The North Korean state-sponsored threat actor Lazarus Group was observed exploiting a ManageEngine ServiceDesk vulnerability to launch attacks on a midsized internet backbone provider in the United Kingdom, and multiple healthcare entities in Europe and the United States.
In a blog post Aug. 24, Cisco Talos researchers said this was the third documented campaign attributed to Lazurus in less than a year, with the threat actor reusing the same infrastructure throughout these operations.
“Lazarus is a highly motivated threat actor that conducts operations for espionage, data theft and monetary gains for North Korea,” said Asheer Malhotra, a threat researcher at Cisco Talos. “This new attack exploiting the ManageEngine ServiceDesk application is evidence that Lazarus has now increasingly been using known vulnerabilities to target enterprises that are slow to patch their internet- facing systems.
Malhotra said although Lazarus constantly generates new implants that help them circumvent traditional detection mechanisms, in this specific campaign they have reused previous infrastructure, which presents new opportunities for security teams to track Lazarus down.
In this campaign, Malhotra said the attackers leveraged a remote access trojan (RAT) to exploit a critical ManageEngine ServiceDesk vulnerability (9.8 CVSS) — CVE-2022-47966 — five days after proof-of-concepts (POCs) for the exploit were publicly disclosed to deliver a new malware threat the researchers track as QuiteRAT. Security researchers first discovered QuiteRAT in February, but little has been written on it since.
Malhotra explained that QuiteRAT has many of the same capabilities as Lazarus Group’s better-known MagicRAT malware, but its file size runs significantly smaller. Both implants are built on the Qt framework and include capabilities such as arbitrary command execution.
While conducing its research into the exploits on the ManageEngine ServiceDesk bug, Malhotra said the researchers also found a new, third strain of malware: CollectionRAT, which they also detailed in a second blog posted Aug. 24. Malhotra explained that CollectionRAT is completely different from QuiteRAT and MagicRAT and uses Microsoft’s MFC framework to implement its functionality.
“Both QuiteRAT and CollectionRAT have the ability to accept arbitrary commands from the command-and-control servers and execute them on the infected systems,” said Malhotra. “These implants can also be used to deploy additional malware and dual-use tools to further the infection and conduct malicious hands-on-keyboard activities. Due to similar functionalities, both these implants can be categorized under the RAT umbrella of malware types.”
Malhotra explained that one significant development with CollectionRAT was that they observed Lazarus using open-source frameworks early on in the process for access. Malhotra said Lazarus has been known to churn out malicious malware implants at the speed of light and this brings some challenges to the threat actor.
“Constantly generating new implants requires a substantial amount of development, testing and evasion efforts,” said Malhotra. “The use of open-source tools can remediate these problems since these are frameworks that are ready to use and have proven to be highly effective to other actors in both the APT and crimeware space. Another key advantage of using open-source tools during the initial access phase is that it makes it difficult for analysts to attribute these initial compromises to a specific threat actor such as Lazarus.”
Mayuresh Dani, manager, threat research at Qualys, added that using open-source tooling in any attack phase lets threat actors avoid being profiled and the usage being passed off as a rather unsophisticated one — making it easier to not raise red flags early on in their campaign.
“Normally, when fresh IOCs with specific tooling is shared by means of a feed or between groups, security teams tend to focus on these high priority IOCs first rather than look at known threats,” said Dani. “This gives them some time to gain a foothold and then deploy their custom undetected tooling. By the time responders get to these known IOCs and validate them, the undetected payload would have already been deployed and this gives threat actors more chances of a successful attack.”
On the issue as to whether CollectionRAT is really a new malware, Ken Westin, Field CISO at Panther Labs, said much like legitimate software developers, APT groups and sophisticated cybercriminal syndicates follow similar practices, borrowing from existing code, leveraging open sources tools, and replicating functionality they see in other tools.
“Although it’s new to the Lazarus Group, CollectionRAT is not a particularly novel piece of code, it replicates functionality we see in a lot of malware toolkits, so I see CollectionRAT as just another tool in a larger toolbox that the Lazarus Group uses in their activities,” said Westin.
