MagicRAT: Lazarus’ latest gateway into victim networks

Cisco Talos identifies a new Lazarus Group remote access trojan named MagicRAT, deployed after exploiting publicly exposed VMware Horizon platforms. The malware, linked to TigerRAT and Lazarus infrastructure, includes persistence, reconnaissance, and the hosting of additional Lazarus implants via its C2. #MagicRAT #Lazarus

Keypoints

  • Cisco Talos attributes MagicRAT to the Lazarus threat actor with moderate to high confidence, in line with CISA's attribution.
  • The initial access vector involved exploitation of publicly exposed VMware Horizon platforms.
  • MagicRAT is built with the Qt Framework to increase code complexity and hinder human and ML-based analysis.
  • Once deployed, MagicRAT can drop and run additional payloads (e.g., port scanners) and uses its C2 to host newer Lazarus implants like TigerRAT.
  • Persistence is achieved through Windows Scheduled Tasks and startup folder mechanisms; a remote shell enables arbitrary command execution.
  • Reconnaissance is limited at first (whoami, systeminfo, ipconfig /all) with exfiltration of results (e.g., zero_dump.mix).
  • TigerRAT brings capabilities such as screen capture, keylogging, SOCKS tunneling, extensive file management, USB dump, and self-deletion, with evolving feature sets over time.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Lazarus exploited VMware Horizon vulnerabilities to gain initial access. “[Lazarus deployed MagicRAT after the successful exploitation of vulnerabilities in VMWare Horizon platforms.]”
  • [T1053.005] Scheduled Task – MagicRAT achieves persistence by creating scheduled tasks. “schtasks /create /tn "OneDrive AutoRemove" … /sc daily”
  • [T1547.001] Startup Items – Startup folder persistence. “Link created on startup folder [T1547/001]”
  • [T1082] System Information Discovery – Initial recon using system queries. “During the initial stages of execution, MagicRAT will perform just enough system reconnaissance to identify the system and environment … by executing the commands whoami, systeminfo and ipconfig /all.”
  • [T1059.003] Windows Command Shell – Remote shell for arbitrary command execution. “the operator can determine the timing for the implant to sleep, change the C2 URLs and delete the implant from the infected system.”
  • [T1105] Ingress Tool Transfer – Deployment of additional payloads (e.g., VSingle) after MagicRAT; download and execution of another implant. “the subsequent download and execution of another custom-developed malware called ‘VSingle’”
  • [T1560] Archive Collected Data – Data collection and preparation for exfiltration. “Add these files to an existing archive – in preparation for exfiltration.”
  • [T1113] Screen Capture – TigerRAT capabilities include screen capture.
  • [T1056.001] Keylogging – TigerRAT capabilities include keylogging.
  • [T1090] Proxy – SOCKS tunneling capability. “Socks tunneling.”
  • [T1070.004] Indicator Removal on Host – Self-delete/uninstall from the system. “Self delete/uninstall from system.”
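The scheduled-task persistence and the whoami / systeminfo / ipconfig /all recon triad above are easy to hunt for in process-creation telemetry. The following detection sketch is an added example, not code from Talos or the report; the task name "OneDrive AutoRemove" and the three recon commands come from the report, while the user-writable path roots, the parent-image field and the sample events are constructed assumptions.

```python
import re
from collections import defaultdict

KNOWN_TASK_NAMES = {"onedrive autoremove"}                          # task name quoted in the report
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")  # assumed suspicious /tr roots
RECON_TRIAD = {"whoami", "systeminfo", "ipconfig /all"}             # recon commands named in the report
TN_RE = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.I)
TR_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)


def parse_schtask(cmdline):
    """Return (task_name, run_target) for a 'schtasks /create' command line, else None."""
    if not re.search(r'\bschtasks(?:\.exe)?\b.*\s/create\b', cmdline, re.I):
        return None
    tn, tr = TN_RE.search(cmdline), TR_RE.search(cmdline)
    name = (tn.group(1) or tn.group(2)) if tn else ""
    target = (tr.group(1) or tr.group(2)) if tr else ""
    return name, target


def detect(events):
    """Return (host, rule, detail) findings for events of (host, parent_image, command_line)."""
    findings = []
    recon_seen = defaultdict(set)  # (host, parent) -> recon commands observed so far
    for host, parent, cmdline in events:
        parsed = parse_schtask(cmdline)
        if parsed:
            name, target = parsed
            if name.lower() in KNOWN_TASK_NAMES or target.lower().startswith(USER_WRITABLE):
                findings.append((host, "suspicious_scheduled_task", f"{name} -> {target}"))
        cmd = " ".join(cmdline.lower().split())  # normalise spacing: "ipconfig  /all" -> "ipconfig /all"
        if cmd in RECON_TRIAD:
            recon_seen[(host, parent)].add(cmd)
            if recon_seen[(host, parent)] == RECON_TRIAD:  # all three seen from one parent
                findings.append((host, "recon_triad", parent))
    return findings


# Constructed sample telemetry (not real logs): one infected host, one benign host.
SAMPLE_EVENTS = [
    ("ws01", "C:\\Users\\Public\\up.exe", 'schtasks /create /tn "OneDrive AutoRemove" /tr C:\\Users\\Public\\up.exe /sc daily'),
    ("ws01", "C:\\Users\\Public\\up.exe", "whoami"),
    ("ws01", "C:\\Users\\Public\\up.exe", "systeminfo"),
    ("ws01", "C:\\Users\\Public\\up.exe", "ipconfig  /all"),
    ("ws02", "C:\\Windows\\explorer.exe", "ipconfig /all"),
    ("ws02", "C:\\Windows\\System32\\cmd.exe", "schtasks /create /tn Backup /tr C:\\Windows\\System32\\backup.exe /sc weekly"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run on the sample, only ws01 is flagged: once for the lookalike task name and once for the complete recon triad from a single parent, while ws02's lone ipconfig and system-path task stay quiet.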

Indicators of Compromise

  • [Hash] MagicRAT – f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332
  • [Hash] TigerRAT – f78cabf7a0e7ed3ef2d1c976c1486281f56a6503354b87219b466f2f7a0b65c4, 1f8dcfaebbcd7e71c2872e0ba2fc6db81d651cf654a21d33c78eae6662e62392
  • [URL] C2 and payload delivery – hxxp[://]64[.]188[.]27[.]73/adm_bord/login_new_check[.]php, hxxp[://]gendoraduragonkgp126[.]com/board/index[.]php
  • [Domain] Domains – gendoraduragonkgp126[.]com
  • [IP] 193[.]56[.]28[.]251, 52[.]202[.]193[.]124, 64[.]188[.]27[.]73, 151[.]106[.]2[.]139, 66[.]154[.]102[.]91
  • [File] Visual configuration file – visual.1991-06.com.microsoft_sd.kit
  • [File] Zero_dump – zero_dump.mix
  • [File] Port scanner image – pct.gif

Read more: https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html