Thursday, July 4 | News That Matters

North Korean APT Hacks Internet Infrastructure Provider via ManageEngine Flaw

In early 2023, the attack took place approximately five days after proof-of-concept (PoC) exploit code was published for the ManageEngine vulnerability CVE-2022-47966, which carries a CVSS score of 9.8.

The vulnerability, found in the third-party dependency Apache xmlsec (XML Security for Java), allows for unauthenticated remote code execution. Zoho had already issued patches for over 20 affected on-premises products in November 2022.

Lazarus, a well-known threat actor, used CVE-2022-47966 to deploy a new variant of a remote access trojan (RAT) called QuiteRAT. This RAT is believed to be a derivative of MagicRAT, a malware family previously attributed to Lazarus.

Once activated on a compromised system, QuiteRAT collects system data and transmits it to the attackers’ server. It remains dormant until receiving commands for execution. The trojan grants the attackers additional capabilities, including system reconnaissance and the ability to modify the Windows registry for persistence. It also facilitates the deployment of further malware.

QuiteRAT, built on the Qt framework, is notably smaller in size compared to MagicRAT due to fewer incorporated Qt libraries and the absence of a built-in persistence mechanism.

Researchers have noted various parallels between the two malware families, such as the use of base64 encoding to obfuscate strings and the incorporation of similar functionalities, including the execution of commands on the infected system.

Lazarus seems to have replaced MagicRAT with QuiteRAT in recent attacks, indicating a shift in its tactics. In addition to targeting an internet backbone infrastructure firm, Lazarus has also been observed targeting healthcare organizations in both Europe and the United States, as highlighted by Cisco researchers.

Post Disclaimer

Disclaimer: The views, suggestions, and opinions expressed here are the sole responsibility of the experts. No Chronicle Hub journalist was involved in the writing and production of this article.