North Korea's Lazarus APT Uses GUI Framework to Build Stealthy RAT

Published: 23/11/2024   Category: security




The world's most notorious threat actor is using an unprecedented tactic for sneaking spyware into the IT networks of important companies.



In recent attacks against healthcare organizations and an Internet infrastructure company, North Korea's famous Lazarus Group deployed a new, ultra-compact, highly evasive remote access Trojan (RAT) called QuiteRAT.

QuiteRAT is an upgraded version of another RAT the group deployed in 2022, MagicRAT, itself a follow-up to 2021's TigerRAT. QuiteRAT can pilfer information about its host machine and user, as well as run commands, and at just four to five megabytes it hardly leaves a noticeable imprint on a target network.

Most interesting of all, however, is that QuiteRAT is built on Qt, a framework for designing graphical user interfaces (GUIs), which it wears like a costume to sneak past malware detection tools.

In February — five days after the disclosure of proofs-of-concept (PoCs) relating to the 9.8 Critical-rated CVE-2022-47966, a remote code execution (RCE) vulnerability in Zoho ManageEngine — Lazarus exploited ManageEngine ServiceDesk to infiltrate healthcare organizations in the US and UK, as well as a UK-based Internet backbone infrastructure provider, according to a new report from Cisco Talos. It was during these attacks that it first put QuiteRAT to the test.
In April 2022, Lazarus Group compiled the latest known version of MagicRAT, a Trojan that stood out not because of what it did, but because of what it was made of.

MagicRAT was statically linked to Qt, an open source, cross-platform framework for creating graphical user interfaces. As Talos wrote at the time, "The RAT uses the Qt classes throughout its entire code. The configuration is dynamically stored in a QSettings class eventually being saved to disk, a typical functionality provided by that class."
To be clear: there was no graphical component to the malware. So why make that choice? "Firstly, they might be using it because it's an incredibly versatile framework. It gives you a huge amount of options by being platform-agnostic," says Asheer Malhotra, threat researcher for Cisco Talos.

"Secondly, because the Qt framework is used in predominantly benign applications, this might also be a way of evading detections," he explains. "On a typical host machine, there are heuristic detection mechanisms that look for specific frameworks and specific malware files. And based on that, they make a call as to whether this file or executable is malicious or not. The introduction of the Qt framework reduces the possibility of heuristic detection."

"Lazarus will churn out implants at the speed of light," Malhotra marvels. "Almost every year they'll come up with two or three new types of implants, and they will keep using them as long as they see some success. And they see very few disclosures for these implants. When these implants are finally disclosed, they will either start authenticating them, or they will move on to newer implants that they have in the development pipeline."
QuiteRAT, first discovered in February, is the successor to MagicRAT. It lacks any built-in persistence mechanism, which MagicRAT achieved with the ability to set up scheduled tasks (QuiteRAT must be granted such power via a C2 server). However, it makes up for that shortcoming by being significantly more compact — just 4 to 5 megabytes, on average, compared to MagicRAT's 18 megabytes.

"18 megabytes is quite a lot for an application — especially a malware that is trying to be as stealthy as possible. That leaves a huge footprint on a computer," Malhotra explains. It was so large because MagicRAT embedded the entire Qt framework.

"In QuiteRAT, only a handful of relevant, required libraries survived. And that's very helpful, because you want to keep your footprint as small as possible," he says.
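The two passages above describe a distinctive profile for a defender to hunt for: an executable that carries Qt core classes (such as QSettings) with no graphical component at all, and a deliberately small footprint. As an added illustration, not code from the article or from Cisco Talos, here is a simple triage heuristic that reports which Qt core and Qt GUI markers a binary contains and flags the "headless Qt" combination; the marker strings, thresholds and sample blobs are assumptions constructed for this example.

```python
# Added triage heuristic (not from the article or Cisco Talos): flag executables
# that carry Qt core/networking code but no Qt GUI code, the profile the article
# describes for MagicRAT/QuiteRAT. Marker strings are assumptions chosen for
# illustration; real Qt builds expose many more, and a hit is a reason to look
# closer, not a verdict.
from dataclasses import dataclass

# Qt class/library names a "headless" Qt binary would still contain
QT_CORE_MARKERS = (b"QSettings", b"QCoreApplication", b"Qt5Core", b"QNetworkAccessManager")
# Markers a genuine Qt GUI application would normally also contain
QT_GUI_MARKERS = (b"QApplication", b"QWidget", b"QMainWindow", b"Qt5Widgets", b"Qt5Gui")


@dataclass
class QtTriage:
    size_mb: float
    core_hits: tuple
    gui_hits: tuple

    @property
    def headless_qt(self) -> bool:
        """Qt core code present but no GUI classes: the MagicRAT/QuiteRAT profile."""
        return bool(self.core_hits) and not self.gui_hits


def triage_qt_binary(data: bytes) -> QtTriage:
    """Scan raw file bytes for Qt markers and report size in MB (article cites 4-5 MB vs 18 MB)."""
    core = tuple(m.decode() for m in QT_CORE_MARKERS if m in data)
    gui = tuple(m.decode() for m in QT_GUI_MARKERS if m in data)
    return QtTriage(round(len(data) / (1024 * 1024), 2), core, gui)


# Constructed sample blobs (not real malware): a headless Qt binary and an ordinary Qt GUI app.
HEADLESS_SAMPLE = b"\x00" * 1024 + b"QSettings\x00QNetworkAccessManager\x00Qt5Core.dll"
GUI_SAMPLE = b"\x00" * 1024 + b"QApplication\x00QMainWindow\x00QSettings\x00Qt5Widgets.dll"

if __name__ == "__main__":
    for name, blob in (("headless", HEADLESS_SAMPLE), ("gui", GUI_SAMPLE)):
        t = triage_qt_binary(blob)
        verdict = "flag for analyst review" if t.headless_qt else "looks like an ordinary Qt app"
        print(f"{name}: {t.size_mb} MB core={t.core_hits} gui={t.gui_hits} -> {verdict}")
```

On real samples, run the scan over the unpacked executable and any statically linked sections, since the article notes QuiteRAT keeps only a handful of Qt libraries rather than the full framework.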
Besides slimming down, QuiteRAT resembles its predecessor in just about every other way. Both perform limited reconnaissance on entering a machine before planting a remote shell and granting their operators the ability to edit, move, and delete files, or run arbitrary commands. The two also use similar tactics for obfuscating code and entering sleep states.

Whether Lazarus' sneakiest, tiniest RAT will pop up in more campaigns to come remains to be seen. The larger concern, perhaps, is that its cleverest ideas will provide inspiration for more threat actors down the line.

"Historically, we've seen that what happens in the APT space usually makes its way into the private space. Less sophisticated threat actors will pick up on tools, techniques, and tactics. So there is a possibility that the Qt framework is picked up by other malware authors and other APT groups," Malhotra warns, adding there's been no evidence of that happening just yet.
