The North Korean state-backed hacking group Lazarus has been compromising an internet backbone infrastructure provider and healthcare organisations by exploiting a major flaw (CVE-2022-47966) in Zoho's ManageEngine ServiceDesk.
The attacks kicked off earlier this year with the goal of infiltrating companies in the United States and the UK in order to disseminate the QuiteRAT malware and a newly found remote access trojan (RAT) known as CollectionRAT.
CollectionRAT was discovered after researchers analysed the infrastructure employed by the campaigns, which the threat actor had previously used for past assaults.
Targeting internet firms
Researchers at Cisco Talos observed attacks against UK internet enterprises in early 2023 when Lazarus exploited CVE-2022-47966, a pre-authentication remote code execution bug impacting numerous Zoho ManageEngine products.
"In early 2023, we observed Lazarus Group successfully compromise an internet backbone infrastructure provider in the United Kingdom to successfully deploy QuiteRAT. The actors exploited a vulnerable ManageEngine ServiceDesk instance to gain initial access," researchers at Cisco Talos stated.
According to the analysts, Lazarus began exploiting the flaw just five days after it became public. Multiple threat actors used the exploit in attacks, as observed by Rapid7, Shadowserver, and GreyNoise, prompting CISA to issue a warning to organisations.
Lazarus hackers dropped the QuiteRAT malware from an external URL after exploiting the vulnerability to infiltrate a target.
QuiteRAT, found in February 2023, is described as a basic yet powerful remote access trojan that appears to be a successor to the more well-known MagicRAT, which Lazarus deployed in the second half of 2022 to target energy suppliers.
The malware's code is leaner than MagicRAT's, and careful library selection has decreased its size from 18MB to 4MB while preserving the same set of functions, researchers added.
New Lazarus malware
In a separate report published earlier this week, Cisco Talos stated that Lazarus hackers had developed a new malware known as CollectionRAT, which is related to the "EarlyRAT" family. The new threat was discovered when experts examined the infrastructure employed by the actor in earlier operations.
CollectionRAT's features include arbitrary command execution, file management, gathering system information, reverse shell creation, new process spawning, fetching and launching new payloads, and self-deletion.
Another intriguing feature of CollectionRAT is its use of the Microsoft Foundation Class (MFC) framework, which allows it to decrypt and execute code on the fly, elude detection, and frustrate analysis.
Cisco Talos also observed further signs of evolution in Lazarus' tactics, techniques, and procedures, notably the extensive use of open-source tools and frameworks: Mimikatz for credential theft, PuTTY Link (Plink) for remote tunnelling, and DeimosC2 for command and control communication.
This strategy makes it difficult to attribute, monitor, and create efficient defences because Lazarus leaves behind fewer identifiable traces.