Lazarus Group Leverages ManageEngine RCE for Breaches to US & UK Orgs
Category: Threat Actor Activity | Industries: Healthcare, Telecommunications
Source: Cisco Talos
Cisco Talos researchers have revealed that the North Korean state-sponsored actor Lazarus Group has been actively exploiting a pre-authentication remote code execution vulnerability (CVE-2022-47966) in ManageEngine ServiceDesk software since early 2023. This campaign targeted an internet backbone infrastructure service provider and healthcare entities in the United States and the United Kingdom. The group promptly capitalized on the vulnerability, launching exploitation attempts only "five days after PoCs" had been publicly disclosed. Notably, in their recent campaign, Lazarus Group also reused existing infrastructure, employing a domain that has been in use since May 2022.
Upon infiltrating the network, the attackers deployed their malware, QuiteRAT, using the cURL command to deploy the binary from a malicious URL. QuiteRAT exhibits reconnaissance capabilities, gathers system information, and communicates with command and control (C2) servers for further instructions. Compared with Lazarus Group's prior MagicRAT, QuiteRAT exhibits improved capabilities and a lighter profile. One caveat is that QuiteRAT cannot establish persistence on its own and requires a persistence mechanism to be issued from the attacker's C2 server.
Cisco Talos emphasizes the challenges that Lazarus Group's use of the Qt framework poses for cybersecurity defenders, as it increases "code complexity, making human analysis harder. Using Qt also makes machine learning and heuristic analysis detection less reliable, since Qt is rarely used in malware development." The malware's evolution showcases Lazarus Group's adaptability and ongoing efforts to exploit vulnerabilities for their cyber operations. This is further demonstrated in a separate report in which Cisco Talos details another Lazarus malware tracked as CollectionRAT, an improved variant of EarlyRAT.