The Lazarus Group [1] [2] [3] [4], a North Korea-linked threat actor [1] [2] [4], has been observed exploiting a critical security flaw in Zoho ManageEngine ServiceDesk Plus to distribute a remote access trojan called QuiteRAT [2] [4]. This group has been increasingly relying on open-source tools and frameworks in their attacks [2], such as the DeimosC2 framework [3]. Additionally, a new threat called CollectionRAT has been discovered in their attack infrastructure [2] [4].

Description

The Lazarus Group [1] [2] [3] [4], a North Korean state-sponsored threat actor [1] [3], has been observed exploiting a vulnerability in the ManageEngine ServiceDesk application to launch attacks on various targets [1], including a UK internet backbone provider and healthcare entities in Europe and the US [1]. This is the third documented campaign attributed to Lazarus in less than a year [1], with the group reusing the same infrastructure [1]. The attackers leveraged a remote access trojan (RAT) called QuiteRAT [1], which they deployed by exploiting a critical vulnerability in ManageEngine ServiceDesk [1] [2] [3] [4]. QuiteRAT is a successor to MagicRAT with similar capabilities but a smaller file size [2] [4]. The malware's use of the Qt framework makes analysis more challenging [2]. The activity involving QuiteRAT was detected in early 2023 and exploited CVE-2022-47966 [4], with the malware deployed from a malicious URL [4].

The Lazarus Group is increasingly relying on open-source tools and frameworks in their attacks [2], such as the DeimosC2 framework [3]. They are deploying the DeimosC2 agent as an ELF binary to compromise Linux endpoints [3]. The group has targeted internet backbone infrastructure and healthcare entities in Europe and the U.S. [2] [4]. Additionally, a new threat called CollectionRAT has been discovered in the Lazarus Group's attack infrastructure [2] [4]. CollectionRAT is primarily used for gathering metadata [2], running commands [2], managing files [2], and delivering additional payloads [2]. It is believed to be connected to the Jupiter/EarlyRAT malware family [3], which is attributed to Andariel, a subgroup of the Lazarus Group [3].

Despite the well-documented nature of their tactics [4], the Lazarus Group continues to rely on the same tradecraft [4], indicating their confidence in their operations [4]. They are continually shifting tactics and weaponizing newly disclosed vulnerabilities in software [2]. The use of open-source frameworks allows threat actors to avoid being profiled and raises fewer red flags [1]. CollectionRAT is not a particularly novel piece of code [1], but rather another tool in Lazarus Group’s toolbox [1].

Conclusion

The Lazarus Group's exploitation of the ManageEngine ServiceDesk vulnerability highlights the ongoing threat posed by state-sponsored threat actors. The use of open-source tools and frameworks makes attribution more difficult and increases the group's ability to evade detection. Organizations should prioritize prompt patching of vulnerabilities and implement robust security measures to mitigate the risk of such attacks. The discovery of CollectionRAT underscores the need for ongoing monitoring and analysis of emerging threats, as threat actors continue to evolve their tactics and develop new malware strains.

References

[1] https://www.scmagazine.com/news/north-korea-threat-group-exploiting-manageengine-servicedesk-bug
[2] https://thehackernews.com/2023/08/lazarus-group-exploits-critical-zoho.html
[3] https://blog.talosintelligence.com/lazarus-collectionrat/
[4] https://cyber.vumetric.com/security-news/2023/08/24/lazarus-group-exploits-critical-zoho-manageengine-flaw-to-deploy-stealthy-quiterat-malware/