One Article Review

Home - The article:
Source CISCO Talos
Identifier 6766837
Publication date 2022-09-07 08:01:43 (viewed: 2022-09-07 13:06:08)
Title MagicRAT: Lazarus' latest gateway into victim networks
Text By Jung soo An, Asheer Malhotra and Vitor Ventura.

Cisco Talos has discovered a new remote access trojan (RAT) we're calling "MagicRAT," developed and operated by the Lazarus APT group, which the U.S. government believes is a North Korean state-sponsored actor.

Lazarus deployed MagicRAT after the successful exploitation of vulnerabilities in VMware Horizon platforms.

We've also found links between MagicRAT and another RAT known as "TigerRAT," recently disclosed and attributed to Lazarus by the Korean Internet & Security Agency (KISA). TigerRAT has evolved over the past year to include new functionalities that we illustrate in this blog.

Executive Summary

Cisco Talos has discovered a new remote access trojan (RAT), which we are calling "MagicRAT," that we are attributing with moderate to high confidence to the Lazarus threat actor, a state-sponsored APT attributed to North Korea by the U.S. Cyber Security & Infrastructure Agency (CISA). This new RAT was found on victims that had been initially compromised through the exploitation of publicly exposed VMware Horizon platforms. While a relatively simple RAT capability-wise, it was built using the Qt Framework, with the sole intent of making human analysis harder and automated detection through machine learning and heuristics less likely.

We have also found evidence to suggest that once MagicRAT is deployed on infected systems, it launches additional payloads such as custom-built port scanners. Additionally, we've found that MagicRAT's C2 infrastructure was also used to host newer variants of known Lazarus implants such as TigerRAT. The discovery of MagicRAT in the wild is an indication of Lazarus' motivation to rapidly build new, bespoke malware to use alongside their previously known malware such as TigerRAT to target organizations worldwide.

Actor profile
Sent Yes
Tags Malware Threat Medical
Stories APT 38
Rating ★★★


The article does not appear to have been picked up again after its publication.


The article does not appear to be a repeat of an earlier one.