lazarusholic

Lazarus Exploits a Zoho ManageEngine Vulnerability to Distribute QuiteRAT and CollectionRAT

2023-09-22, Hawkeye
https://www.hawk-eye.io/2023/09/lazarus-exploits-a-zoho-manageengine-vulnerability-to-distribute-quiterat-and-collectionrat/
#CVE-2022-47966 #QuiteRAT

A recently patched vulnerability, CVE-2022-47966, affecting Zoho ManageEngine ServiceDesk Plus has been exploited by Lazarus, a North Korean state-sponsored APT group, to deploy the remote access trojan QuiteRAT.
Background
According to a report recently published by Cisco Talos, the campaign began earlier this year and targeted internet backbone infrastructure providers and healthcare organizations in the United States and the United Kingdom. Further investigation showed that the intrusions were designed to deploy QuiteRAT together with a newly identified remote access trojan (RAT) that the Talos team named CollectionRAT.
Cisco Talos researchers learned of the attack on UK internet service providers early in 2023, when the North Korean group used an exploit for CVE-2022-47966, a pre-authentication remote code execution vulnerability affecting a number of Zoho ManageEngine products.
Technical Analysis
CVE-2022-47966:
CVE-2022-47966 is an unauthenticated remote code execution vulnerability affecting Zoho ManageEngine products including ServiceDesk Plus, Password Manager Pro, and ADSelfService Plus. These products have been the target of …

IoC

05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d
108.61.186.55
109.248.150.13
146.4.21.94
773760fd71d52457ba53a314f15dddb1a74e8b2f5a90e5e150dea48a21aa76df
db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984
e3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe
ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6
http://108.61.186.55:443
http://109.248.150.13
http://146.4.21.94
\Windows\system32\cmd.exe
\users\public\notify.exe
hxxp://109.248.150.13/EsaFin.exe
hxxp://146.4.21.94/boards/boardindex.php
hxxp://146.4.21.94/editor/common/cmod
hxxp://146.4.21.94/tmp/tmp/comp.dat
hxxp://146.4.21.94/tmp/tmp/log.php
hxxp://146.4.21.94/tmp/tmp/logs.php
hxxp://ec2-15-207-207-64.ap-south-1.compute.amazonaws.com/resource/main/rawmail.php
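To make the indicator list above directly usable, here is an added example (not code from the Hawkeye or Cisco Talos write-ups) that normalizes the mixed list of SHA-256 hashes, IPv4 addresses, defanged URLs and a drop path, then sweeps constructed sample proxy, DNS and process-creation log lines for hits. The indicators are the ones listed on this page; the log lines are constructed for illustration and are not real telemetry. The bare path \Windows\system32\cmd.exe is deliberately left out of the match set, since on its own it matches every Windows host and is only meaningful as the parent of notify.exe.

```python
"""Sweep log lines for the indicators listed on this page.

Added example (not code from the Hawkeye or Cisco Talos reports). The
indicators are copied from the IoC list above; the log lines are
constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Indicators as published: SHA-256 hashes, IPv4 addresses, defanged URLs and a drop path.
RAW_IOCS = [
    "05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d",
    "773760fd71d52457ba53a314f15dddb1a74e8b2f5a90e5e150dea48a21aa76df",
    "db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984",
    "e3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe",
    "ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6",
    "108.61.186.55",
    "109.248.150.13",
    "146.4.21.94",
    "hxxp://109.248.150.13/EsaFin.exe",
    "hxxp://146.4.21.94/boards/boardindex.php",
    "hxxp://146.4.21.94/editor/common/cmod",
    "hxxp://146.4.21.94/tmp/tmp/comp.dat",
    "hxxp://146.4.21.94/tmp/tmp/log.php",
    "hxxp://146.4.21.94/tmp/tmp/logs.php",
    "hxxp://ec2-15-207-207-64.ap-south-1.compute.amazonaws.com/resource/main/rawmail.php",
    r"\users\public\notify.exe",
    # \Windows\system32\cmd.exe is omitted on purpose: on its own it matches every host.
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HEX64_ANY_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
URL_ANY_RE = re.compile(r"h(?:xx|tt)ps?://[^\s\"'<>]+", re.I)
# Dotted names: catches both bare hostnames and IPv4 addresses in free-form log text.
HOST_ANY_RE = re.compile(r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b", re.I)


def refang(ioc):
    """Undo the usual defanging so indicators compare equal to real log data."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def classify(ioc):
    """Return (kind, normalised value) for one raw indicator string."""
    v = refang(ioc.strip()).lower()
    if SHA256_RE.match(v):
        return "sha256", v
    if IPV4_RE.match(v):
        return "ip", v
    if v.startswith(("http://", "https://")):
        return "url", v
    if "\\" in v:
        return "path", v
    return "other", v


def build_indicator_set(raw_iocs):
    """Group indicators by kind; URL hosts are also added so bare DNS/proxy hits count."""
    ind = {"sha256": set(), "host": set(), "url": set(), "path": set()}
    for ioc in raw_iocs:
        kind, v = classify(ioc)
        if kind == "sha256":
            ind["sha256"].add(v)
        elif kind == "ip":
            ind["host"].add(v)
        elif kind == "url":
            ind["url"].add(v)
            host = urlsplit(v).hostname
            if host:
                ind["host"].add(host)
        elif kind == "path":
            ind["path"].add(v)
    return ind


def scan_line(line, ind):
    """Return the sorted set of (kind, value) indicator hits in one log line."""
    hits = set()
    low = line.lower()
    for h in HEX64_ANY_RE.findall(line):
        if h.lower() in ind["sha256"]:
            hits.add(("sha256", h.lower()))
    for u in URL_ANY_RE.findall(line):
        u = refang(u).lower().rstrip(".,;")
        if u in ind["url"]:
            hits.add(("url", u))
        host = urlsplit(u).hostname
        if host in ind["host"]:
            hits.add(("host", host))
    for h in HOST_ANY_RE.findall(line):
        if h.lower() in ind["host"]:
            hits.add(("host", h.lower()))
    for p in ind["path"]:
        if p in low:
            hits.add(("path", p))
    return sorted(hits)


def sweep(lines, ind):
    """Return [(line_number, kind, value), ...] across all lines, 1-indexed."""
    return [(n, k, v) for n, line in enumerate(lines, 1) for k, v in scan_line(line, ind)]


# Constructed sample lines (proxy, process creation, DNS); not real telemetry.
SAMPLE_LOGS = [
    "2023-02-14T10:03:11Z proxy src=10.0.0.15 dst=109.248.150.13 method=GET url=http://109.248.150.13/EsaFin.exe status=200",
    r"2023-02-14T10:03:20Z sysmon EventID=1 Image=C:\users\public\notify.exe ParentImage=C:\Windows\system32\cmd.exe Hashes=SHA256=ED8EC7A8DD089019CFD29143F008FA0951C56A35D73B2E1B274315152D0C0EE6",
    "2023-02-14T10:04:00Z proxy src=10.0.0.22 dst=142.250.74.46 method=GET url=https://www.example.com/ status=200",
    "2023-02-14T10:05:00Z dns client=10.0.0.15 query=ec2-15-207-207-64.ap-south-1.compute.amazonaws.com type=A",
    "2023-02-14T10:06:30Z proxy src=10.0.0.15 dst=146.4.21.94 method=POST url=http://146.4.21.94/tmp/tmp/logs.php status=200",
]

if __name__ == "__main__":
    for n, kind, value in sweep(SAMPLE_LOGS, build_indicator_set(RAW_IOCS)):
        print(f"line {n}: {kind} {value}")
```

Hostnames extracted from the URL indicators are matched on their own, so a DNS query for the amazonaws.com host or a proxy connection to 146.4.21.94 without the full path still surfaces; the full-URL match is kept as a separate, higher-confidence hit. Hash comparison is case-insensitive because Sysmon and many EDR exports emit uppercase hex.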