The Lazarus APT, a group with connections to North Korea, has capitalized on a critical vulnerability within Zoho ManageEngine ServiceDesk Plus, known as CVE-2022-47966, to distribute the QuiteRAT malware. This APT outfit has focused its efforts on targeting an Internet backbone infrastructure provider as well as healthcare organizations, with its attacks spanning across Europe and the United States. The group’s rapid exploitation of the flaw followed the public disclosure of proof-of-concept (PoC) exploits.
Utilizing the compromised flaw, the APT launched the deployment of QuiteRAT, a newer variant of malware that was first detected by security researchers in February.
Despite the smaller file size, QuiteRAT possesses similar capabilities to the Lazarus Group’s MagicRAT malware. Both of these malicious implants are coded using the Qt framework, which complicates their analysis and detection due to the framework’s design.
In early 2023, a successful compromise of an Internet backbone infrastructure provider was observed, whereby Lazarus Group exploited a vulnerable instance of ManageEngine ServiceDesk to achieve initial access. The vulnerability allowed immediate download and execution of a malicious binary via the Java runtime process, facilitated by the use of cURL commands.
Furthermore, the Lazarus Group’s adaptation of tactics has been noted, showcasing an increasing reliance on open-source tools and frameworks during the initial access phase, a departure from their previous post-compromise focus on these resources.
Notably, researchers discovered Lazarus Group’s deployment of a new malware named “CollectionRAT,” a remote access trojan (RAT) that enables execution of arbitrary commands on compromised systems. This RAT was linked to the Jupiter/EarlyRAT malware, associated with the Andariel APT subgroup of Lazarus.
Despite public knowledge of their tactics, techniques, and procedures (TTPs), the Lazarus APT continues to operate using familiar infrastructure, emphasizing the need for ongoing vigilance and cybersecurity measures.
