North Korea’s Lazarus Group hits organizations with two new RATs

Neither of the two trojans has a graphical user interface, so the choice of Qt as a development framework might seem strange. Because very few malicious programs are built with it, however, using Qt makes detection and analysis harder. QuiteRAT is also much smaller than MagicRAT (4MB to 5MB vs. 18MB) despite implementing nearly identical functionality: it allows attackers to remotely execute commands and additional payloads on the infected system.

The difference comes from a more streamlined development process where QuiteRAT only incorporates a handful of needed Qt libraries, while MagicRAT bundles the whole framework, making it much bulkier.

Once deployed on a system, QuiteRAT gathers basic information such as MAC addresses, IP addresses, and the current user name of the device. It then connects to a hard-coded command-and-control server and waits for commands to be issued.

One of the implemented commands puts the malware to sleep and stops its communication with the C2 server for a specified time, probably an attempt by the attackers to remain undetected inside victim networks. While QuiteRAT has no built-in persistence mechanism, the C2 server can send a command that sets up a registry entry to start the malware after a reboot.
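The reboot persistence described above arrives as a registry entry written on the C2 server's instruction, which is visible to endpoint telemetry that records registry writes. The block below is an added example, not code from the article or from Talos, of the triage a defender would run over Sysmon Event ID 13 (registry value set) records shipped as JSON lines: it flags writes to Run/RunOnce autostart keys and raises the severity when the writing process or the autostart target lives in a user-writable directory, or when the process registers itself. The key paths, the directory list, the JSON field names and every sample record are assumptions or constructed data; the article names no specific key or path.

```python
# Added example (not from the article): flag registry Run-key persistence in
# constructed Sysmon-style Event ID 13 (RegistryEvent: value set) JSON records.
import json
import re
from typing import Dict, List, Tuple

# Assumption: autostart locations a "start after reboot" entry would target.
AUTORUN_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE
)
# Assumption: user-writable directories from which autostart binaries are suspicious.
SUSPICIOUS_DIR = re.compile(r"\\(Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)

# Constructed sample telemetry, not real events.
_RAW_EVENTS = [
    {   # benign: vendor installer (trusted path) registers its updater
        "EventID": 13,
        "Image": "C:\\Program Files\\Vendor\\setup.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdate",
        "Details": "\"C:\\Program Files\\Vendor\\update.exe\"",
    },
    {   # unrelated registry write, not an autostart key
        "EventID": 13,
        "Image": "C:\\Windows\\explorer.exe",
        "TargetObject": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
        "Details": "DWORD (0x00000001)",
    },
    {   # suspicious: binary in ProgramData writes a Run value pointing at itself
        "EventID": 13,
        "Image": "C:\\ProgramData\\svchost_helper.exe",
        "TargetObject": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\helper",
        "Details": "\"C:\\ProgramData\\svchost_helper.exe\" -s",
    },
]
SAMPLE_EVENTS: List[str] = [json.dumps(e) for e in _RAW_EVENTS]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one JSON log line into the four fields the triage needs."""
    rec = json.loads(line)
    return {k: str(rec.get(k, "")) for k in ("EventID", "Image", "TargetObject", "Details")}


def is_autorun_write(ev: Dict[str, str]) -> bool:
    """True when the record is a registry value set under a Run/RunOnce key."""
    return ev["EventID"] == "13" and AUTORUN_KEY.search(ev["TargetObject"]) is not None


def extract_exe(details: str) -> str:
    """Return the executable path from a command line (quoted or first token)."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', details)
    if not m:
        return ""
    return m.group(1) or m.group(2)


def score_autorun(ev: Dict[str, str]) -> Tuple[str, List[str]]:
    """Grade an autostart write: 'high' if any suspicious trait is present."""
    reasons: List[str] = []
    if SUSPICIOUS_DIR.search(ev["Image"]):
        reasons.append("writing process runs from a user-writable directory")
    if SUSPICIOUS_DIR.search(ev["Details"]):
        reasons.append("autostart target is in a user-writable directory")
    if extract_exe(ev["Details"]).lower() == ev["Image"].lower():
        reasons.append("self-registration")  # process persists itself, as a RAT would
    return ("high" if reasons else "low", reasons)


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Run every line through the checks; return one finding per autostart write."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        if not is_autorun_write(ev):
            continue
        severity, reasons = score_autorun(ev)
        findings.append({
            "value": ev["TargetObject"],
            "image": ev["Image"],
            "severity": severity,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["value"], "<-", f["image"], f["reasons"])
```

The benign vendor entry is still reported (every new autostart value deserves a look) but scored low, while the self-registering binary in ProgramData is scored high with each contributing reason listed, so an analyst can see why a given Run-key write was escalated rather than just that it was.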

A second new remote access trojan: CollectionRAT

While investigating the QuiteRAT attacks, the Talos researchers analyzed Lazarus’ C2 infrastructure and found additional tools, including another RAT program they dubbed CollectionRAT. “We discovered that QuiteRAT and the open-source DeimosC2 agents used in this campaign were hosted on the same remote locations used by the Lazarus Group in their preceding campaign from 2022 that deployed MagicRAT,” the Talos researchers said. “This infrastructure was also used for commanding and controlling CollectionRAT, the newest malware in the actor’s arsenal.”

CollectionRAT appears to be connected to Jupiter/EarlyRAT, another malware program that CISA and Kaspersky Lab have previously documented in connection with North Korean cyberattacks. Like QuiteRAT, CollectionRAT was developed using an unusual tool, in this case the Microsoft Foundation Class (MFC) library, a legitimate library traditionally used to create user interfaces for Windows applications. MFC is used to decrypt and execute the malware code on the fly, but it also has the benefit of abstracting the inner workings of the Windows OS, making development easier while allowing different components to work with each other easily.
