Security researchers have discovered a new remote access Trojan (RAT) being used in attack campaigns this year by Lazarus, a threat actor tied to the North Korean government. The new RAT has been used alongside other malware implants attributed to Lazarus and it’s mainly used in the first stages of an attack.
Dubbed MagicRAT, the new Lazarus malware program was developed using Qt, a framework commonly used to develop graphical user interfaces for cross-platform applications. Since the Trojan doesn’t have a GUI, researchers from Cisco Talos believe the reason for using Qt was to make detection harder.
“Talos believes that the objective was to increase the complexity of the code, thus making human analysis harder,” the Cisco researchers said in their report. “On the other hand, since there are very few examples (if any) of malware programmed with Qt Framework, this also makes machine learning and heuristic analysis detection less reliable.”
How the MagicRAT malware works
In addition to using Qt classes throughout its codebase, MagicRAT stores its configuration, including three encoded command-and-control (C2) URLs, in a QSettings object. Once deployed, it creates two scheduled tasks so that it survives a reboot and places a shortcut file named OneNote in the Startup folder.
The Trojan then collects system information using command-line tools and uploads the resulting file to the C2 servers. Attackers can connect remotely to MagicRAT and obtain shell access on the system, which allows them to perform additional hands-on hacking.
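A practitioner reading the persistence description above will want to check their own hosts for the two footholds it names. The script below is an added example (not Cisco Talos code, and not taken from the MagicRAT sample): it lists shortcuts in a Startup folder whose name is on a watch list, and parses the output of `schtasks /query /v /fo CSV` to flag tasks whose action runs from a user-writable directory such as ProgramData, AppData or a temp folder. The watch list, the "user-writable" directory patterns and the sample schtasks output are all constructed assumptions; the report does not give the task names MagicRAT uses.

```python
"""Hunt for startup-folder shortcuts and scheduled tasks that run from
user-writable paths. Added example; the watch list and directory patterns are
assumptions, not indicators from the Talos report."""
import csv
import io
import os
import re
import tempfile

# Directories where a legitimate scheduled task rarely lives (assumed watch
# list). Both absolute paths and the usual environment-variable forms are covered.
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\(?:users\\[^\\]+\\appdata|programdata|users\\public|windows\\temp)\\"
    r"|%(?:appdata|localappdata|programdata|public|temp|tmp)%\\)",
    re.IGNORECASE,
)


def suspicious_startup_links(startup_dir, watch_names=("onenote",)):
    """Return .lnk files in startup_dir whose stem is on the watch list.

    On a live host point this at
    %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup for each user.
    Matching is case-insensitive so OneNote.lnk and onenote.LNK both hit.
    """
    hits = []
    for name in os.listdir(startup_dir):
        stem, ext = os.path.splitext(name)
        if ext.lower() == ".lnk" and stem.lower() in watch_names:
            hits.append(os.path.join(startup_dir, name))
    return sorted(hits)


def _executable(action):
    """Pull the executable path out of a 'Task To Run' value, quoted or not."""
    action = action.strip()
    if action.startswith('"'):
        end = action.find('"', 1)
        return action[1:end] if end > 0 else action[1:]
    return action.split(" ", 1)[0]


def tasks_in_user_writable(schtasks_csv):
    """Parse `schtasks /query /v /fo CSV` output and return (TaskName, exe)
    for every task whose executable sits in a user-writable directory.
    Verbose output repeats the header row before each task; those are skipped."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        if row["TaskName"] == "TaskName":
            continue
        exe = _executable(row["Task To Run"])
        if USER_WRITABLE.match(exe):
            hits.append((row["TaskName"], exe))
    return hits


# Constructed sample of verbose schtasks CSV output (a subset of the real
# columns): one stock Windows task and one task that runs from ProgramData.
SAMPLE_SCHTASKS = r'''"HostName","TaskName","Next Run Time","Status","Author","Task To Run","Schedule Type"
"HOST1","\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","Multiple schedule types"
"HostName","TaskName","Next Run Time","Status","Author","Task To Run","Schedule Type"
"HOST1","\SystemUpdate","N/A","Ready","HOST1\svc","""C:\ProgramData\SystemUpdate\svc.exe"" -r","At system start up"
'''


def demo():
    """Run both checks against constructed input and return their findings."""
    with tempfile.TemporaryDirectory() as startup:
        # Constructed Startup folder: the suspect shortcut plus a benign one.
        for name in ("OneNote.lnk", "Teams.lnk"):
            open(os.path.join(startup, name), "wb").close()
        links = [os.path.basename(p) for p in suspicious_startup_links(startup)]
    return links, tasks_in_user_writable(SAMPLE_SCHTASKS)


if __name__ == "__main__":
    print(demo())
```

A shortcut name alone is a weak signal, so on a real host resolve each flagged .lnk to its target and compare that target with the executables the flagged tasks run; the report describes both mechanisms being planted by the same implant.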
The researchers also found other malware payloads on the C2 servers that were disguised as GIF files. These included a lightweight port scanner and a more complex RAT called TigerRAT that has been attributed to the Lazarus group since 2021.
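Payloads served under an image extension are easy to catch at the proxy or in a sandbox if you look at content rather than file name. The function below is an added example, not code from the Talos report: it checks whether data fetched as a .gif actually starts with a GIF signature, and whether it is a Windows PE file (an "MZ" header whose e_lfanew field points at a valid "PE\0\0" signature). It also handles the case of a PE appended behind a genuine GIF header; that polyglot variant is an assumption for completeness, the report only says the payloads were hidden as GIFs. The sample byte strings are constructed, not real samples.

```python
"""Classify a blob fetched with a .gif name by its content. Added example; the
sample bytes are constructed, not captured malware."""

GIF_MAGICS = (b"GIF87a", b"GIF89a")
PE_SIG = b"PE\0\0"


def _pe_at(data, base):
    """True if a PE header starts at offset `base`: 'MZ' plus e_lfanew
    (the 32-bit little-endian offset at base+0x3c) pointing at 'PE\\0\\0'."""
    if data[base:base + 2] != b"MZ" or base + 0x40 > len(data):
        return False
    e_lfanew = int.from_bytes(data[base + 0x3c:base + 0x40], "little")
    return data[base + e_lfanew:base + e_lfanew + 4] == PE_SIG


def classify_gif(data):
    """Return one of:
    'pe-masquerade'   a PE file served under a .gif name
    'gif-pe-polyglot' a real GIF header with a PE appended behind it (assumed variant)
    'gif'             starts with a GIF signature and carries no embedded PE
    'unknown'         neither; could be shellcode, an encrypted blob or anything else
    """
    if _pe_at(data, 0):
        return "pe-masquerade"
    if data.startswith(GIF_MAGICS):
        idx = data.find(b"MZ", len(GIF_MAGICS[0]))
        while idx != -1:
            if _pe_at(data, idx):
                return "gif-pe-polyglot"
            idx = data.find(b"MZ", idx + 1)
        return "gif"
    return "unknown"


def check_download(path):
    """Classify a file on disk; useful on a proxy cache or sandbox drop folder."""
    with open(path, "rb") as fh:
        return classify_gif(fh.read())


# Constructed samples: a minimal PE header (e_lfanew = 0x40), a tiny GIF,
# and the two glued together.
SAMPLE_PE = b"MZ" + bytes(0x3c - 2) + (0x40).to_bytes(4, "little") + PE_SIG + bytes(20)
SAMPLE_GIF = b"GIF89a" + bytes(13) + b";"
SAMPLE_POLYGLOT = SAMPLE_GIF + SAMPLE_PE

if __name__ == "__main__":
    for label, blob in (("pe", SAMPLE_PE), ("gif", SAMPLE_GIF), ("polyglot", SAMPLE_POLYGLOT)):
        print(label, classify_gif(blob))
```

Note that 'gif' here only means the header is plausible; a payload delivered as raw shellcode or an encrypted blob with a GIF header prepended would still pass, so pair this with an entropy check or a real image decoder when triaging.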
In addition to command execution, TigerRAT provides attackers with screen capture, SOCKS proxy tunneling, keylogging and file management capabilities. The latest variants also have a feature called USB Dump that allows attackers to search for files with certain extensions in a specified folder, archive the found files and upload the archive to the C2. This could be a data exfiltration feature targeting attached USB storage devices.
More recent versions of MagicRAT also gained the ability to delete themselves from a system via a BAT file. This is in line with the theory that the Trojan is used only in the first stages of an attack, for reconnaissance and for deploying additional payloads on interesting victim machines. It could also explain why the Trojan had not been identified before, even though the campaign in which it was used went on for months and has been documented by multiple security firms and CERTs this year.
Log4Shell exploits hitting VMware Horizon
According to Cisco Talos, MagicRAT has been used alongside other previously documented Lazarus malware implants such as VSingle in attacks that exploited the Log4Shell vulnerability on publicly facing VMware Horizon servers between February and July.
Log4Shell (CVE-2021-44228) is a critical vulnerability in Log4j, a popular Java logging library used in millions of applications; it was reported to the Apache project in late November 2021 and publicly disclosed and patched in December 2021. CISA issued an alert in June warning organizations that multiple threat actors were targeting unpatched VMware Horizon servers via the Log4Shell flaw. In July, the agency released additional indicators of compromise from its incident response engagements.
The attacks seen by Cisco Talos have some overlap with the IOCs released by CISA and targeted energy companies from the U.S., Canada and Japan with the likely goal of establishing long-term access and conducting espionage.
Once the attackers had exploited Log4Shell, they used VMware's own node.exe binary to execute a command-line script that opened an interactive reverse shell running with the privileges of the VMware Horizon service, typically administrator. In some cases, the attackers used PowerShell scripts instead. In all cases the attackers deployed VSingle, a backdoor-type malware program that has been associated with Lazarus attacks since 2021.
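The parent-child relationship described above, a Horizon-shipped node.exe spawning cmd.exe or PowerShell, is the detection hook most defenders would build on. The snippet below is an added example, not from the Talos report or CISA's advisory: it runs a simple process-creation rule over constructed Sysmon-style events (JSON lines with ParentImage, Image, CommandLine and User fields, which is an assumed log shape). The Horizon install path in the sample, the benign Node.js developer event used as a negative case, and the command lines are all constructed; the rule only flags a shell whose parent is node.exe under a path containing "VMware", so a build script run by a developer's Node.js is not reported.

```python
"""Flag cmd.exe / PowerShell children of VMware Horizon's node.exe in
process-creation logs. Added example; the events are constructed."""
import json
import ntpath

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# node.exe is the Horizon binary the report names; add other Horizon service
# executables from your own software inventory as needed.
HORIZON_PARENTS = {"node.exe"}


def is_horizon_shell(event):
    """True when a shell is spawned by a Horizon node.exe. The path test keeps
    a developer's standalone Node.js install from tripping the rule."""
    parent_path = event.get("ParentImage", "")
    parent = ntpath.basename(parent_path).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    return (parent in HORIZON_PARENTS
            and "vmware" in parent_path.lower()
            and child in SHELLS)


def flag_events(lines):
    """Return (UtcTime, User, CommandLine) for each event matching the rule."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if is_horizon_shell(ev):
            hits.append((ev.get("UtcTime", ""), ev.get("User", ""), ev.get("CommandLine", "")))
    return hits


# Constructed sample events (Sysmon event ID 1 fields, JSON per line). The
# Horizon path below is illustrative of a default install, not taken from the report.
SAMPLE_EVENTS = [
    json.dumps({
        "UtcTime": "2022-03-01 10:14:02.000", "User": "NT AUTHORITY\\SYSTEM",
        "ParentImage": "C:\\Program Files\\VMware\\VMware View\\Server\\appblastgateway\\node.exe",
        "Image": "C:\\Program Files\\VMware\\VMware View\\Server\\appblastgateway\\node.exe",
        "CommandLine": "node.exe worker.js",
    }),
    json.dumps({
        "UtcTime": "2022-03-01 10:14:09.000", "User": "NT AUTHORITY\\SYSTEM",
        "ParentImage": "C:\\Program Files\\VMware\\VMware View\\Server\\appblastgateway\\node.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
    }),
    json.dumps({
        "UtcTime": "2022-03-01 10:20:31.000", "User": "CORP\\dev",
        "ParentImage": "C:\\Program Files\\nodejs\\node.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c npm run build",
    }),
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(hit)
```

In production the same rule belongs in your EDR or SIEM, where it should fire on the first occurrence and not just on a keyword in the command line, since the attackers also used PowerShell scripts that a cmd.exe-only match would miss.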
VSingle is used for reconnaissance, data exfiltration and manual backdooring of systems by adding local administrative accounts and accounts with remote desktop access. It is also used to deploy SSH tunneling and proxy tools. The Trojan can download and execute additional plug-ins from the C2 server, delivered as shellcode or as script files in various formats.
In several cases, the attackers used VSingle to deploy Impacket, a collection of Python classes for working with network protocols, which they used to perform lateral movement inside Active Directory environments.
In one case, the researchers observed MagicRAT being deployed alongside VSingle while in another case VSingle was accompanied by YamaBot, a Trojan program written in Go that was recently attributed to Lazarus by Japan’s JPCERT.
In addition to reconnaissance, lateral movement and the deployment of custom implants, the Lazarus attacks also involved credential harvesting from local systems using tools such as Mimikatz and Procdump, exfiltration of Active Directory data, disabling Windows Defender, setting up SOCKS proxies, and more. The Cisco Talos report contains a detailed list of observed tactics, techniques and procedures (TTPs) as well as IOCs associated with this attack campaign.