Researchers have attributed a newly discovered remote access trojan called MagicRAT to the notorious North Korean state-sponsored threat group Lazarus. The previously unidentified malware has been deployed on networks that the attackers had initially infiltrated by exploiting internet-facing VMware Horizon servers.
Today, the Lazarus group operates a couple of branch groups, Andariel and Bluenoroff, designated to execute specific attacks on selected targets.
Bluenoroff focuses on attacking financial institutions overseas and orchestrating monetary theft campaigns, while Andariel prioritises South Korean entities, especially businesses.
According to researchers, Lazarus builds its own attack kits and payloads so that it can execute innovative attack techniques and operate efficiently. A prime example is the effort the state-sponsored actors put into bypassing security products and staying undetected within compromised systems for extended periods.
The latest addition to its malware toolset implies that the group can adopt numerous strategies and techniques depending on its targets and objectives.
Lazarus created MagicRAT mainly to establish persistence on targeted systems.
MagicRAT, a C++-based implant, achieves persistence by creating scheduled tasks on the compromised system. The malware is otherwise a simple payload that gives the attacker a remote shell for executing arbitrary commands and performing file operations.
The malware can also launch additional payloads retrieved from a remote server onto infected hosts. One of the payloads retrieved from the C2 server is presented as a GIF image file, but in reality it is a malicious lightweight port scanner.
Additionally, the command-and-control infrastructure affiliated with the malware has been discovered to accommodate and serve newer variants of TigerRAT.
This remote access trojan was previously linked to Andariel and is designed to capture screenshots, log keystrokes, execute commands, and harvest system data.
The recent TigerRAT variant also incorporates a USB dump function that lets the threat actors search for files with specific extensions. In addition, it lays the groundwork for capturing video from webcams.