Lazarus Group Debuts Tiny Trojan for Espionage Attacks

The Malware Is Based on an Unusual Development Framework
There's nothing tiny about this North Korean monument to the founding of the Korean Workers' Party. (Image: Shutterstock)

Researchers spotted North Korean state hackers deploying a more compact remote access Trojan through a flaw in IT service management software in a campaign affecting European and U.S. critical infrastructure.

Security firm Cisco Talos said Lazarus Group in May started deploying a Trojan that researchers named QuiteRAT because it is a smaller version of the custom North Korean malware Cisco Talos christened MagicRAT in fall 2022. The newer variant retains many of the capabilities of its larger precursor.

Once inside a network, QuiteRAT performs initial system reconnaissance, relays the information to a command-and-control server, and waits for fresh commands to perform additional tasks such as establishing persistence, running arbitrary code or deploying additional malware.

Both Trojans are built on Qt, an open-source application development framework, which makes machine learning and heuristic detection tools less reliable because Qt is "rarely used in malware development." The framework is widely used for building graphical user interfaces, although neither MagicRAT nor QuiteRAT has a GUI. Qt-based code also makes human analysis more difficult because of its complexity.

North Korean coders cut the Trojan's size to 5 megabytes, down from MagicRAT's 18MB, by linking in only a handful of Qt libraries rather than the entire framework. QuiteRAT also lacks a built-in persistence mechanism: it establishes persistence by downloading additional code from its command-and-control server rather than carrying that capability in the implant itself, the researchers said.

The researchers said North Korean hackers used QuiteRAT to target internet backbone infrastructure and healthcare entities in Europe and the United States. The hackers gained access by exploiting a vulnerability in Zoho's ManageEngine ServiceDesk application tracked as CVE-2022-47966.

The researchers said they attributed the campaign to North Korea in part by tracing the IP address the hackers used to deploy QuiteRAT. The address, 146.4.21.94, "has been used by Lazarus since at least May 2022," they said.
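A practical follow-on to that indicator: the added example below (not code from the article or from Cisco Talos) scans firewall-style log lines for outbound connections to the reported C2 address and groups the hits by internal source host, so a responder can see which machines talked to it. The log layout, the internal addresses and every line in SAMPLE_LOG are constructed for this example; the only value taken from the article is 146.4.21.94.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicator reported in the article: the address Cisco Talos observed Lazarus
# using to deploy QuiteRAT. Every other address in this file is constructed.
LAZARUS_C2_INDICATORS = {"146.4.21.94"}

# Constructed sample log (not real traffic). Assumed layout for this example:
# "<timestamp> <src_ip> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
2023-05-14T02:11:09Z 10.20.4.17 146.4.21.94:80 ALLOW
2023-05-14T02:11:10Z 10.20.4.17 146.4.21.94:443 ALLOW
2023-05-14T02:12:44Z 10.20.4.31 93.184.216.34:443 ALLOW
2023-05-14T02:13:01Z 10.20.4.17 146.4.21.94:8080 DENY
malformed line without fields
2023-05-14T02:15:27Z 10.20.9.2 192.0.2.10:443 ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<action>\w+)\s*$"
)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    src: str
    dst: str
    port: int
    action: str


def parse_line(line):
    """Parse one log line; return None for lines that do not fit the layout
    or carry an address that is not a valid IPv4 literal (e.g. 999.1.1.1)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ipaddress.ip_address(m["src"])
        ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    return Hit(m["ts"], m["src"], m["dst"], int(m["port"]), m["action"])


def scan_log(text, indicators=LAZARUS_C2_INDICATORS):
    """Return (hits, skipped): every record whose destination is in the
    indicator set, regardless of ALLOW/DENY (a blocked attempt still means a
    host tried to reach the C2), plus a count of unparseable lines so a
    truncated or misformatted feed does not silently hide matches."""
    hits, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec.dst in indicators:
            hits.append(rec)
    return hits, skipped


def summarize(hits):
    """Map each internal source host to the sorted set of C2 ports it touched."""
    by_src = {}
    for h in hits:
        by_src.setdefault(h.src, set()).add(h.port)
    return {src: sorted(ports) for src, ports in by_src.items()}


if __name__ == "__main__":
    hits, skipped = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h.timestamp} {h.src} -> {h.dst}:{h.port} ({h.action})")
    print("hosts contacting C2:", summarize(hits))
    print("unparseable lines:", skipped)
```

A single IP is a weak and perishable indicator: the article itself presents it as only part of the attribution, and infrastructure can be re-used or shared with unrelated services. Treat a hit as a trigger to pull the host's process and network history and check the address against current threat intelligence, not as proof of compromise on its own.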

Cisco Talos first observed MagicRAT in 2022, when it tracked Lazarus exploiting vulnerabilities in publicly exposed VMware Horizon servers to target energy companies worldwide.


About the Author

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.
