Lazarus Group Exploits ManageEngine Vulnerability
HC3: Sector Alert
September 18, 2023
TLP:CLEAR
Report: 202309181700
Lazarus Group Exploits ManageEngine Vulnerability
Executive Summary
Cisco Talos has published an open-source report regarding the North Korean state-sponsored actor, the
Lazarus Group, reported to be targeting internet backbone infrastructure and healthcare entities in Europe
and the United States. The attackers have been exploiting a vulnerability in ManageEngine products, which
is tracked as CVE-2022-47966. This vulnerability was added to CISA’s Known Exploited Vulnerabilities
Catalog in January 2023. Through this exploit, the attackers are deploying the remote access trojan (RAT)
known as “QuiteRAT.” Security researchers previously identified this malware in February 2023, and it is
reportedly the successor to the group’s previously used malware “MagicRAT,” which contains many of the
same capabilities. Further analysis of this campaign has also shown that the group is using a new malware
tool called “CollectionRAT,” which appears to operate like most RATs by allowing the attacker to run
arbitrary commands among other capabilities. Both CISA and the FBI have previously warned …
IoC
146.4.21.94
773760fd71d52457ba53a314f15dddb1a74e8b2f5a90e5e150dea48a21aa76df
db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984
ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6