Lazarus Group’s infrastructure reuse leads to discovery of new malware

Lazarus Group’s latest campaign leverages CVE-2022-47966 in ManageEngine ServiceDesk to deploy multiple threats, introducing CollectionRAT alongside QuiteRAT and tying new activity to known Lazarus families. The operation shows continued infrastructure reuse, adoption of open-source tools for initial access (DeimosC2 on Linux) and links between CollectionRAT, Jupiter/EarlyRAT, and Andariel. #LazarusGroup #CollectionRAT #DeimosC2 #QuiteRAT #EarlyRAT #Jupiter #Andariel

Keypoints

  • The Lazarus Group exploits CVE-2022-47966 in ManageEngine ServiceDesk to deploy multiple threats, including QuiteRAT and a new malware family, CollectionRAT.
  • CollectionRAT provides standard RAT capabilities (arbitrary commands, file management, reverse shell) and is connected to Jupiter/EarlyRAT, attributed to Andariel by researchers.
  • Lazarus is shifting toward open-source tooling in initial access, using DeimosC2 to deploy a Linux-based implant for early access against Linux endpoints.
  • The campaign infrastructure is reused across campaigns, with QuiteRAT, DeimosC2 beacons, and CollectionRAT hosted on the same locations used previously (MagicRAT campaign).
  • CollectionRAT can fingerprint hosts, receive commands, perform file operations, spawn processes, download payloads, and uninstall itself on command.
  • The group employs malicious Plink (PuTTY) for reverse tunneling, including mutex-based single-connection enforcement to C2.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploits a public-facing vulnerability (ManageEngine ServiceDesk CVE-2022-47966) to deploy threats. ‘the North Korean state-sponsored actor is exploiting CVE-2022-47966, a ManageEngine ServiceDesk vulnerability to deploy multiple threats.’
  • [T1071.001] Web Protocols – Uses HTTP to communicate with C2 during initial access and operation. ‘Initial check-in over HTTP to C2 server.’
  • [T1140] Deobfuscate/Decode Files or Information – Decrypts/decodes payloads using wrappers; ‘MFC framework has just been used as a wrapper/decrypter for the actual malicious code.’
  • [T1082] System Information Discovery – Collects system information to fingerprint infection. ‘initially gathers system information to fingerprint the infection and relay it to the C2 server.’
  • [T1059] Command and Scripting Interpreter – Runs commands via reverse shell to execute arbitrary instructions. ‘The implant has the ability to create a reverse shell, allowing it to run arbitrary commands on the system.’
  • [T1105] Ingress Tool Transfer – Downloads and deploys additional payloads after compromise. ‘spawn new processes, allowing it to download and deploy additional payloads.’
  • [T1070] Indicator Removal on Host – Removes itself from the endpoint when commanded. ‘The implant can also remove itself from the endpoint when directed by the C2.’
  • [T1090] Proxy – Uses Plink for reverse tunneling to C2 with mutex-based single connection enforcement. ‘The malicious Plink will also create a mutex named “GlobalWindowsSvchost” before establishing the remote tunnel to ensure that only one connection is made between the local machine and C2.’

Indicators of Compromise

  • [IP] 146.4.21.94, 109.248.150.13, and 108.61.186.55:443 – network infrastructure used by the campaigns
  • [URL/Domain] ec2-15-207-207-64.ap-south-1.compute.amazonaws.com/resource/main/rawmail.php, 109.248.150.13/EsaFin.exe, 146.4.21.94/boards/boardindex.php, 146.4.21.94/editor/common/cmod – malicious endpoints and resources
  • [Hash] QuiteRAT – ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6
  • [Hash] CollectionRAT – db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984
  • [Hash] DeimosC2 – 05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d
  • [Hash] Trojanized Plink – e3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe
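As an added defender-side example (not code from the Talos report or from this summary), the script below turns the indicator list above into a sweep over proxy logs and a file-hash inventory. The log format, the sample log lines, the file paths and the function names (`sweep_proxy_logs`, `sweep_hashes`) are constructed for the example; the IPs, URLs and SHA-256 hashes are the ones listed on this page. It handles two details that trip up naive matching: the `108.61.186.55:443` indicator carries a port, and the URL indicators carry no scheme, so both sides are normalized before comparison.

```python
"""Sweep constructed proxy logs and a constructed file-hash inventory for the
Lazarus/CollectionRAT indicators listed above (IPs, scheme-less URLs, SHA-256)."""
import re
from urllib.parse import urlsplit

# Indicators as listed on the page. Hashes map to the family they belong to.
IOC_IPS = {"146.4.21.94", "109.248.150.13", "108.61.186.55"}
IOC_URLS_RAW = [
    "ec2-15-207-207-64.ap-south-1.compute.amazonaws.com/resource/main/rawmail.php",
    "109.248.150.13/EsaFin.exe",
    "146.4.21.94/boards/boardindex.php",
    "146.4.21.94/editor/common/cmod",
]
IOC_HASHES = {
    "ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6": "QuiteRAT",
    "db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984": "CollectionRAT",
    "05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d": "DeimosC2",
    "e3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe": "Trojanized Plink",
}


def normalize_url(url):
    """Reduce a URL to lowercase host plus path, dropping scheme, port and query,
    so 'http://146.4.21.94:80/boards/boardindex.php?id=3' equals the listed IoC."""
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to find the host
    parts = urlsplit(url)
    return (parts.hostname or "").lower() + parts.path


# Normalize the page's URL indicators once with the same function.
IOC_URLS = {normalize_url(u) for u in IOC_URLS_RAW}


def host_ip(host):
    """Strip a ':port' suffix from a dotted-quad destination (the page lists
    108.61.186.55:443); non-IP hostnames are returned unchanged."""
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+:\d+", host):
        return host.rsplit(":", 1)[0]
    return host


# Constructed log format: "<ts> <client> <dest-host[:port]> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def sweep_proxy_logs(lines):
    """Return one hit per log line that touches an IoC IP or IoC URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the sweep
        ts, client, dest, _method, url, _status = m.groups()
        reasons = []
        dest_ip = host_ip(dest)
        if dest_ip in IOC_IPS:
            reasons.append("ip:" + dest_ip)
        norm = normalize_url(url)
        if norm in IOC_URLS:
            reasons.append("url:" + norm)
        if reasons:
            hits.append({"ts": ts, "client": client, "reasons": reasons})
    return hits


def sweep_hashes(inventory):
    """inventory: iterable of (path, sha256_hex). Matching is case-insensitive
    because hash tooling emits both upper- and lower-case hex."""
    return [(path, IOC_HASHES[h.lower()]) for path, h in inventory if h.lower() in IOC_HASHES]


# Constructed sample data (not real telemetry).
SAMPLE_LOGS = [
    "2023-08-24T10:01:02Z 10.0.0.5 146.4.21.94:80 POST http://146.4.21.94/boards/boardindex.php?id=3 200",
    "2023-08-24T10:05:09Z 10.0.0.7 108.61.186.55:443 CONNECT 108.61.186.55:443 200",
    "2023-08-24T10:07:00Z 10.0.0.9 www.example.com:443 GET https://www.example.com/index.html 200",
    "2023-08-24T10:09:30Z 10.0.0.5 ec2-15-207-207-64.ap-south-1.compute.amazonaws.com:80 POST "
    "http://EC2-15-207-207-64.ap-south-1.compute.amazonaws.com/resource/main/rawmail.php 200",
    "this line is not in the expected format",
]
SAMPLE_INVENTORY = [
    (r"C:\Users\Public\EsaFin.exe", "ED8EC7A8DD089019CFD29143F008FA0951C56A35D73B2E1B274315152D0C0EE6"),
    (r"C:\Windows\System32\notepad.exe", "0" * 64),
    ("/tmp/.x", "05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d"),
]

if __name__ == "__main__":
    for hit in sweep_proxy_logs(SAMPLE_LOGS):
        print("NETWORK", hit["ts"], hit["client"], ", ".join(hit["reasons"]))
    for path, family in sweep_hashes(SAMPLE_INVENTORY):
        print("FILE", path, "->", family)
```

Each network hit records every reason it fired, so a line that both connects to an IoC IP and requests an IoC path is reported once with both labels rather than twice. The hostname in the fourth sample line is mixed-case and the hash in the first inventory entry is upper-case to show that both comparisons survive the case differences real logs and hash tools produce.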

Read more: https://blog.talosintelligence.com/lazarus-collectionrat/