The North Korea-linked advanced persistent threat (APT) actor Lazarus Group has been observed exploiting a Zoho ManageEngine vulnerability to compromise an internet backbone infrastructure provider in Europe, Cisco’s Talos security researchers report.
The attack occurred in early 2023, roughly five days after proof-of-concept (PoC) exploit code targeting the ManageEngine flaw, which is tracked as CVE-2022-47966 (CVSS score of 9.8), was published.
Identified in the Apache xmlsec (XML Security for Java) third-party dependency, the issue can be exploited for unauthenticated, remote code execution. In November 2022, Zoho announced patches for over 20 impacted on-premises products.
Lazarus was seen exploiting CVE-2022-47966 to deploy a new remote access trojan (RAT) variant called QuiteRAT, which Cisco’s researchers believe is a derivative of the known Lazarus-linked MagicRAT.
Once executed on a compromised machine, QuiteRAT harvests system information and sends it to the attackers’ server, and then waits for commands to execute.
The malware allows the attackers to perform further system reconnaissance, as well as to achieve persistence by issuing a command to modify the Windows registry. QuiteRAT also allows the attackers to deploy additional malware.
Built using the Qt framework, QuiteRAT is much smaller in size compared to MagicRAT, mainly because it incorporates fewer Qt libraries and has no persistence mechanism implemented.
The researchers observed various other similarities between the two malware families, including the implementation of the same abilities, such as support for executing commands on the infected machine.
“Both implants also use base64 encoding to obfuscate their strings with an additional measure, such as XOR or prepending hardcoded data, to make it difficult to decode the strings automatically. Additionally, both implants use similar functionality to allow them to remain dormant on the endpoint by specifying a sleep period for them by the C2 server,” Cisco notes.
According to the researchers, Lazarus appears to have dropped MagicRAT (the latest known variant was compiled in April 2022) and replaced it with QuiteRAT in more recent attacks.
In addition to the internet backbone infrastructure company, Lazarus was also seen targeting healthcare entities in Europe and the US, Cisco notes.
Related: North Korea’s Lazarus Targets Energy Firms With Three RATs
Related: FBI Finds 1,580 Bitcoin in Crypto Wallets Linked to North Korean Hackers
Related: North Korean Hackers Targeted Russian Missile Developer