Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT
Contents
- Cisco Talos discovered the North Korean state-sponsored actor Lazarus Group targeting internet backbone infrastructure and healthcare entities in Europe and the United States. This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations.
- In this campaign, the attackers began exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) five days after PoCs for the exploit were publicly disclosed to deliver and deploy a newer malware threat we track as “QuiteRAT.” Security researchers first discovered this implant in February, but little has been written on it since then.
- QuiteRAT has many of the same capabilities as Lazarus Group’s better-known MagicRAT malware, but its file size is significantly smaller. Both implants are built on the Qt framework and include capabilities such as arbitrary command execution.
- Lazarus Group’s increasing use of the Qt framework creates challenges for defenders. It increases …
IoC