lazarusholic


MagicRAT: Lazarus’ latest gateway into victim networks

2022-09-07, CiscoTalos
http://blog.talosintelligence.com/2022/09/lazarus-magicrat.html
#MagicRAT

Contents

- Cisco Talos has discovered a new remote access trojan (RAT) we're calling "MagicRAT," developed and operated by the Lazarus APT group, which the U.S. government believes is a North Korean state-sponsored actor.
- Lazarus deployed MagicRAT after the successful exploitation of vulnerabilities in VMware Horizon platforms.
- We've also found links between MagicRAT and another RAT known as "TigerRAT," disclosed and attributed to Lazarus by the Korean Internet & Security Agency (KISA) recently.
- TigerRAT has evolved over the past year to include new functionalities that we illustrate in this blog.

Executive Summary
Cisco Talos has discovered a new remote access trojan (RAT), which we are calling "MagicRAT," that we are attributing with moderate to high confidence to the Lazarus threat actor, a state-sponsored APT attributed to North Korea by the U.S. Cyber Security & Infrastructure Agency (CISA). This new RAT was found on victims that had been initially compromised through the exploitation of …

IoC

151.106.2.139
193.56.28.251
196fb1b6eff4e7a049cea323459cfd6c0e3900d8d69e1d80bffbaabd24c06eba
1c926fb3bd99f4a586ed476e4683163892f3958581bf8c24235cd2a415513b7f
1f8dcfaebbcd7e71c2872e0ba2fc6db81d651cf654a21d33c78eae6662e62392
23eff00dde0ee27dabad28c1f4ffb8b09e876f1e1a77c1e6fb735ab517d79b76
52.202.193.124
64.188.27.73
66.154.102.91
bffe910904efd1f69544daa9b72f2a70fb29f73c51070bde4ea563de862ce4b1
ca932ccaa30955f2fffb1122234fb1524f7de3a8e0044de1ed4fe05cab8702a5
d20959b615af699d8fff3f0087faade16ed4919355a458a32f5ae61badb5b0ca
f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c
f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332
f78cabf7a0e7ed3ef2d1c976c1486281f56a6503354b87219b466f2f7a0b65c4
http://151.106.2.139
http://193.56.28.251
http://52.202.193.124
http://64.188.27.73
http://66.154.102.91
hxxp://64.188.27.73/adm_bord/login_new_check.php
hxxp://64.188.27.73/board/logo_adm_org.gif
hxxp://64.188.27.73/board/mfcom1.gif
hxxp://64.188.27.73/board/pct.gif
hxxp://64.188.27.73/board/tour_upt.html
hxxp://gendoraduragonkgp126.com/board/index.php