The prolific North Korean nation-state actor commonly known as the Lazarus Group has been linked to a new remote access trojan called MagicRAT.
The previously unknown piece of malware is said to have been deployed in victim networks that had been initially breached via successful exploitation of internet-facing VMware Horizon servers, Cisco Talos said in a report shared with The Hacker News.
“While being a relatively simple RAT capability-wise, it was built with recourse to the Qt Framework, with the sole intent of making human analysis harder, and automated detection through machine learning and heuristics less likely,” Talos researchers Jung soo An, Asheer Malhotra, and Vitor Ventura said.
Lazarus Group, also known as APT38, Dark Seoul, Hidden Cobra, and Zinc, refers to a cluster of financially motivated and espionage-driven cyber activities undertaken by the North Korean government as a means to sidestep sanctions imposed on the country and meet its strategic objectives.
Like the other umbrella collectives Winnti and MuddyWater, the state-sponsored hacking collective also has “spin-off” groups such as Bluenoroff and Andariel, which focus on specific kinds of attacks and targets.
While the Bluenoroff subgroup is focused on attacking foreign financial institutions and perpetrating monetary theft, Andariel is dedicated to its pursuit of South Korean organizations and businesses.
“Lazarus develops their own attack tools and malware, can use innovative attack techniques, works very methodically, and takes their time,” cybersecurity firm NCC Group said in a report detailing the threat actor.
“In particular, the North Korean techniques aim to avoid detection by security products and to remain undetected within the hacked systems for as long as possible.”
The latest addition to its wide-ranging malware toolset shows the group's ability to use a multitude of tactics and techniques depending on their targets and their operational objectives.
A C++-based implant, MagicRAT is designed to achieve persistence by creating scheduled tasks on the compromised system. It is also “relatively simple” in that it provides the attacker with a remote shell to execute arbitrary commands and carry out file operations.
MagicRAT is also capable of launching additional payloads retrieved from a remote server on infected hosts. One of the executables retrieved from the command-and-control (C2) server takes the form of a GIF image file, but in reality is a lightweight port scanner.
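The masquerade described above (an executable delivered under a GIF name) is something a defender can check for by content rather than extension. The following Python is an added example, not code from the Talos report or from the article; the file names and header bytes it uses are constructed for illustration, and the check generalises to any .gif that carries an MZ/PE header rather than a real GIF signature.

```python
# Added example: flag files that are named as GIF images but whose bytes
# are a Windows PE executable. All sample bytes here are constructed.
from pathlib import Path
import struct
import tempfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
PE_MAGIC = b"MZ"


def sniff_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name."""
    if data[:6] in GIF_MAGICS:
        return "gif"
    if data[:2] == PE_MAGIC and len(data) >= 0x40:
        # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "pe"
        return "mz-dos"  # MZ stub without a reachable PE signature
    return "unknown"


def gif_masquerade(name: str, data: bytes) -> bool:
    """True when the name claims .gif but the content is an executable."""
    return name.lower().endswith(".gif") and sniff_type(data) in ("pe", "mz-dos")


def build_fake_pe() -> bytes:
    """Constructed minimal MZ header plus PE signature (not a runnable binary)."""
    hdr = bytearray(0x40)
    hdr[:2] = PE_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def scan_dir(directory: Path) -> list:
    """Names of .gif files in a directory whose header is MZ/PE."""
    return sorted(p.name for p in directory.iterdir()
                  if p.is_file() and gif_masquerade(p.name, p.read_bytes()[:4096]))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        Path(d, "real.gif").write_bytes(b"GIF89a" + b"\x00" * 10)
        Path(d, "scanner.gif").write_bytes(build_fake_pe())
        print(scan_dir(Path(d)))  # ['scanner.gif']
```

A real GIF that happens to start with "MZ" cannot exist, so a hit on this check is worth a closer look in the sandbox or proxy logs.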
Furthermore, the C2 infrastructure associated with MagicRAT has been found harboring and serving newer versions of TigerRAT, a backdoor previously attributed to Andariel that is engineered to execute commands, take screenshots, log keystrokes, and harvest system information.
Also included in the latest variant is a USB Dump feature that allows the adversary to hunt for files with specific extensions, alongside laying the groundwork for implementing video capture from webcams.
“The discovery of MagicRAT in the wild is an indication of Lazarus' motivations to rapidly build new, bespoke malware to use along with their previously known malware such as TigerRAT to target organizations worldwide,” the researchers said.