Magicrat

Malware Profile Updated 3 months ago

Download STIX

Preview STIX

MagicRAT is a type of malware, first observed by Cisco Talos in 2022, that was used by the Lazarus Group to exploit vulnerabilities in publicly exposed VMWare Horizon platforms, primarily targeting energy companies worldwide. This malicious software, which can infiltrate systems through suspicious downloads, emails, or websites, can steal personal information, disrupt operations, and even hold data hostage for ransom. The Lazarus group, known for its use of custom malware, has been linked to both MagicRAT and its derivative, QuiteRAT. In May 2023, the Lazarus Group began deploying QuiteRAT, a smaller, more compact Qt-based implant that's clearly an evolution of MagicRAT. North Korean coders managed to reduce the size of this Trojan to 5 megabytes from MagicRAT's original 18MB by incorporating only a handful of required Qt libraries instead of the entire framework. Both Trojans are based on the Qt open-source development framework, which makes machine learning and heuristic analysis detection tools less reliable since Qt is rarely used in malware development. The campaign introduced several new malware families such as YamaBot and MagicRat, along with updated versions of NukeSped and DTrack. Significant similarities were also found between EarlyRAT and Lazarus' MagicRAT tool, indicating a potential shift in tactics and possible involvement of inexperienced operators. The use of non-traditional frameworks like Qt in malware authoring, as seen in MagicRAT and QuiteRAT, represents a definitive shift in techniques, tactics, and procedures (TTPs) from APT groups under the Lazarus umbrella.

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
Quiterat	4	QuiteRAT is a new type of malware associated with the North Korea-linked Lazarus Group, known for their use of custom malware. Built using the Qt framework, QuiteRAT is smaller in size compared to MagicRAT, another malware linked to the group, due to its incorporation of fewer Qt libraries and lack
Earlyrat	2	EarlyRat is a previously undocumented malware discovered by Kaspersky researchers in June. The North Korea-linked Advanced Persistent Threat (APT) group Andariel used EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year. The malware was first noticed in one of the Log4j cases,
Ninerat	1	NineRAT is a malware strain developed by the Lazarus group, and it was first used in Operation Blacksmith in March 2022 against a South American agricultural organization. The malware was initially built around May 2022 and was later observed being utilized in September against a European manufactur

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Apt

Trojan

State Sponso...

Implant

Cisco

Talos

Manageengine

Exploits

Log4j

Exploit

Vulnerability

Associated Malware

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
Collectionrat	Unspecified	1	CollectionRAT is a newly identified malware, discovered by cybersecurity researchers who traced its origins through reused infrastructure components. This malicious software, short for Malware, is designed to exploit and damage computers or devices, often infiltrating systems via suspicious download
Dtrack	Unspecified	1	DTrack is a type of malware, or malicious software, known for its destructive capabilities. It can infiltrate systems through dubious downloads, emails, or websites and wreak havoc by stealing personal information, disrupting operations, or holding data hostage for ransom. Notably, DTrack was utiliz

Associated Threat Actors

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
Lazarus Group	Unspecified	4	The Lazarus Group, a notorious threat actor believed to be linked to North Korea, has been attributed with a series of significant cyber-attacks over the past few years. The group's malicious activities include the exploitation of digital infrastructure, stealing cryptocurrency, and executing large-
Stonefly	Unspecified	1	Stonefly, also known as Andariel or Silent Chollima, is a threat actor group believed to be linked with the North Korean government. Active since at least 2015, Stonefly has been involved in numerous attacks, including several attributed to the North Korean state-sponsored operation Lazarus. The gro
Andariel	Unspecified	1	Andariel, a notorious threat actor associated with the Lazarus Group and linked to North Korea, is known for its malicious cyber activities. The group has been identified using DTrack malware and Maui ransomware, notably in mid-2022, and has developed a reputation for exploiting ActiveX objects. Res

Associated Vulnerabilities

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
Magicrat Quiterat	Unspecified	1	None
CVE-2022-47966	Unspecified	1	CVE-2022-47966 is a critical vulnerability discovered in Zoho ManageEngine ServiceDesk Plus, a widely used IT management software. The flaw was exploited by malicious actors to gain unauthorized access to the organization's systems and networks. The exploitation started just five days after proof-of

Source Document References

Information about the Magicrat Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source	CreatedAt	Title
Securityaffairs	7 months ago	Operation Blacksmith: Lazarus exploits Log4j flaws to deploy DLang malware
CERT-EU	7 months ago	Lazarus Cryptocurrency Hacks Estimated To Be $3 Billion
CERT-EU	a year ago	IT threat evolution in Q2 2023 – GIXtools
BankInfoSecurity	a year ago	New Malware by Lazarus-Backed Andariel Group Exploits Log4j
CERT-EU	a year ago	IT threat evolution Q2 2023
CERT-EU	a year ago	Attacks by Lazarus sub-group involve novel EarlyRAT malware
BankInfoSecurity	a year ago	Lazarus Group Debuts Tiny Trojan for Espionage Attacks
CERT-EU	a year ago	Andariel’s Mistakes Uncover New Malware in Lazarus Group Campaign
CERT-EU	a year ago	Cyber Security Week in Review: August 25, 2023
CERT-EU	a year ago	North Korean APT Hacks Internet Infrastructure Provider via ManageEngine Flaw
CERT-EU	a year ago	North Korea threat group exploiting ManageEngine ServiceDesk bug
Securityaffairs	a year ago	Lazarus APT exploits Zoho ManageEngine flaw to target an Internet backbone infrastructure provider
CERT-EU	a year ago	Lazarus Group Exploits Critical Zoho ManageEngine Flaw to Deploy Stealthy QuiteRAT Malware
CERT-EU	a year ago	Hackers use public ManageEngine exploit to breach internet org
CERT-EU	a year ago	Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT
CERT-EU	a year ago	Andariel APT Hackers Drop a New Malware On Windows Via Weaponized MS Word Doc
CERT-EU	a year ago	Andariel’s silly mistakes and a new malware family – Cyber Security Review
CERT-EU	a year ago	Log4j bug exploited to push novel EarlyRat malware
CERT-EU	a year ago	Kaspersky crimeware report: Andariel’s mistakes and EasyRat malware
CERT-EU	a year ago	New Malware Alert: EarlyRAT Linked to North Korean Hacking Group