Lazarus Exploits a Zoho ManageEngine Vulnerability to Distribute QuiteRAT and CollectionRAT
A recently fixed vulnerability (CVE-2022-47966) affecting Zoho ManageEngine ServiceDesk Plus has been used by Lazarus, a North Korean state-sponsored APT group, to spread the remote access trojan QuiteRAT.
Background
According to a report recently published by Cisco Talos, the attack began earlier this year. In the United States and the United Kingdom, it was intended to compromise suppliers of internet backbone infrastructure and healthcare organizations. Further investigation revealed that the attack was designed to distribute the QuiteRAT malware and a recently found remote access trojan (RAT), which the team named CollectionRAT. Early in 2023, when the North Korean organization utilized an exploit for CVE-2022-47966, a pre-authentication remote code execution vulnerability impacting a number of Zoho ManageEngine products, Cisco Talos researchers learned about the attack against UK internet service providers.Technical Analysis
CVE-2022-47966:
Unauthenticated RCE vulnerability CVE-2022-47966 affects Zoho ManageEngine products including ServiceDesk Plus, Password Manager Pro, and ADSelfService Plus. These products have been the target of public attacks during the previous 12 months. Depending on the specific ManageEngine product and whether or not its SAML single-sign-on is active, or has ever been enabled, the vulnerability—a pre-authentication remote code execution—can be exploited. The usage of Apache xmlsec 1.4.1, often known as XML Security for Java, is responsible for this.QuiteRAT:
The researchers classified QuiteRAT, which was discovered in February 2023, as a successor of MagicRAT, a remote access trojan that the North Korean group also used in the second half of 2022 to target energy suppliers in Japan, Canada, and the United States. Averaging about 4 to 5 MB in size, QuiteRAT is a lot smaller implementation than MagicRAT, which is a larger, bulkier malware family. This substantial difference in size is caused by the fact that Lazarus Group only incorporated a small subset of the necessary Qt libraries into QuiteRAT as compared to the whole Qt framework in MagicRAT. Furthermore, QuiteRAT lacks a persistence capability and requires one to be provided by the C2 server in order to continue operating on the infected endpoint, in contrast to MagicRAT, which has persistence mechanisms built into it via the ability to set up scheduled activities. This is another element that contributes to QuiteRAT’s lower size. The inclusion of Qt increases the complexity of the code, which makes human analysis more difficult, as shown with the MagicRAT malware from Lazarus Group. Since Qt is rarely utilized in malware development, using it significantly reduces the accuracy of machine learning and heuristic analysis detection. Capabilities of QuiteRAT include Self-deletion, Launching and fetching new payloads, New process spawning, Reverse shell creation, System information gathering, File management, and Arbitrary command execution. The group’s penchant for reusing infrastructure not only allowed researchers to link these most recent attacks to Lazarus but also allowed them to identify additional malware they utilize (notably, CollectionRAT).CollectionRAT:
According to a different report from Cisco Talos, the North Korean hacking group is using a new malware dubbed CollectionRAT, which the research team found after looking at the infrastructure, the attackers had previously used in past attacks. CollectionRAT is a Windows binary that is bundled with the Microsoft Foundation Class (MFC) library and instantly decrypts and runs the malicious code. The researchers said that MFC, which is typically used to design the user interfaces, controls, and events for Windows applications, “allows many components of malware to smoothly operate with one other while abstracting the core implementations of the Windows OS from the authors.
Operational links between the various malware implants. (Source: Talos)
The extensive use of open-source tools and frameworks, such as DeimosC2 for control and command communication, PuTTY Link (Plink) for remote tunneling, and Mimikatz for credential theft, are among the additional indications of evolution in the North Korean group’s procedures, techniques, and tactics that Cisco has listed.Infection Chain:
QuiteRAT:
To get started, the actors used a ManageEngine ServiceDesk instance that was vulnerable. The successful attack caused the Java runtime process to immediately download and launch a malicious payload. If the malware is downloaded successfully, the Java process will then execute the QuiteRAT binary, activating the implant on the compromised server. As soon as the implant begins to operate, it sends out basic system data to its command and control (C2) servers and then waits for a response from the C2 with either a command code to execute or an actual Windows command to execute on the endpoint through a child cmd.exe process. There is no in-built persistence mechanism in QuiteRAT. Persistence for the implant is achieved via the registry by issuing the following command to QuiteRAT: C:\Windows\system32\cmd[.]exe /c sc create WindowsNotification type= own type= interact start= auto error= ignore binpath= cmd /K start c:\users\public\notify[.]exe
Infection chain (Source: Talos)