Security News > 2023 > August > Lazarus Group exploited ManageEngine vulnerability to target critical infrastructure

North Korean state-sponsored hackers Lazarus Group have been exploiting a ManageEngine ServiceDesk vulnerability to target internet backbone infrastructure and healthcare institutions in Europe and the US. The group leveraged the vulnerability to deploy QuiteRAT, downloaded from an IP address previously associated with the Lazarus hacking group.

The malware Cisco Talos researchers dubbed QuiteRAT is a simple remote access trojan that's similar to Lazarus Group's MagicRAT malware, only smaller in size.

"As seen with Lazarus Group's MagicRAT malware, the use of Qt increases the code complexity, making human analysis harder. Using Qt also makes machine learning and heuristic analysis detection less reliable, since Qt is rarely used in malware development."

According to Cisco Talos researchers, the Lazarus Group is slightly changing attack tactics.

"Apart from the many dual-use tools and post-exploitation frameworks found on Lazarus Group's hosting infrastructure, we discovered the presence of a new implant that we identified as a beacon from the open-source DeimosC2 framework. Contrary to most of the malware found on their hosting infrastructure, the DeimosC2 implant was a Linux ELF binary, indicating the intention of the group to deploy it during the initial access on Linux-based servers," they added.

Lazarus Group is known for mounting financially motivated and cyberespionage cyberattacks aimed at furthering North Korea's political goals and at stealing cryptocurrency necessary to finance the nation's various efforts.

News URL

https://www.helpnetsecurity.com/2023/08/25/lazarus-group-manageengine/