lazarusholic


Lazarus Group's infrastructure reuse leads to discovery of new malware

2023-08-24, CiscoTalos
https://blog.talosintelligence.com/lazarus-collectionrat/
#CVE-2022-47966 #Andariel #CollectionRAT

Contents

- In the Lazarus Group’s latest campaign, which we detailed in a recent blog, the North Korean state-sponsored actor is exploiting CVE-2022-47966, a ManageEngine ServiceDesk vulnerability, to deploy multiple threats. In addition to their “QuiteRAT” malware, which we covered in that blog, we also discovered Lazarus Group using a new threat called “CollectionRAT.”
- CollectionRAT has standard remote access trojan (RAT) capabilities, including the ability to run arbitrary commands on an infected system. Based on our analysis, CollectionRAT appears to be connected to Jupiter/EarlyRAT, another malware family Kaspersky recently wrote about and attributed to Andariel, a subgroup within the Lazarus Group umbrella of threat actors.
- Lazarus Group appears to be changing its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase.
- One such example of this trend is Lazarus Group’s use of the open-source …

IoC

05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d
108.61.186.55
109.248.150.13
146.4.21.94
773760fd71d52457ba53a314f15dddb1a74e8b2f5a90e5e150dea48a21aa76df
db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984
e3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe
ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6
http://108.61.186.55:443
http://109.248.150.13
http://146.4.21.94
http://109.248.150.13/EsaFin.exe
http://146.4.21.94/boards/boardindex.php
http://146.4.21.94/editor/common/cmod
http://146.4.21.94/tmp/tmp/comp.dat
http://146.4.21.94/tmp/tmp/log.php
http://146.4.21.94/tmp/tmp/logs.php
http://ec2-15-207-207-64.ap-south-1.compute.amazonaws.com/resource/main/rawmail.php
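The list above mixes three indicator types (SHA256 hashes, bare C2 IPs, and full URLs), and two of the URLs differ from the IPs only by scheme or port. The script below is an added example, not code from Cisco Talos or the lazarusholic page: it classifies the indicators by type, normalizes URLs to host plus path so that a request to the same path over a different port or scheme still matches, and runs the matcher over a few constructed proxy-log lines (the log format and the client addresses are assumptions, not data from the report).

```python
import hashlib
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied verbatim from the IoC list above (Cisco Talos, CollectionRAT report).
IOCS = """
05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d
108.61.186.55
109.248.150.13
146.4.21.94
773760fd71d52457ba53a314f15dddb1a74e8b2f5a90e5e150dea48a21aa76df
db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984
e3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe
ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6
http://108.61.186.55:443
http://109.248.150.13
http://146.4.21.94
http://109.248.150.13/EsaFin.exe
http://146.4.21.94/boards/boardindex.php
http://146.4.21.94/editor/common/cmod
http://146.4.21.94/tmp/tmp/comp.dat
http://146.4.21.94/tmp/tmp/log.php
http://146.4.21.94/tmp/tmp/logs.php
http://ec2-15-207-207-64.ap-south-1.compute.amazonaws.com/resource/main/rawmail.php
""".split()

SHA256_RE = re.compile(r"[0-9a-f]{64}")


def classify(iocs):
    """Split a flat IoC list into SHA256 hashes, IP addresses and URLs."""
    hashes, ips, urls = set(), set(), set()
    for ioc in iocs:
        if SHA256_RE.fullmatch(ioc):
            hashes.add(ioc)
        elif ioc.startswith(("http://", "https://")):
            urls.add(ioc)
        else:
            try:
                ipaddress.ip_address(ioc)
                ips.add(ioc)
            except ValueError:
                pass  # unknown indicator type: skip rather than guess
    return hashes, ips, urls


def normalize_url(url):
    """Reduce a URL to (host, path) so scheme and port differences cannot hide a match."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


def build_matcher(iocs):
    """Return (match_url, match_hash) closures over the classified indicators."""
    hashes, ips, urls = classify(iocs)
    hosts = set(ips)          # a bare IP indicator matches any request to that host
    exact = set()             # (host, path) pairs from URL indicators with a real path
    for u in urls:
        host, path = normalize_url(u)
        hosts.add(host)
        if path != "/":
            exact.add((host, path))

    def match_url(url):
        """'url' for a host+path hit, 'host' for a C2 host hit, None otherwise."""
        host, path = normalize_url(url)
        if (host, path) in exact:
            return "url"
        if host in hosts:
            return "host"
        return None

    def match_hash(data):
        """True when the SHA256 of the given bytes is one of the listed sample hashes."""
        return hashlib.sha256(data).hexdigest() in hashes

    return match_url, match_hash


# Constructed proxy log (assumed format: timestamp client method url); not from the report.
SAMPLE_LOG = """\
2023-08-20T10:01:12Z 10.0.0.21 GET http://109.248.150.13/EsaFin.exe
2023-08-20T10:01:40Z 10.0.0.21 POST http://146.4.21.94:8080/tmp/tmp/logs.php
2023-08-20T10:02:03Z 10.0.0.33 GET https://108.61.186.55/
2023-08-20T10:02:15Z 10.0.0.33 GET https://example.com/tmp/tmp/logs.php
2023-08-20T10:03:00Z 10.0.0.40 GET http://ec2-15-207-207-64.ap-south-1.compute.amazonaws.com/resource/main/rawmail.php
"""


def scan_proxy_log(text, match_url):
    """Return (client, url, match_kind) for every log line whose URL hits an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        kind = match_url(fields[3])
        if kind:
            hits.append((fields[1], fields[3], kind))
    return hits


if __name__ == "__main__":
    match_url, match_hash = build_matcher(IOCS)
    for client, url, kind in scan_proxy_log(SAMPLE_LOG, match_url):
        print(f"{kind:4} {client} -> {url}")
```

The path-only line (`example.com/tmp/tmp/logs.php`) is deliberately not flagged: the matcher keys on host plus path, because generic paths like `log.php` would otherwise fire on unrelated sites. The `ec2-…compute.amazonaws.com` name is an auto-assigned AWS hostname and the IPs can be reassigned over time, so a hit from this list is a triage lead rather than grounds for an automatic block.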