North Korean state-sponsored hacker group Lazarus adds new RAT to its malware toolset

flyytech by flyytech
September 11, 2022


Security researchers have discovered a new remote access Trojan (RAT) that Lazarus, a threat actor tied to the North Korean government, has been using in attack campaigns this year. The new RAT has been deployed alongside other malware implants attributed to Lazarus and is used mainly in the first stages of an attack.

Dubbed MagicRAT, the new Lazarus malware was developed with Qt, a framework commonly used to build graphical user interfaces for cross-platform applications. Since the Trojan has no GUI, researchers from Cisco Talos believe Qt was chosen to make detection and analysis harder.

“Talos believes that the objective was to increase the complexity of the code, thus making human analysis harder,” the Cisco researchers said in their report. “On the other hand, since there are very few examples (if any) of malware programmed with Qt Framework, this also makes machine learning and heuristic analysis detection less reliable.”

How the MagicRAT malware works

In addition to using Qt classes throughout its codebase, MagicRAT stores configuration data, including three encoded command-and-control (C2) URLs, in a QSettings object. Once deployed, it creates two scheduled tasks to persist across reboots and copies a shortcut file named OneNote into the Startup folder.

The Trojan then collects system information using command-line tools and uploads the resulting file to the C2 servers. Attackers can connect to MagicRAT remotely and obtain a shell on the compromised system, which lets them carry out additional hands-on-keyboard activity.
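The two persistence artifacts described above (a pair of scheduled tasks plus a OneNote look-alike shortcut in the Startup folder) are easy to hunt for once endpoint telemetry is centralised. The following is an added example, not code from Cisco Talos or from the malware, that runs that hunt over Windows event records. It assumes, and this is not from the report, that events have already been normalised to dicts with the keys used below, with Sysmon Event ID 11 (FileCreate) supplying `target_filename` and Security Event ID 4698 (scheduled task created) supplying `task_name` and `task_command`. The sample records are constructed.

```python
"""Added example (not Cisco Talos's or the malware's code): hunt for the
MagicRAT-style persistence described above in already-normalised Windows
event records.

Assumed, not from the report: events arrive as dicts with the keys used
below; Sysmon Event ID 11 (FileCreate) supplies 'target_filename' and
Security Event ID 4698 (scheduled task created) supplies 'task_name' and
'task_command'. The sample records at the bottom are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# A .lnk written into a per-user or all-users Startup folder.
STARTUP_LNK_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$",
    re.IGNORECASE,
)
# Scheduled-task actions that run from user-writable locations (tune for your estate).
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def check_startup_shortcut(ev):
    """Flag a Startup-folder shortcut whose file name imitates OneNote."""
    if ev.get("event_id") != 11:
        return None
    target = ev.get("target_filename", "")
    if not STARTUP_LNK_RE.search(target):
        return None
    name = target.rsplit("\\", 1)[-1].lower()
    if name.startswith("onenote"):
        return Finding("startup_lnk_onenote_lookalike", ev["host"], target)
    return None


def check_scheduled_task(ev):
    """Flag a new scheduled task whose action lives in a user-writable path."""
    if ev.get("event_id") != 4698:
        return None
    cmd = ev.get("task_command", "")
    if USER_WRITABLE_RE.search(cmd):
        return Finding("schtask_from_user_writable_path", ev["host"],
                       f"{ev.get('task_name')} -> {cmd}")
    return None


def scan(events):
    """Run every check over every event and return all findings."""
    findings = []
    for ev in events:
        for check in (check_startup_shortcut, check_scheduled_task):
            f = check(ev)
            if f:
                findings.append(f)
    return findings


def correlate(findings):
    """Hosts showing the full pattern: two or more suspicious scheduled tasks
    plus the OneNote look-alike shortcut in Startup."""
    tasks = defaultdict(int)
    lnk_hosts = set()
    for f in findings:
        if f.rule == "schtask_from_user_writable_path":
            tasks[f.host] += 1
        elif f.rule == "startup_lnk_onenote_lookalike":
            lnk_hosts.add(f.host)
    return sorted(h for h in lnk_hosts if tasks[h] >= 2)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 4698, "task_name": "\\OneNoteUpdate",
     "task_command": "C:\\Users\\Public\\Music\\onenote.exe"},
    {"host": "ws01", "event_id": 4698, "task_name": "\\EdgeUpdateCore",
     "task_command": "C:\\Users\\Public\\Music\\onenote.exe"},
    {"host": "ws01", "event_id": 11, "target_filename":
     "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\OneNote.lnk"},
    {"host": "ws02", "event_id": 4698, "task_name": "\\GoogleUpdateTaskMachineUA",
     "task_command": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe"},
    {"host": "ws02", "event_id": 11,
     "target_filename": "C:\\Users\\bob\\Downloads\\notes.lnk"},
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.rule}] {f.host}: {f.detail}")
    print("hosts matching the full pattern:", correlate(found))
```

Treat a name match as a lead, not a verdict: resolve the shortcut's target and compare it with the real OneNote install path before acting, and raise the host to an incident only when `correlate` shows the scheduled tasks as well.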

The researchers also found other malware payloads on the C2 servers, disguised as GIF files. These included a lightweight port scanner and a more complex RAT called TigerRAT that has been attributed to the Lazarus group since 2021.

In addition to command execution, TigerRAT gives attackers screen capture, SOCKS proxy tunneling, keylogging and file management capabilities. The latest variants also have a feature called USB Dump that lets attackers search a specified folder for files with certain extensions, archive the files found, and upload the archive to the C2. This could be a data exfiltration feature aimed at attached USB storage devices.

In more recent versions, MagicRAT also gained the ability to delete itself from a system via a batch (BAT) file. This is consistent with the theory that the Trojan is used only in the first stages of an attack, for reconnaissance and for deploying additional payloads on machines of interest. It could also explain why it had not been identified before, even though the campaign in which it was used went on for months and has been documented by multiple security firms and CERTs this year.

Log4Shell exploits hitting VMware Horizon

According to Cisco Talos, MagicRAT has been used alongside other previously documented Lazarus implants such as VSingle in attacks that exploited the Log4Shell vulnerability on publicly facing VMware Horizon servers between February and July 2022.

Log4Shell (CVE-2021-44228) is a critical vulnerability in log4j, a widely used Java logging library found in millions of applications; it was reported to the Apache project in late November 2021 and publicly disclosed and patched in December 2021. CISA issued an alert in June warning organizations that multiple threat actors were targeting unpatched VMware Horizon servers via Log4Shell. In July, the agency released additional indicators of compromise (IOCs) from its incident response engagements.

The attacks seen by Cisco Talos have some overlap with the IOCs released by CISA and targeted energy companies from the U.S., Canada and Japan with the likely goal of establishing long-term access and conducting espionage.

Once they had exploited Log4Shell, the attackers used VMware's node.exe binary to execute their own command-line script, which opened an interactive reverse shell running with the privileges of VMware Horizon, typically administrator. In some cases they used PowerShell scripts instead. In all cases they deployed VSingle, a backdoor that has been associated with Lazarus attacks since 2021.
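The chain described above, Horizon's node.exe launching a command interpreter, is unusual enough on a Connection Server to serve as a detection on its own. The following is an added example, not code from Cisco Talos or CISA, that applies that rule to process-creation telemetry. It assumes, and this is not from the report, that Sysmon Event ID 1 records have been normalised to dicts with `host`, `user`, `parent_image`, `image` and `command_line`, and it tells Horizon's node.exe apart from a developer's Node.js only by an assumed install path under `Program Files\VMware`. The sample records are constructed.

```python
"""Added example (not Cisco Talos's or CISA's code): flag the
post-exploitation chain described above, VMware Horizon's node.exe spawning
a command shell, from process-creation telemetry.

Assumed, not from the report: events are Sysmon Event ID 1 records already
normalised to dicts with 'host', 'user', 'parent_image', 'image' and
'command_line'. The Horizon install path under 'Program Files\\VMware' is an
assumption used only to separate Horizon's node.exe from a developer's
Node.js. All sample records are constructed."""
import re
from dataclasses import dataclass

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Children the gateway is expected to spawn; replace with your own baseline.
EXPECTED_CHILDREN = {"conhost.exe", "node.exe"}
HORIZON_NODE_RE = re.compile(r"\\VMware\\.*\\node\.exe$", re.IGNORECASE)
# Command-line traits common to reverse shells and downloaders.
NOISY_ARGS_RE = re.compile(
    r"(-enc\b|-w\s+hidden|-nop\b|-ep\s+bypass|Invoke-Expression|\bIEX\b|Net\.WebClient)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Alert:
    severity: str
    host: str
    user: str
    reason: str


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev):
    """Return an Alert for one process-creation event, or None."""
    if not HORIZON_NODE_RE.search(ev.get("parent_image", "")):
        return None
    child = basename(ev.get("image", ""))
    if child in EXPECTED_CHILDREN:
        return None
    cmdline = ev.get("command_line", "")
    if child in SHELLS:
        # A shell under node.exe is bad; hidden/encoded/bypass flags make it worse.
        sev = "critical" if NOISY_ARGS_RE.search(cmdline) else "high"
        reason = f"Horizon node.exe spawned {child}: {cmdline}"
    else:
        sev, reason = "medium", f"Horizon node.exe spawned unexpected child {child}"
    return Alert(sev, ev.get("host", "?"), ev.get("user", "?"), reason)


def scan(events):
    return [a for a in (evaluate(e) for e in events) if a]


# Assumed Horizon path; verify against the real install before relying on it.
HORIZON_NODE = "C:\\Program Files\\VMware\\VMware View\\Server\\appblastgateway\\node.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "horizon01", "user": "NT AUTHORITY\\SYSTEM", "parent_image": HORIZON_NODE,
     "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c whoami /all"},
    {"host": "horizon01", "user": "NT AUTHORITY\\SYSTEM", "parent_image": HORIZON_NODE,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -ep bypass -File C:\\Windows\\Temp\\u.ps1"},
    {"host": "horizon01", "user": "NT AUTHORITY\\SYSTEM", "parent_image": HORIZON_NODE,
     "image": "C:\\Windows\\System32\\conhost.exe", "command_line": "conhost.exe 0xffffffff"},
    {"host": "horizon01", "user": "NT AUTHORITY\\SYSTEM", "parent_image": HORIZON_NODE,
     "image": "C:\\Windows\\System32\\whoami.exe", "command_line": "whoami"},
    {"host": "dev01", "user": "CORP\\dev", "parent_image": "C:\\Program Files\\nodejs\\node.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c npm test"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.severity.upper():8} {a.host} ({a.user}): {a.reason}")
```

Because the article notes that the shell inherits Horizon's own privileges, the `user` field is carried into every alert so an analyst sees immediately whether the child ran as SYSTEM or a service account.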

VSingle is used for reconnaissance, data exfiltration and manual backdooring of systems by adding local administrative accounts and accounts with remote desktop access. It is also used to deploy SSH tunneling and proxy tools. The Trojan can download and execute additional plug-ins from the C2 server, delivered as shellcode or as script files in various formats.
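The manual backdooring described above, creating a local account and then putting it into Administrators or Remote Desktop Users, leaves a tight create-then-elevate sequence in the Security log. The following is an added example, not code from Cisco Talos, that correlates those events per host. It assumes, and this is not from the report, that Security Event ID 4720 (user created) and 4732 (member added to a security-enabled local group) are already normalised to the dicts shown, with 4732 naming the member by SID only, as the native event does. The group SIDs S-1-5-32-544 and S-1-5-32-555 are the well-known identifiers for those two groups. The sample records are constructed.

```python
"""Added example (not Cisco Talos's code): detect the manual backdooring
described above, a freshly created local account being added to
Administrators or Remote Desktop Users, from Windows Security events.

Assumed, not from the report: Security Event ID 4720 (user created) and
4732 (member added to a security-enabled local group) are already
normalised to the dicts below; 4732 identifies the member by SID only,
as the native event does. Sample records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Well-known local group SIDs.
PRIVILEGED_GROUPS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-555": "Remote Desktop Users",
}


@dataclass(frozen=True)
class Alert:
    severity: str
    host: str
    account: str
    group: str
    actor: str


def detect_backdoor_accounts(events, window=timedelta(minutes=30)):
    """Correlate 4720 and 4732 per host and member SID.

    High: the member was created within `window` before the group add
    (the create-then-elevate pattern). Low: any other addition to a
    privileged local group, kept as an audit trail."""
    created = {}  # (host, sid) -> the 4720 event that created the account
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] == 4720:
            created[(ev["host"], ev["target_sid"])] = ev
            continue
        if ev["event_id"] != 4732 or ev["group_sid"] not in PRIVILEGED_GROUPS:
            continue
        origin = created.get((ev["host"], ev["member_sid"]))
        recent = origin is not None and ev["ts"] - origin["ts"] <= window
        alerts.append(Alert(
            severity="high" if recent else "low",
            host=ev["host"],
            # 4732 carries only the SID; recover the name from the 4720 if we saw it.
            account=origin["target_name"] if origin else ev["member_sid"],
            group=PRIVILEGED_GROUPS[ev["group_sid"]],
            actor=ev["subject_name"],
        ))
    return alerts


T0 = datetime(2022, 4, 12, 3, 14, 0)
SVC_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": T0, "host": "ws01", "event_id": 4720, "subject_name": "SYSTEM",
     "target_name": "svc_update", "target_sid": SVC_SID},
    {"ts": T0 + timedelta(minutes=2), "host": "ws01", "event_id": 4732,
     "subject_name": "SYSTEM", "member_sid": SVC_SID, "group_sid": "S-1-5-32-544"},
    {"ts": T0 + timedelta(minutes=3), "host": "ws01", "event_id": 4732,
     "subject_name": "SYSTEM", "member_sid": SVC_SID, "group_sid": "S-1-5-32-555"},
    # Normal onboarding: new user goes into Backup Operators, not flagged.
    {"ts": T0, "host": "ws02", "event_id": 4720, "subject_name": "helpdesk",
     "target_name": "jdoe", "target_sid": "S-1-5-21-4-4-4-1201"},
    {"ts": T0 + timedelta(minutes=1), "host": "ws02", "event_id": 4732,
     "subject_name": "helpdesk", "member_sid": "S-1-5-21-4-4-4-1201",
     "group_sid": "S-1-5-32-551"},
    # Existing account elevated long after creation: recorded at low severity.
    {"ts": T0 + timedelta(hours=5), "host": "ws03", "event_id": 4732,
     "subject_name": "CORP\\admin", "member_sid": "S-1-5-21-4-4-4-1007",
     "group_sid": "S-1-5-32-544"},
]

if __name__ == "__main__":
    for a in detect_backdoor_accounts(SAMPLE_EVENTS):
        print(f"{a.severity.upper():5} {a.host}: {a.actor} added {a.account} to {a.group}")
```

The actor being SYSTEM rather than an administrator's interactive session is itself a useful secondary signal, since account creation driven by a backdoor running as a service will show up that way.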

In several cases, the attackers used VSingle to deploy Impacket, a collection of Python classes for working with network protocols, and used it for lateral movement inside Active Directory environments.

In one case, the researchers observed MagicRAT being deployed alongside VSingle while in another case VSingle was accompanied by YamaBot, a Trojan program written in Go that was recently attributed to Lazarus by Japan’s JPCERT.

In addition to reconnaissance, lateral movement and the deployment of custom implants, the Lazarus attacks also involved credential harvesting from local systems with tools such as Mimikatz and Procdump, exfiltration of Active Directory data, disabling Windows Defender, setting up SOCKS proxies, and more. The Cisco Talos report contains a detailed list of observed tactics, techniques and procedures (TTPs) as well as IOCs associated with this campaign.

Copyright © 2022 IDG Communications, Inc.
