An infamous hacking collective acting on behalf of North Korea has deployed a novel variant of malware to target healthcare organizations and critical internet infrastructure across Europe and the United States. This advanced strain of malware, identified by researchers as QuiteRAT, shares numerous characteristics with previously observed malware strains employed by the Lazarus APT group. However, it possesses an elevated level of complexity, making it considerably more challenging for defenders to analyze and counteract. Additionally, according to the researchers' findings, the hackers also leveraged open-source tools and frameworks during the initial breach stage of their operations.

Lazarus Remains an Extremely Active Actor in the Cybercriminal Landscape

Security analysts have brought to light a series of attack operations involving the well-established Lazarus hacking group, which gained notoriety for its alleged theft of cryptocurrency valued at $1.7 billion in 2022. Remarkably, within a span of less than a year, this group has been linked to three documented campaigns, and the same infrastructure has been reused across all of them.

Lazarus' adoption of open-source tools has raised concerns due to its impact on the attribution process and the acceleration of the exploitation cycle. By employing open-source tools, the hackers manage to minimize suspicion and circumvent the need to construct capabilities from scratch. Notably, numerous open-source tools, originally intended for legitimate defensive and offensive tasks, have become part of the malicious arsenals of various cybercriminal groups.

Exploiting Vulnerabilities in Popular Business Software Suite

The reported incidents encompass the exploitation of a vulnerability that impacts ManageEngine ServiceDesk. The ManageEngine suite is used across numerous enterprises, including the majority of Fortune 100 organizations, to manage IT infrastructure, networks, servers, applications, endpoints and other functions. In January, the company responsible for the product officially acknowledged the existence of the vulnerability, designated as CVE-2022-47966. Various security firms have since issued alerts regarding its active exploitation by malicious actors.

QuiteRAT Stays Hidden on Compromised Devices

QuiteRAT empowers the hackers to amass information from the compromised device. The threat is also equipped with a function that enables it to enter a 'sleep' mode for pre-defined durations, facilitating the concealment of its presence within a compromised network.

Compared to its forerunner, MagicRAT, unveiled by the Lazarus hackers in April 2022, QuiteRAT boasts a notably smaller size. It measures merely 4 to 5 MB, primarily because it omits built-in persistence capabilities on the breached network. As a result, the hackers need to introduce a separate persistence feature afterwards.

Resemblances between the implants suggest that QuiteRAT stems from the lineage of MagicRAT. Beyond their shared reliance on the Qt framework, both threats exhibit similar functionalities, including the execution of arbitrary commands on the infected system.

Alongside QuiteRAT, researchers have observed the Lazarus Group employing another previously unknown threat dubbed 'CollectionRAT.' This malware exhibits standard Remote Access Trojan (RAT) capabilities, enabling it to execute arbitrary commands on the compromised systems.
