Security News > 2023 > August > Cisco Talos Research: New Lazarus Group Attack Malware Campaign Hits UK & US Businesses
The Cisco Talos report exposes new malware used by the group to target Internet backbone infrastructure and healthcare organizations in the U.K. and the U.S. Two reports from cybersecurity company Cisco Talos provide intelligence about a new attack campaign from the North Korean threat actor Lazarus.
The researchers observed the Lazarus group successfully compromise an internet backbone infrastructure provider in the U.K. in early 2023, deploying a new malware dubbed QuiteRAT. The initial compromise was done via exploitation of the CVE-2022-47966 vulnerability, which affects Zoho's ManageEngine ServiceDesk.
Once the malware has been executed, it starts sending initial information about the system to its command-and-control server and waits for an answer, which might be a direct command to the malware or a Microsoft Windows command line to be executed via the cmd.
Figure A. The Lazarus group's new arsenal of malware.
Lazarus has used various malware in this attack campaign: QuiteRAT, CollectionRAT, DeimosC2 and malicious Plink.
Although the group makes a lot of changes to its arsenal, the North Korean state-sponsored Lazarus threat actor "Continues to use much of the same infrastructure despite those components being well-documented by security researchers over the years," according to Cisco Talos.
News URL
https://www.techrepublic.com/article/cisco-talos-lazarus-group-new-malware/
Related news
- Feds name and charge alleged Silk Typhoon spies behind years of China-on-US attacks (source)
- Critical Cisco Smart Licensing Utility flaws now exploited in attacks (source)
- Ongoing Cyber Attacks Exploit Critical Vulnerabilities in Cisco Smart Licensing Utility (source)
- ⚡ THN Weekly Recap: GitHub Supply Chain Attack, AI Malware, BYOVD Tactics, and More (source)
- Chinese FamousSparrow hackers deploy upgraded malware in attacks (source)
- Cisco warns of CSLU backdoor admin account used in attacks (source)
- Open-source malware doubles, data exfiltration attacks dominate (source)
- Lazarus Group Targets Job Seekers With ClickFix Tactic to Deploy GolangGhost Malware (source)
- Microsoft Warns of Tax-Themed Email Attacks Using PDFs and QR Codes to Deliver Malware (source)
- New TCESB Malware Found in Active Attacks Exploiting ESET Security Scanner (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-01-18 | CVE-2022-47966 | Unspecified vulnerability in Zohocorp products Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. | 9.8 |