New malware from North Korea’s Lazarus used against healthcare industry

A notorious hacking group working on behalf of the North Korean government is using a new strain of malware to attack healthcare entities and internet backbone infrastructure in Europe and the United States.

Security researchers from Cisco Talos published two reports outlining a string of incidents involving the long-running Lazarus hacking group, which garnered headlines for its role in allegedly stealing $1.7 billion worth of cryptocurrency in 2022.

“This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations,” the researchers explained, adding that these incidents involved the exploitation of a vulnerability affecting ManageEngine ServiceDesk. The reports do not identity specific targets of the hacking campaign.

The ManageEngine suite is used by hundreds of organizations — including 9 in 10 Fortune 100 organizations — for IT infrastructure, networks, servers, applications, endpoints and more, according to the company. In January, the company behind the product announced the vulnerability — cataloged as CVE-2022-47966 — and security firms warned that it was being exploited by hackers.

Cisco Talos said the attackers began to exploit the bug in February to deploy a newer, more complex brand of malware that the researchers track as QuiteRAT, which has many of the same features as other strains of malware used by Lazarus but is more difficult for defenders to examine and catch. The hackers also used open-source tools and frameworks in the initial access phase of their attacks, according to the researchers.

The malware allows the hackers to gather data about the infected device, and it has a feature that allows it to “sleep” for predetermined amounts of time, allowing the operation to stay dormant on a compromised network.

QuiteRAT is much smaller than its predecessor, MagicRAT, which Lazarus hackers first unveiled in April 2022. QuiteRAT is only 4 to 5 MB in size, partially because it does not have the ability to perform persistence capabilities on a victim network. The hackers have to push out a separate persistence capability after the fact, Cisco Talos said.

“There are similarities between the implants that indicate that QuiteRAT is a derivative of MagicRAT. Apart from being built on the Qt framework, both implants consist of the same abilities, including running arbitrary commands on the infected system,” the researchers said.

“In addition to their ‘QuiteRAT’ malware, which we covered in the blog, we also discovered Lazarus Group using a new threat called ‘CollectionRAT.’ CollectionRAT has standard remote access trojan (RAT) capabilities, including the ability to run arbitrary commands on an infected system.”

Cisco Talos tied CollectionRAT to a unit within Lazarus Group known as Andariel. The researchers found multiple indications that the hackers are “changing its tactics” and increasingly relying on open-source tools as they evolve their bag of tricks.

Familiar tools

The group is increasingly brazen, the researchers said, and it appears unconcerned with reusing much of the same infrastructure, tactics, techniques and procedures identified by many security companies and governments around the world.

Cisco Talos noted that this is the third Lazarus campaign it has tracked over the last year including incidents involving energy providers in the United States, Canada and Japan last September.

Several cybersecurity experts said the use of open-source tools was concerning because it muddied the waters for attribution and made the exploitation process quicker.

Using open-source tools allows the hackers to raise fewer red flags and skip the process of developing capabilities from scratch, said Callie Guenther, a cyberthreat research senior manager at Critical Start.

Many open-source tools used for legitimate defensive and offensive tasks also have a known success rate and are constantly improved by members of the security community, making them more adaptable, Guenther explained.

Intruding into system management software and using malware built on open source tools is a “one-two punch,” said Vulcan Cyber co-founder Yaniv Bar-Dayan.

“A systems management tool like ManageEngine will have unprecedented access to an organization’s infrastructure, and open source software is pervasive in the software supply chain,” he said.