The prolific North Korean nation-state actor known as the Lazarus Group has been linked to a new remote access trojan called MagicRAT.
The previously unknown piece of malware is said to have been deployed in victim networks that had been initially breached via successful exploitation of internet-facing VMware Horizon servers, Cisco Talos said in a report shared with The Hacker News.
“While being a relatively simple RAT capability-wise, it was built with recourse to the Qt Framework, with the sole intent of making human analysis harder, and automated detection through machine learning and heuristics less likely,” Talos researchers Jung soo An, Asheer Malhotra, and Vitor Ventura said.
Lazarus Group, also known as APT38, Dark Seoul, Hidden Cobra, and Zinc, refers to a cluster of financial motivated and espionage-driven cyber activities undertaken by the North Korean government as a means to sidestep sanctions imposed on the country and meet its strategic objectives.
Like other umbrella collectives Winnti and MuddyWater, the state-sponsored hacking collective also has “spin-off” groups such as Bluenoroff and Andariel, which focus on specific kinds of attacks and targets.
While the Bluenoroff subgroup is focused on attacking foreign financial institutions and perpetrating monetary theft, Andariel is devoted in its pursuit of South Korean organizations and businesses.
“Lazarus develops their own attack tools and malware, can use innovative attack techniques, works very methodically, and takes their time,” cybersecurity firm NCC Group said in a report detailing the threat actor.
“In particular, the North Korean methods aim to avoid detection by security products and to remain undetected within the hacked systems for as long as possible.”
The latest addition to its wide-ranging malware toolset shows the group’s ability to employ a multitude of tactics and techniques depending on their targets and their operational goals.
A C++-based implant, MagicRAT is designed to achieve persistence by creating scheduled tasks on the compromised system. It’s also “rather simple” in that it provides the attacker with a remote shell to execute arbitrary commands and carry out file operations.
MagicRAT is also capable of launching additional payloads retrieved from a remote server on infected hosts. One of the executables retrieved from the command-and-control (C2) server takes the form of a GIF image file, but in reality is a lightweight port scanner.
Furthermore, the C2 infrastructure associated with MagicRAT has been found harboring and serving newer versions of TigerRAT, a backdoor formerly attributed to Andariel and is engineered to execute commands, take screenshots, log keystrokes, and harvest system information.
Also incorporated in the latest variant is a USB Dump feature that allows the adversary to hunt for files with specific extensions, alongside laying the groundwork for implementing video capture from webcams.
“The discovery of MagicRAT in the wild is an indication of Lazarus’ motivations to rapidly build new, bespoke malware to use along with their previously known malware such as TigerRAT to target organizations worldwide,” the researchers said.