CollectionRAT

Malware updated 2 months ago (2024-09-10T03:17:43.826Z)
CollectionRAT is a Windows Remote Access Trojan (RAT) first documented publicly by Cisco Talos in 2023, with samples dating as far back as 2021. It is believed to be connected to the Jupiter/EarlyRAT malware family, which has previously been attributed to Andariel, a subgroup of the North Korean state-sponsored Lazarus Group.

Lazarus Group has used CollectionRAT against healthcare entities in Europe and the United States. In that campaign the group exploited CVE-2022-47966, a now-patched vulnerability in Zoho ManageEngine ServiceDesk, to deploy QuiteRAT and CollectionRAT.

On execution, CollectionRAT collects system information to fingerprint the host and reports it to its command-and-control (C2) server. Like most RATs it lets the operator run arbitrary commands and manage files on the infected system; it also gathers metadata and can retrieve and run additional payloads, so it serves both as an espionage implant and as a stager for follow-on tooling. Those capabilities make it a potent tool for espionage and for disrupting operations at targeted organizations.

Prevention and detection alerts have been implemented for CollectionRAT alongside other Lazarus-linked malware families (RustBucket, KANDYKORN, SmoothOperator, ObjCShellz, Fullhouse, POOLRAT, PondRAT, OdicLoader and Comebacker). Authorities continue to monitor Lazarus Group and its associated Advanced Persistent Threat (APT) actors closely and encourage organizations to maintain robust security controls against these threats.
Description last updated: 2024-09-10T03:17:20.151Z
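The page offers its intelligence as a STIX export. The following added example (not Cybergeist's exporter and not Talos's code) shows how the facts in the description above map onto STIX 2.1 objects, and adds the referential-integrity check a consumer should run on any aggregated bundle before ingesting or re-sharing it. Object IDs are freshly generated UUIDs and the healthcare identity object is a constructed placeholder; neither comes from a real feed.

```python
"""Model the CollectionRAT intelligence on this page as a STIX 2.1 bundle and
check its referential integrity.

Added example: not the Cybergeist STIX export and not Talos's code.  Object IDs
are freshly generated UUIDs (an assumption, not identifiers from any real feed).
"""
import copy
import json
import uuid

TS = "2024-09-10T03:17:20.151Z"  # description timestamp shown on the page

# Allowed (source type, relationship, target type) triples: the subset of the
# STIX 2.1 relationship tables this bundle needs.  "related-to" is a common
# relationship permitted between any two objects and is handled separately.
ALLOWED = {
    ("threat-actor", "uses", "malware"),
    ("threat-actor", "targets", "vulnerability"),
    ("threat-actor", "targets", "identity"),
    ("malware", "uses", "malware"),
    ("malware", "variant-of", "malware"),
    ("malware", "exploits", "vulnerability"),
}


def sdo(stix_type, **props):
    """Minimal STIX Domain Object with the required common properties."""
    obj = {"type": stix_type, "spec_version": "2.1",
           "id": f"{stix_type}--{uuid.uuid4()}", "created": TS, "modified": TS}
    obj.update(props)
    return obj


def rel(source, relationship_type, target):
    return sdo("relationship", relationship_type=relationship_type,
               source_ref=source["id"], target_ref=target["id"])


def build_bundle():
    """STIX objects carrying only the facts stated in the page description."""
    collectionrat = sdo("malware", name="CollectionRAT", is_family=True,
                        malware_types=["remote-access-trojan"],
                        # malware-capability-ov values matching the description
                        capabilities=["fingerprints-host", "communicates-with-c2",
                                      "exfiltrates-data", "installs-other-components"])
    earlyrat = sdo("malware", name="EarlyRAT", is_family=True, aliases=["Jupiter"],
                   malware_types=["remote-access-trojan"])
    quiterat = sdo("malware", name="QuiteRAT", is_family=True,
                   malware_types=["remote-access-trojan"])
    lazarus = sdo("threat-actor", name="Lazarus Group", threat_actor_types=["nation-state"])
    andariel = sdo("threat-actor", name="Andariel", threat_actor_types=["nation-state"])
    cve = sdo("vulnerability", name="CVE-2022-47966",
              external_references=[{"source_name": "cve", "external_id": "CVE-2022-47966"}])
    # Constructed placeholder for the victim class named in the description.
    healthcare = sdo("identity", name="Healthcare entities (Europe, US)",
                     identity_class="class", sectors=["healthcare"])
    objects = [collectionrat, earlyrat, quiterat, lazarus, andariel, cve, healthcare,
               rel(lazarus, "uses", collectionrat),
               rel(lazarus, "uses", quiterat),
               rel(lazarus, "targets", cve),
               rel(lazarus, "targets", healthcare),
               rel(andariel, "uses", earlyrat),
               # The page only says "believed to be connected", so the weak
               # common relationship is used rather than "variant-of".
               rel(collectionrat, "related-to", earlyrat)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def validate(bundle):
    """Return a list of problems; an empty list means the bundle is consistent."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    problems = []
    for o in bundle["objects"]:
        if o["type"] != "relationship":
            continue
        src, dst = by_id.get(o["source_ref"]), by_id.get(o["target_ref"])
        if src is None or dst is None:
            problems.append(f"{o['id']}: dangling reference")
            continue
        triple = (src["type"], o["relationship_type"], dst["type"])
        if o["relationship_type"] != "related-to" and triple not in ALLOWED:
            problems.append(f"{o['id']}: {triple} not allowed by STIX 2.1")
    return problems


def broken_copy(bundle):
    """Constructed failure case: an object dropped during a hand merge while a
    relationship that points at it survives."""
    b = copy.deepcopy(bundle)
    b["objects"] = [o for o in b["objects"] if o.get("name") != "QuiteRAT"]
    return b


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2)[:500], "...")
    print("problems:", validate(bundle))
    print("problems after dropping QuiteRAT:", validate(broken_copy(bundle)))
```

The validator only knows the relationship triples listed in `ALLOWED`; extend that table from the STIX 2.1 specification before using it on bundles with other object types.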
Aliases: none currently tracked.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Malware, RAT, APT.
Associated Malware
EarlyRAT (association type: Unspecified; votes: 2)
EarlyRAT is a previously undocumented malware family discovered by Kaspersky researchers in June 2023. The North Korea-linked APT group Andariel used EarlyRAT in 2022 attacks that exploited the Log4j Log4Shell vulnerability. The malware was first noticed in one of the Log4j cases,
Associated Threat Actors
Lazarus Group (association type: Unspecified; votes: 3)
The Lazarus Group, a notorious North Korean state-sponsored threat actor, is among the most prolific and dangerous cyber threat actors in operation. The group has been involved in several high-profile cyber attacks, including Operation DreamJob in Spain, with the primary objective of funding North K

Andariel (association type: Unspecified; votes: 2)
Andariel, a threat actor controlled by North Korea's military intelligence agency, the Reconnaissance General Bureau, has been actively conducting cyber espionage and ransomware operations. The group funds its activities through ransomware attacks primarily targeting U.S. healthcare entities. In som