Lazarus Group’s Cyber Revolution: From Magicrat to Collectionrat

The Lazarus hacker group, believed to operate from North Korea, has been actively exploiting a critical vulnerability in the Zoho ManageEngine software to launch attacks on numerous companies across different countries.

The malicious operation began at the start of this year, with the aim of compromising organizations in the United States and Great Britain, in order to establish a malicious backdoor and deploy the new Trojan Collectionrat.

The discovery of Collectionrat came after researchers analyzed the infrastructure used for the campaigns, which the hackers also utilized for other attacks.

Lazarus initially exploited the vulnerability known as CVE-2022-47966 for remote code execution, just 5 days after it was published by the Horizon3 research team.

In the second half of 2022, the group used Magicrat in their attacks, causing significant damage to energy companies in the USA, Canada, and Japan.

In February 2023, researchers discovered the new malicious Trojan, Quiterat. Described as a simple but powerful remote access Trojan, it represents a significant advancement compared to Magicrat.

In a separate report, released by Cisco Talos today, it was revealed that the Lazarus hackers have used a new Trojan named Collectionrat in their latest attacks. Associated with the Earlyrat family, Collectionrat boasts extensive capabilities.

The functionality of Collectionrat includes executing arbitrary commands, managing files, gathering system information, creating reverse shells, spawning new processes, sampling and launching new payloads, and even self-replication.

Notably, Collectionrat incorporates the Microsoft Foundation Class (MFC) framework, allowing the Trojan to dynamically decrypt and execute its code, evading detection and hindering analysis.

Further evidence of Lazarus’ evolution in tactics, methods, and procedures, as observed by Cisco Talos, involves the widespread use of open-source tools and frameworks. For instance, Mimikatz is utilized for credential theft, Putty Link (PLINK) for remote tunneling, and deimosC2 for communication with a command and control server.

This approach enables
