top of page

Lazarus Group Exploiting Patched Security Flaw to Distribute QuiteRAT and CollectionRAT

Cybersecurity analysts have recently reported a concerning increase in activities linked to the infamous Lazarus Group, a threat organization hailing from North Korea. The group has a notorious reputation for exploiting security vulnerabilities, such as those in the Zoho ManageEngine ServiceDesk Plus which were previously patched. The exploitation led to the embedding of a potent remote access trojan known colloquially as QuiteRAT. The Lazarus Group cast a rather wide yet strategic net, with the primary affected targets being the healthcare sectors and internet infrastructure entities specifically in the United States and Europe.

Detailed analyses and evaluation were published in a two-segment report by cybersecurity powerhouse, Cisco Talos. The researchers uncovered intriguing evidence pointing towards Lazarus Group’s rather nonchalant, or perhaps confident, reuse of their attack infrastructure that have been documented and well-known over the years. This discovery unraveled a newly minted threat called CollectionRAT.

After a direct comparison was made between the functionality capabilities of QuiteRAT and its precursor, MagicRAT, researchers from Cisco Talos observed numerous similarities. The two malwares were developed on the same Qt framework, therefore, they exhibit analogous functionalities such as the flexibility to execute arbitrary instructions.

Lazarus Group’s intentional utilization of the Qt framework presumably explains the complexity and sophistication of the malware’s coding. This was proven in 2023 when Lazarus orchestrated an exploitation merely five days post the online roll-out of a proof-of-concept for the flaw, validating the prowess of QuiteRAT.

However, it's worth noting QuiteRAT is a smaller but equally deadly version of MagicRAT, taking up less than a third of MagicRAT's size. QuiteRAT however lacks a built-in sustainment feature which implies a continued input from the server to maintain its malignant capabilities on the compromised host - a distinction from its predecessor.

Evidence of these findings can be seen in a recent campaign unveiled by WithSecure, which depicted the exploitation of unpatched potential loopholes in Zimbra devices to launch QuiteRAT. The informants from Cisco Talos stated that the adversary is shifting gears, now leveraging open-source tools and frameworks almost immediately after commencing an attack, contradicting their previous prevalent usage in the post-attack phase.

This lead to the further discovery of an open-source, GoLang-based DeimosC2 framework being adopted by the Lazarus Group, which is supplemented by CollectionRAT to gather metadata, execute arbitrary commands, manage infected files and systems and disseminate additional payloads. While it remains unclear how CollectionRAT infiltrates the system, there are indications revealing the use of a trojanized version of the PuTTY Link utility hosted on the same infrastructure to facilitate the malware’s distribution.

This shows the continuous evolution of the Lazarus Group, adding to their lethal arsenal and adapting new exploitations of software vulnerabilities to broaden their control. It's vital to be aware of such cyber threats and plan your defenses accordingly.

At Darksteel Technologies, we are an Orlando based business that can handle all aspects of your IT security. Providing compliance, training, malware protection, cloud security, devsecops, vulnerability management, penetration testing, architecture design and any other information security requirement your business needs. We focus on your cybersecurity so you don't have to.


Commenting has been turned off.
bottom of page