
How CollectionRAT is propagated remains unclear, but evidence suggests a trojanized copy of the PuTTY Link (Plink) utility is used to build a reverse tunnel from the victim system to attacker infrastructure and to serve the malware.
Previously, Lazarus relied on custom-built implants such as MagicRAT, VSingle, Dtrack, and YamaBot to establish initial access, then deployed open-source or dual-use tools for follow-on activity inside the compromised network.
The discovery of CollectionRAT shows that Lazarus is continually adapting its tactics and expanding its toolkit, including by weaponizing newly disclosed vulnerabilities shortly after they become public.
Impact
- Financial Loss
- Reputation Damage
- Data Theft
Indicators of Compromise
IP
- 146.4.21.94
- 109.248.150.13
- 108.61.186.55
MD5
- c027d641c4c1e9d9ad048cda2af85db6
- c90d094a8fbeaa8a0083c7372bfc1897
- 853341a37ee6cd6516e03ce1341c7889
- 82491b42b9a2d34b13137e36784a67d7
- 7ba98edd7015779a2625f11f3eabe869
SHA-256
- ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6
- db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984
- 773760fd71d52457ba53a314f15dddb1a74e8b2f5a90e5e150dea48a21aa76df
- 05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d
- e3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe
SHA-1
- f141f9dfc7e082521c9d26980bfc8bf100bb2f61
- 97e9c7091a7275655d0e44559a3df6d5a0cf21d9
- 6ff55c00a1c09ccd6af7727d526e21ca969e0af0
- 1df16f8bb6068e5f65f0a9a3613cc31fe5321a8d
- 10408e6cf829699f0eb4c5199575261db14fee66
Remediation
- Block the listed IP addresses and file hashes at your perimeter, proxy, and endpoint controls.
- Search your environment (endpoint telemetry, file hashes, proxy, DNS, and firewall logs) for the indicators of compromise (IOCs) listed above.
- Apply security patches promptly, in particular the ManageEngine fix for CVE-2022-47966 on any internet-exposed ServiceDesk Plus or other affected ManageEngine instance.
- Educate employees about phishing attacks and social engineering tactics.
- Segment networks to limit lateral movement and access to critical systems.
- Implement multi-factor authentication (MFA) for enhanced authentication security.
- Deploy endpoint security solutions to detect and block malicious activities.
- Use intrusion detection and prevention systems (IDS/IPS) to monitor network traffic.
- Employ behavioral analytics to identify unusual patterns of behavior.
- Use advanced email filtering and anti-phishing solutions.
- Maintain regular backups of critical data and systems.
- Develop an incident response plan and conduct regular testing.
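The following script is an added example of the IOC sweep the first two remediation items describe; it is not code from Rewterz or from the researchers behind the report. It embeds the IP addresses and hashes listed above, validates them so a copy/paste error cannot silently produce an empty hunt, hashes every file under a directory against the MD5/SHA-1/SHA-256 lists, and scans log lines for the IP indicators. The log lines and the file used in the demo are constructed here (the real samples are not on disk), so the demo substitutes the digests of a harmless file for the hash IOCs to show the matching path end to end.

```python
"""IOC sweep for the indicators in the alert (added example, not the
alert author's or the researchers' code). Sample log lines and the demo
file are constructed for illustration, not taken from an incident."""
import hashlib
import ipaddress
import re
import tempfile
from pathlib import Path

# Indicators copied from the alert above.
IOC_IPS = {"146.4.21.94", "109.248.150.13", "108.61.186.55"}
IOC_HASHES = {
    "md5": {
        "c027d641c4c1e9d9ad048cda2af85db6", "c90d094a8fbeaa8a0083c7372bfc1897",
        "853341a37ee6cd6516e03ce1341c7889", "82491b42b9a2d34b13137e36784a67d7",
        "7ba98edd7015779a2625f11f3eabe869",
    },
    "sha1": {
        "f141f9dfc7e082521c9d26980bfc8bf100bb2f61", "97e9c7091a7275655d0e44559a3df6d5a0cf21d9",
        "6ff55c00a1c09ccd6af7727d526e21ca969e0af0", "1df16f8bb6068e5f65f0a9a3613cc31fe5321a8d",
        "10408e6cf829699f0eb4c5199575261db14fee66",
    },
    "sha256": {
        "ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6",
        "db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984",
        "773760fd71d52457ba53a314f15dddb1a74e8b2f5a90e5e150dea48a21aa76df",
        "05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d",
        "e3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe",
    },
}
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
HEX_CHARS = set("0123456789abcdef")


def validate_iocs(ips=IOC_IPS, hashes=IOC_HASHES):
    """Catch copy/paste damage before hunting: every IP must parse and every
    digest must be lowercase hex of the right length for its algorithm."""
    for ip in ips:
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    for algo, digests in hashes.items():
        for d in digests:
            if len(d) != HEX_LEN[algo] or not set(d) <= HEX_CHARS:
                raise ValueError(f"bad {algo} digest: {d}")
    return True


def hash_file(path):
    """Compute all three digests in a single pass so large files are read once."""
    digests = {algo: hashlib.new(algo) for algo in HEX_LEN}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {algo: d.hexdigest() for algo, d in digests.items()}


def sweep_files(root, hashes=IOC_HASHES):
    """Return (path, algo, digest) for each regular file under root whose
    digest appears in the IOC hash set; symlinks are skipped."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        for algo, digest in hash_file(p).items():
            if digest in hashes.get(algo, ()):
                hits.append((str(p), algo, digest))
    return hits


# Lookarounds stop 1146.4.21.94 or 146.4.21.94.5 from matching an IOC.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)")


def sweep_log_lines(lines, ips=IOC_IPS):
    """Return (line_number, ip) for each log line that mentions an IOC IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in ips:
                hits.append((n, ip))
    return hits


# Constructed sample proxy/firewall lines (not real telemetry). Line 4 carries
# a near-miss address that must not be reported.
SAMPLE_LOG = [
    "2023-08-22T10:14:03Z proxy allow src=10.0.5.17 dst=146.4.21.94:443 bytes=4812",
    "2023-08-22T10:15:11Z proxy allow src=10.0.5.17 dst=142.250.72.14:443 bytes=977",
    "2023-08-22T10:20:45Z fw deny src=10.0.9.2 dst=109.248.150.13:8080",
    "2023-08-22T10:21:02Z fw allow src=10.0.9.2 dst=1146.4.21.94:443",
]


def demo():
    """Run both sweeps end to end. The real samples are not on disk, so a
    harmless constructed file is hashed and its digests stand in for IOCs."""
    validate_iocs()
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(b"constructed stand-in, not malware\n")
        stand_in = {algo: {d} for algo, d in hash_file(sample).items()}
        file_hits = sweep_files(tmp, stand_in)
    return file_hits, sweep_log_lines(SAMPLE_LOG)


if __name__ == "__main__":
    files, logs = demo()
    print("file hits:", files)
    print("log hits:", logs)
```

Point `sweep_files` at directories where a web-facing ManageEngine host would write dropped binaries (temp and download paths, the application's own directories) and feed `sweep_log_lines` exported proxy, DNS, and firewall records. Hash matches are exact and therefore brittle: a recompiled QuiteRAT or CollectionRAT sample has a different digest, so treat a clean hash sweep as necessary but not sufficient, and treat any hit on the IP list as a lead to investigate rather than proof on its own.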