Security News > 2022 > September > North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns

The prolific North Korean nation-state actor known as the Lazarus Group has been linked to a new remote access trojan called MagicRAT. The previously unknown piece of malware is said to have been deployed in victim networks that had been initially breached via successful exploitation of internet-facing VMware Horizon servers, Cisco Talos said in a report shared with The Hacker News.

Lazarus Group, also known as APT38, Dark Seoul, Hidden Cobra, and Zinc, refers to a cluster of financial motivated and espionage-driven cyber activities undertaken by the North Korean government as a means to sidestep sanctions imposed on the country and meet its strategic objectives.

"In particular, the North Korean methods aim to avoid detection by security products and to remain undetected within the hacked systems for as long as possible."

The latest addition to its wide-ranging malware toolset shows the group's ability to employ a multitude of tactics and techniques depending on their targets and their operational goals.

The C2 infrastructure associated with MagicRAT has been found harboring and serving newer versions of TigerRAT, a backdoor formerly attributed to Andariel and is engineered to execute commands, take screenshots, log keystrokes, and harvest system information.

"The discovery of MagicRAT in the wild is an indication of Lazarus' motivations to rapidly build new, bespoke malware to use along with their previously known malware such as TigerRAT to target organizations worldwide," the researchers said.

News URL

https://thehackernews.com/2022/09/north-korean-hackers-spotted-using-new.html