Lazarus Group, a North Korean state-sponsored threat actor, has been active for well over a decade and engages in both espionage and financially motivated cybercrime. The group was notably implicated in the 2014 Sony Pictures hack and in a multi-year campaign of intrusions and financial crimes that led the U.S. Department of Justice to charge three of its operatives in 2021. In 2022, Cisco Talos observed Lazarus exploiting the Log4Shell vulnerability (CVE-2021-44228) on publicly exposed VMware Horizon servers to compromise energy companies worldwide and deploy MagicRAT. Talos later traced QuiteRAT, a smaller and simpler remote access Trojan derived from MagicRAT, to operations beginning in May 2022.
The Lazarus Group has continued to evolve its tactics and expand its target set. By May 2022 the IP address 146.4.21.94 was already part of its operational infrastructure. In early 2023 the group also targeted healthcare entities in Europe and the United States, exploiting CVE-2022-47966, a now-patched vulnerability in Zoho ManageEngine ServiceDesk, to deploy QuiteRAT and CollectionRAT. Although security researchers have publicly exposed this infrastructure, the group continues to reuse much of the same infrastructure and tooling across campaigns, which is why published indicators such as the address above remain worth checking for.
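Because the group reuses known infrastructure, a simple retrospective sweep of proxy, web and firewall logs for the published indicator is still a useful first check. The following is an added example, not code from the original page or from Cisco Talos: it extracts every IPv4 address from each log line, validates it, and reports lines that touch an indicator. The log lines, their formats and the field names are constructed for illustration; the only indicator taken from the text above is 146.4.21.94.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicator from the description above (reported by Cisco Talos).
# Add further indicators from a vetted feed here; the scanner is format-agnostic.
KNOWN_LAZARUS_IPS = {"146.4.21.94"}

# Loose IPv4 pattern; candidates are validated with ipaddress below so that
# fragments such as "999.1.2.3" or version strings do not produce false hits.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Hit:
    line_no: int      # 1-based position in the input
    indicator: str    # the indicator that matched
    line: str         # the raw log line, for the analyst to pivot on


def extract_ips(line: str) -> list[str]:
    """Return all syntactically valid IPv4 addresses found in a log line."""
    found = []
    for candidate in IPV4_RE.findall(line):
        try:
            found.append(str(ipaddress.ip_address(candidate)))
        except ValueError:
            continue  # not a real address (octet > 255 etc.)
    return found


def scan_log(lines, iocs=KNOWN_LAZARUS_IPS) -> list[Hit]:
    """Match every address in every line against the indicator set.

    Works on any text log (Apache/nginx access logs, syslog firewall lines,
    proxy exports) because it does not depend on a fixed column layout.
    """
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for ip in extract_ips(line):
            if ip in iocs:
                hits.append(Hit(line_no, ip, line.rstrip()))
    return hits


# Constructed sample lines (not real telemetry): one access-log hit,
# one benign line, one firewall-style hit, one invalid-address decoy.
SAMPLE_LOG = [
    '146.4.21.94 - - [12/May/2022:03:14:07 +0000] "GET /ServiceDesk/ HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/May/2022:03:15:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
    "May 12 03:16:44 fw01 kernel: OUT src=10.0.0.7 dst=146.4.21.94 proto=TCP dpt=443",
    "May 12 03:17:02 app01 agent: version 999.4.21.94 heartbeat ok",
]


def demo() -> list[Hit]:
    """Run the sweep over the constructed sample and return the hits."""
    return scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    for hit in demo():
        print(f"line {hit.line_no}: {hit.indicator} -> {hit.line}")
```

Hits on the indicator are a starting point for an investigation, not a verdict: confirm direction of the connection, the process or host involved, and whether the address still resolves to the same hosting at the time of the log entry.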
Furthermore, analysis of malware samples attributed to Lazarus reveals connections to other malware families. One such link is to Jupiter/EarlyRAT, which is associated with Andariel, a subgroup operating under the Lazarus Group umbrella. This points to a web of interconnected teams and shared tooling operating under the Lazarus banner, and to a persistent, well-resourced approach in which code and infrastructure are reused across campaigns.
Description last updated: 2024-03-14T17:29:34.537Z