Magicrat

Malware Profile Updated 25 days ago
MagicRAT is a remote access trojan first documented by Cisco Talos in 2022. The Lazarus Group deployed it after exploiting the Log4Shell vulnerability in publicly exposed VMware Horizon servers, primarily against energy companies. Once installed, it gives the operators remote access to run commands and stage additional payloads on the host. Lazarus, known for its use of custom malware, has been linked to both MagicRAT and its derivative, QuiteRAT.

In May 2023 Lazarus began deploying QuiteRAT, a smaller, more compact Qt-based implant that is clearly an evolution of MagicRAT. Its authors reduced the size of the trojan to roughly 5 MB from MagicRAT's 18 MB by incorporating only a handful of required Qt libraries instead of the entire framework. Both trojans are built on the open-source Qt development framework, which makes machine-learning and heuristic detection less reliable, since Qt is rarely used in malware development.

Kaspersky's analysis of the Log4j campaign attributed to Andariel, a Lazarus subgroup, found that it introduced several new malware families, such as YamaBot and MagicRAT, along with updated versions of NukeSped and DTrack. Kaspersky also noted significant similarities between EarlyRAT and MagicRAT, and the operator mistakes it observed during those intrusions suggested the involvement of inexperienced operators. The use of non-traditional frameworks such as Qt in malware authoring, as seen in MagicRAT and QuiteRAT, marks a definitive shift in the tactics, techniques and procedures (TTPs) of APT groups under the Lazarus umbrella.
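The point above, that a Qt-linked implant slips past heuristics tuned for "normal" malware, can be turned around for hunting: in directories where a Qt application has no business being (a service binary, a temp-folder "updater"), Qt artefacts are themselves a signal. The script below is an added example for this profile, not Cisco Talos' or Kaspersky's detection logic, and it has not been run against MagicRAT or QuiteRAT samples. It scans a raw file buffer for well-known Qt artefacts (Qt DLL import names, Qt class and meta-object names in ASCII or UTF-16LE, the Qt Company copyright string, a Qt version string) and separates binaries that import Qt DLLs from binaries that carry Qt class names with no Qt DLL imports, which is what a statically compiled-in framework looks like. The indicator lists, thresholds and the three sample buffers are constructed for illustration; the samples stand in for PE files and are not real malware.

```python
"""Qt-artefact triage for Windows binaries.

Added example for this profile (not vendor code). The indicator strings are
well-known Qt symbols and metadata; the sample buffers at the bottom are
constructed stand-ins for PE files, not real samples.
"""
import re

# Import names appear when Qt is dynamically linked. Class names and the
# vendor string are embedded in the executable itself when Qt is compiled in
# statically (Qt's moc meta-object data stores class names as plain strings),
# which is also what inflates such binaries to many megabytes.
QT_IMPORT_DLLS = (
    b"Qt5Core.dll", b"Qt5Network.dll", b"Qt6Core.dll", b"Qt6Network.dll",
    b"QtCore4.dll", b"QtNetwork4.dll",
)
QT_SYMBOLS = (
    b"QCoreApplication", b"QNetworkAccessManager", b"QNetworkRequest",
    b"QProcess", b"QTimer", b"qt_plugin_instance",
)
QT_METADATA = (b"The Qt Company Ltd", b"Qt Project")
# e.g. "Qt 5.12.10"; "Qt5Core" does not match because no '.' follows the digit.
QT_VERSION_RE = re.compile(rb"Qt ?([456]\.\d+(?:\.\d+)?)")


def _utf16le(s: bytes) -> bytes:
    """Qt stores QString literals as UTF-16LE, so check that encoding too."""
    return s.decode("ascii").encode("utf-16-le")


def find_qt_indicators(data: bytes) -> dict:
    """Return the Qt indicators present in the buffer, grouped by kind."""
    hits = {"import_dlls": [], "symbols": [], "metadata": [], "version": None}
    for group, needles in (("import_dlls", QT_IMPORT_DLLS),
                           ("symbols", QT_SYMBOLS),
                           ("metadata", QT_METADATA)):
        for needle in needles:
            if needle in data or _utf16le(needle) in data:
                hits[group].append(needle.decode())
    match = QT_VERSION_RE.search(data)
    if match:
        hits["version"] = match.group(1).decode()
    return hits


def classify(data: bytes, large_threshold: int = 2 * 1024 * 1024) -> dict:
    """Decide whether the buffer is Qt-linked and, if so, how.

    static_qt: Qt class names present but no Qt DLL imports, i.e. the framework
    is compiled in. large_threshold (2 MiB, an assumed value) separates a
    statically linked implant from small stubs.
    """
    hits = find_qt_indicators(data)
    qt_linked = bool(hits["symbols"] or hits["import_dlls"])
    static_qt = qt_linked and not hits["import_dlls"]
    return {
        "qt_linked": qt_linked,
        "static_qt": static_qt,
        "oversized_static": static_qt and len(data) >= large_threshold,
        "indicators": hits,
    }


def triage(samples: dict) -> list:
    """Names of samples that show any Qt linkage and deserve analyst attention."""
    return [name for name, blob in samples.items() if classify(blob)["qt_linked"]]


def _pad(n: int) -> bytes:
    return b"\x00" * n


# Constructed stand-ins for PE files (NOT real malware samples).
SAMPLES = {
    # Statically linked Qt: class names and vendor string, no Qt DLL imports.
    "static_qt_service.exe": (b"MZ" + _pad(64) + b"kernel32.dll\x00"
        + b"QCoreApplication\x00QNetworkAccessManager\x00QProcess\x00"
        + b"The Qt Company Ltd\x00Qt 5.12.10\x00"),
    # Dynamically linked Qt: imports Qt DLLs, one QString literal in UTF-16LE.
    "dynamic_qt_tool.exe": (b"MZ" + _pad(64) + b"Qt5Core.dll\x00Qt5Network.dll\x00"
        + _utf16le(b"QNetworkRequest")),
    # Ordinary binary with no Qt artefacts at all.
    "plain_updater.exe": (b"MZ" + _pad(64) + b"kernel32.dll\x00CreateProcessW\x00"
        + b"ws2_32.dll\x00WSAStartup\x00"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, classify(blob))
    print("flagged:", triage(SAMPLES))
```

Legitimate Qt applications and the Qt DLLs themselves match too, so this is a hunting filter for locations where Qt is unexpected, not a verdict; pair a hit with the usual context (signer, parent process, path, whether a GUI is ever shown) before escalating.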
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Quiterat | 4 | QuiteRAT is a new type of malware associated with the North Korea-linked Lazarus Group, known for their use of custom malware. Built using the Qt framework, QuiteRAT is smaller in size compared to MagicRAT, another malware linked to the group, due to its incorporation of fewer Qt libraries and lack
Earlyrat | 2 | EarlyRat is a previously undocumented malware discovered by Kaspersky researchers in June. The North Korea-linked Advanced Persistent Threat (APT) group Andariel used EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year. The malware was first noticed in one of the Log4j cases,
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Trojan
Apt
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Lazarus Group | Unspecified | 4 | The Lazarus Group, also known as Diamond Sleet, is a notorious threat actor attributed to numerous cyber-attacks and illicit activities. This group is associated with North Korea and has been implicated in several high-profile incidents, including Operation DreamJob in Spain, which was attributed to
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the MagicRAT malware was read from the documents in the corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 9 months ago | Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT
CERT-EU | 9 months ago | North Korea's Lazarus APT Uses GUI Framework to Build Stealthy RAT
CERT-EU | 9 months ago | Lazarus Group Exploits Critical Zoho ManageEngine Flaw to Deploy Stealthy QuiteRAT Malware
BankInfoSecurity | 9 months ago | Lazarus Group Debuts Tiny Trojan for Espionage Attacks
CERT-EU | a year ago | Log4j bug exploited to push novel EarlyRat malware
CERT-EU | a year ago | Kaspersky crimeware report: Andariel’s mistakes and EasyRat malware
InfoSecurity-magazine | 9 months ago | Lazarus Targets Internet Infrastructure and Healthcare with QuiteRAT
CERT-EU | a year ago | Andariel APT Hackers Drop a New Malware On Windows Via Weaponized MS Word Doc
CERT-EU | 9 months ago | North Korean APT Hacks Internet Infrastructure Provider via ManageEngine Flaw
CERT-EU | 9 months ago | North Korea threat group exploiting ManageEngine ServiceDesk bug
Securityaffairs | 6 months ago | Operation Blacksmith: Lazarus exploits Log4j flaws to deploy DLang malware
CERT-EU | 9 months ago | Hackers use public ManageEngine exploit to breach internet org
CERT-EU | a year ago | New Malware Alert: EarlyRAT Linked to North Korean Hacking Group
CERT-EU | 9 months ago | IT threat evolution Q2 2023
CERT-EU | 9 months ago | Cyber Security Week in Review: August 25, 2023
BankInfoSecurity | a year ago | New Malware by Lazarus-Backed Andariel Group Exploits Log4j
CERT-EU | 9 months ago | IT threat evolution in Q2 2023 – GIXtools
CERT-EU | 6 months ago | Lazarus Cryptocurrency Hacks Estimated To Be $3 Billion
Securityaffairs | a year ago | North Korean Andariel APT used a new malware named EarlyRat
CERT-EU | a year ago | Andariel’s silly mistakes and a new malware family – Cyber Security Review