Lazarus Group Debuts Tiny Trojan for Espionage AttacksThe Malware Is Based on an Unusual Development Framework
Researchers spotted the North Korean state hackers deploying a more compact remote access Trojan through a flaw in IT service management software in a campaign affecting European and U.S. critical infrastructure.
Security firm Cisco Talos said Lazarus Group in May started to deploy a Trojan that researchers named QuiteRAT, since it's a smaller version of custom North Korean malware Cisco Talos christened MagicRat in fall 2022. The newer variant retains many of the same capabilities as its larger precursor.
Once inside a network, QuiteRAT performs initial system reconnaissance, relays the information to a command-and-control server, and waits for fresh commands to perform additional tasks such as establishing persistence, running arbitrary code or deploying additional malware.
Both Trojans are based on the QT open-source development framework, which makes machine learning and heuristic analysis detection tools less reliable since QT is "rarely used in malware development." It is widely used for developing graphical user interfaces in applications, although neither MagicRAT nor QuiteRAT have GUIs. The framework also makes human analysis more difficult due to the complexity of the code.
North Korean coders compressed the size of the Trojan to 5 megabytes - down from MagicRAT's 18MB - by incorporating only a handful of QT libraries rather than the entire framework. QuiteRAT also establishes persistence by downloading additional code from a command-and-control server, rather than having a backdoor embedded into it, the researchers said.
They said Pyongyang hackers used QuiteRAT to target internet backbone infrastructure and healthcare entities in Europe and the United States. Hackers exploited a vulnerability in Zoho's ManageEngine ServiceDesk application tracked as CVE-2022-47966.
The researchers said it can attribute the campaign to North Korea partially by tracing the internet protocol address the hackers used to deploy QuiteRAT. The address,
220.127.116.11, "has been used by Lazarus since at least May 2022," they said.
Cisco Talos first observed MagicRAT in 2022 when it tracked Lazarus exploiting vulnerabilities in publicly exposed VMWare Horizon platforms to target energy companies worldwide.