North Korea’s Lazarus Group hits organizations with two new RATs

One of North Korea’s most prominent cyberespionage groups has been using two new remote access trojans (RATs) in attack campaigns this year, researchers warn. One of the operations targeted internet backbone infrastructure and healthcare organizations from Europe and the United States.

“Lazarus Group remains highly active, with this being their third documented campaign in less than a year,” researchers from Cisco Talos said in a new report. “In September 2022, Talos published details of a Lazarus Group campaign targeting energy providers in the United States, Canada, and Japan. This campaign, enabled by the successful exploitation of the Log4j vulnerability, heavily employed a previously unknown implant we called ‘MagicRAT,’ along with known malware families VSingle, YamaBot, and TigerRAT, all of which were previously attributed to the threat actor by Japanese and Korean government agencies.”

An evolution of MagicRAT

In a campaign from earlier this year, the Talos researchers observed the group deploy a new RAT that appears to be a much more streamlined variant of MagicRAT. The researchers dubbed the new program QuiteRAT and saw it deployed in attacks that exploited a critical remote code execution vulnerability in ManageEngine ServiceDesk tracked as CVE-2022-47966.

Lazarus (APT38) is one of the North Korean government’s state-run hacking teams and is tasked with cyberespionage and sabotage. Its operations go back many years, and it shares part of its toolset and infrastructure with other North Korean APT groups.

According to Talos, the Lazarus attackers started exploiting CVE-2022-47966 within days of a proof-of-concept exploit becoming available in January. One of the victims was an internet backbone infrastructure provider in Europe whose server was backdoored with a new malware program that researchers hadn’t seen before — QuiteRAT.

QuiteRAT has many similarities to MagicRAT, which is a known Lazarus tool, but is much smaller and lacks a built-in persistence mechanism. Like MagicRAT, QuiteRAT was created with the Qt framework, an open-source platform for developing cross-platform applications that has gained popularity for the ease of creating graphical user interfaces (GUIs).

Neither of the two trojans has a graphical user interface, so the choice of Qt for development might seem strange. However, because very few malicious programs are developed with this framework, it makes detection and analysis harder. Notably, QuiteRAT is much smaller than MagicRAT (4MB to 5MB vs. 18MB) despite implementing nearly identical functionality — allowing attackers to execute commands and additional payloads on the infected system remotely.

The difference comes from a more streamlined development process where QuiteRAT only incorporates a handful of needed Qt libraries, while MagicRAT bundles the whole framework, making it much bulkier.

Once deployed on a system, QuiteRAT gathers basic information such as MAC addresses, IP addresses, and the current user name of the device. It then connects to a hard-coded command-and-control server and waits for commands to be issued.

One of the implemented commands puts the malware to sleep and stops its communication with the C2 server for a specified time, probably an attempt by the attackers to remain undetected inside victim networks. While QuiteRAT doesn’t have a built-in persistence mechanism, the C2 server can send a command that sets up a registry entry to start the malware after a reboot.

A second new remote access trojan: CollectionRAT

While investigating the QuiteRAT attacks, the Talos researchers analyzed Lazarus’ C2 infrastructure and found additional tools, including another RAT program they dubbed CollectionRAT. “We discovered that QuiteRAT and the open-source DeimosC2 agents used in this campaign were hosted on the same remote locations used by the Lazarus Group in their preceding campaign from 2022 that deployed MagicRAT,” the Talos researchers said. “This infrastructure was also used for commanding and controlling CollectionRAT, the newest malware in the actor’s arsenal.”

CollectionRAT seems to be connected to Jupiter/EarlyRAT, another malware program that CISA and Kaspersky Lab have documented in the past in connection with North Korean cyberattacks. Like QuiteRAT, CollectionRAT was developed using unusual tooling, in this case the Microsoft Foundation Class (MFC) library, a legitimate library traditionally used to create user interfaces for Windows applications. MFC is used to decrypt and execute the malware code on the fly, but it also has the benefit of abstracting the inner implementation of the Windows OS, making development easier while allowing different components to work with each other easily.

Once deployed, the implant collects identifying information about the system and sends it to the C2 server. It can also spawn a reverse shell through which attackers run arbitrary commands, read and write files on disk, and execute additional payloads.

“Analyzing CollectionRAT indicators of compromise (IOCs) enabled us to discover links to EarlyRAT, a PureBasic-based implant that security research firm Kaspersky recently attributed to the Andariel subgroup,” the Talos researchers said. “We discovered a CollectionRAT sample signed with the same certificate used to sign an older version of EarlyRAT from 2021. Both sets of samples used the same certificate from ‘OSPREY VIDEO INC.’ with the same serial number and thumbprint.”
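The certificate pivot Talos describes above (linking CollectionRAT to EarlyRAT through a shared signing certificate) can be reproduced as a hunting step over sample metadata. The example below is added here and is not Talos code; the sample records, hashes, serial numbers and thumbprints are constructed placeholders, not the real indicators from the report.

```python
# Added example (not Talos code): pivoting on shared code-signing certificates,
# the technique used to link CollectionRAT to EarlyRAT in the article.
# Every record below is constructed; hashes, serials and thumbprints are
# placeholders, not real indicators of compromise.
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class SignedSample:
    sha256: str       # placeholder, not a real file hash
    family: str       # analyst label for the sample
    signer: str       # certificate subject common name as reported by the tool
    serial: str       # certificate serial number as reported by the tool
    thumbprint: str   # certificate SHA-1 thumbprint as reported by the tool


_NON_HEX = re.compile(r"[^0-9a-f]")


def normalize(value: str) -> str:
    """Different tools print serials and thumbprints with colons, spaces or
    mixed case; normalize so one certificate always yields one key."""
    return _NON_HEX.sub("", value.lower())


def cert_key(sample: SignedSample) -> tuple:
    # Subject CN alone is not a safe key: a legitimately issued certificate
    # for the same organisation has a different serial and thumbprint.
    return (normalize(sample.serial), normalize(sample.thumbprint))


def cluster_by_certificate(samples):
    """Group samples by (serial, thumbprint)."""
    clusters = defaultdict(list)
    for s in samples:
        clusters[cert_key(s)].append(s)
    return dict(clusters)


def cross_family_links(samples):
    """Return clusters whose samples span more than one malware family:
    a shared signing certificate is evidence of a common operator."""
    links = {}
    for key, group in cluster_by_certificate(samples).items():
        families = sorted({s.family for s in group})
        if len(families) > 1:
            links[key] = families
    return links


# Constructed records: same cert in two formats, plus a same-CN decoy.
SAMPLES = [
    SignedSample("sha256-placeholder-1", "CollectionRAT", "OSPREY VIDEO INC.",
                 "0A:1B:2C:3D", "AA BB CC DD EE FF 00 11 22 33"),
    SignedSample("sha256-placeholder-2", "EarlyRAT", "OSPREY VIDEO INC.",
                 "0a1b2c3d", "aabbccddeeff00112233"),
    SignedSample("sha256-placeholder-3", "Unrelated", "OSPREY VIDEO INC.",
                 "FF:EE:DD:CC", "00 11 22 33 44 55 66 77 88 99"),
]
```

Run `cross_family_links(SAMPLES)` to see only the first two records linked; the third shares the subject name but not the certificate, so it is correctly left alone.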

Lazarus’s use of third-party tools

Aside from the custom-made QuiteRAT and CollectionRAT malware programs, Lazarus has also relied on third-party tools in its operations. One example is DeimosC2, a command-and-control framework written in Golang with RAT capabilities that is similar to post-exploitation frameworks like Cobalt Strike and Sliver.

“We discovered the presence of a new implant that we identified as a beacon from the open-source DeimosC2 framework,” the Talos researchers said. “Contrary to most of the malware found on their hosting infrastructure, the DeimosC2 implant was a Linux ELF binary, indicating the intention of the group to deploy it during the initial access on Linux-based servers.”

Another tool hosted on Lazarus’s C2 infrastructure was PuTTY Link (Plink), which can be used for remote tunneling between infected systems and the C2 server.
