Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT

Lazarus Group, a North Korean state-sponsored actor, targeted internet backbone infrastructure and healthcare entities in Europe and the United States, repeatedly reusing the same infrastructure across campaigns. They exploited a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) to deploy QuiteRAT, a Qt-based remote access tool, marking a continued evolution in their toolkit. #LazarusGroup #QuiteRAT #MagicRAT #ManageEngine #CVE-2022-47966

Keypoints

  • Lazarus Group targeted internet backbone providers and healthcare entities in Europe and the US, reusing the same infrastructure across campaigns.
  • The attackers exploited the ManageEngine ServiceDesk vulnerability CVE-2022-47966 to gain initial access and deliver QuiteRAT.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) five days after PoCs were publicized to gain initial access. “exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) five days after PoCs for the exploit were publicly disclosed to deliver and deploy a newer malware threat we track as ‘QuiteRAT.’”
  • [T1105] Ingress Tool Transfer – Downloading and executing the QuiteRAT binary via the Java runtime process after exploitation. “The successful exploitation triggered the immediate download and execution of a malicious binary via the Java runtime process.”
  • [T1027] Obfuscated Files or Information – Strings inside the implant are XOR'ed with a single-byte key and then base64 encoded; the victim identifier is derived from an MD4 hash rather than sent in the clear. “The strings are XOR’ed with 0x78 and then base64 encoded.” “The resulting string is then used to calculate an MD4 hash, which is then used as the infection identifier (victim identifier) while conversing with the C2 server.”
  • [T1071.001] Web Protocols – Command and control communications over HTTP GET with specific parameters (mailid, action, body, param, session). “The URL for the HTTP GET to obtain inputs from the C2 looks like this: /mailid=&action=inbox…”
  • [T1082] System Information Discovery – Initial reconnaissance runs systeminfo and filters the output for the logon server. “C:\windows\system32\cmd.exe /c systeminfo | findstr Logon”
  • [T1016] System Network Configuration Discovery – ipconfig output is filtered for the DNS suffix to learn the victim's domain. “C:\windows\system32\cmd.exe /c ipconfig | findstr Suffix”
  • [T1112] Modify Registry – The report describes the persistence mechanism as registry-based; the sc create command below writes the new service definition under HKLM\SYSTEM\CurrentControlSet\Services. “Persistence for the implant is achieved via the registry by issuing the following command to QuiteRAT.”
  • [T1543.003] Create or Modify System Process: Windows Service – Creating an auto-start Windows service named WindowsNotification for persistence. “sc create WindowsNotification type= own type= interact start= auto…”
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – cmd.exe /c is used to run the reconnaissance commands (systeminfo, ipconfig) during the intrusion. “C:\windows\system32\cmd.exe /c …”
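As an added example (not code from the Talos report or from this page), the Python helpers below do two things an analyst would want from the T1027 and T1071.001 items above: reproduce the implant's string encoding (XOR 0x78, then base64) so captured strings can be decoded, and flag proxy log lines that either reach one of the IOC hosts listed on this page or carry the five C2 query parameters (mailid, action, body, param, session). The log format, client IPs, parameter values and the non-IOC host 198.51.100.23 are assumptions constructed for illustration; the XOR key, parameter names and IOC hosts come from this page. The MD4 infection identifier is not reproduced because the page does not say which string is hashed.

```python
"""Analyst helpers for the QuiteRAT tradecraft described above (added example,
not code from the Talos report). Log format and sample values are constructed."""
import base64
import re
from urllib.parse import parse_qs, urlsplit

XOR_KEY = 0x78  # per the report: strings are XOR'ed with 0x78, then base64 encoded

# Hosts taken from the IOC list on this page.
IOC_HOSTS = {
    "146.4.21.94",
    "ec2-15-207-207-64.ap-south-1.compute.amazonaws.com",
}
# Query parameter names taken from the C2 description on this page.
C2_PARAMS = {"mailid", "action", "body", "param", "session"}


def encode_string(plaintext: str) -> str:
    """Reproduce the implant's string encoding: XOR every byte with 0x78, then base64."""
    xored = bytes(b ^ XOR_KEY for b in plaintext.encode("utf-8"))
    return base64.b64encode(xored).decode("ascii")


def decode_string(encoded: str) -> str:
    """Invert encode_string(): base64-decode first, then XOR each byte with 0x78."""
    xored = base64.b64decode(encoded)
    return bytes(b ^ XOR_KEY for b in xored).decode("utf-8", errors="replace")


# Assumed proxy log format: "<timestamp> <client_ip> <method> <url>" (constructed).
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def match_c2_request(line: str):
    """Return (client_ip, host, reasons) when a line looks like QuiteRAT C2 traffic, else None.

    Two independent signals are checked: a known IOC host catches the request even
    if the query changes, and the parameter shape catches reuse of the protocol on
    infrastructure not yet on the IOC list.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, client_ip, method, url = m.groups()
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if host in IOC_HOSTS:
        reasons.append("known Lazarus host")
    # The report shows the parameters directly after '/', so accept them in the
    # query string or as the path itself.
    query_text = parts.query or parts.path.lstrip("/")
    names = set(parse_qs(query_text, keep_blank_values=True))
    if method.upper() == "GET" and C2_PARAMS <= names:
        reasons.append("QuiteRAT GET parameter set")
    return (client_ip, host, reasons) if reasons else None


# Constructed sample lines (not real telemetry); parameter values are placeholders.
SAMPLE_LOG = """\
2023-02-01T10:01:00Z 10.0.0.5 GET http://146.4.21.94/tmp/tmp/log.php?mailid=abc&action=inbox&body=&param=&session=1
2023-02-01T10:01:05Z 10.0.0.7 GET http://intranet.example.internal/mail?mailid=jdoe&action=inbox
2023-02-01T10:01:09Z 10.0.0.9 GET http://198.51.100.23/mailid=def&action=inbox&body=&param=&session=2
2023-02-01T10:01:12Z 10.0.0.5 GET http://146.4.21.94/tmp/tmp/comp.dat
2023-02-01T10:01:20Z 10.0.0.11 POST http://www.example.com/login
"""


def scan_log(text: str):
    """Run match_c2_request over every line and return only the hits."""
    hits = []
    for line in text.splitlines():
        hit = match_c2_request(line)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    print(encode_string("cmd"), decode_string(encode_string("cmd")))
    for client_ip, host, reasons in scan_log(SAMPLE_LOG):
        print(f"{client_ip} -> {host}: {', '.join(reasons)}")
```

The second sample line shows why the host match and the parameter match are kept separate: a legitimate webmail request can carry mailid and action, so only the full five-parameter set is treated as a protocol match, and a hit on a known host is reported even when the request (such as the comp.dat download) carries no query at all.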

Indicators of Compromise

  • [IP] 146.4.21.94 – The IP address has been used by Lazarus since at least May 2022.
  • [URL] http://146.4.21.94/tmp/tmp/comp.dat, http://146.4.21.94/tmp/tmp/log.php, http://146.4.21.94/tmp/tmp/logs.php – Malicious payloads and logging endpoints used in C2 communications.
  • [URL] http://ec2-15-207-207-64.ap-south-1.compute.amazonaws.com/resource/main/rawmail.php – Additional C2/resource endpoint.
  • [File hash] ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6 – QuiteRAT binary hash observed in the wild.
  • [File name] notify.exe – 32-bit QuiteRAT binary (compile date May 30, 2022).
  • [File name] acres.exe – Another QuiteRAT binary (compile date July 22, 2022).
  • [File name] acres.exe – 64-bit variant (compile date July 25, 2022).

Read more: https://blog.talosintelligence.com/lazarus-quiterat/