Quiterat

Malware updated 6 months ago (2024-05-04T18:36:49.782Z)

Download STIX

Preview STIX

QuiteRAT is a new type of malware associated with the North Korea-linked Lazarus Group, known for their use of custom malware. Built using the Qt framework, QuiteRAT is smaller in size compared to MagicRAT, another malware linked to the group, due to its incorporation of fewer Qt libraries and lack of a built-in persistence mechanism. Despite this, it retains significant capabilities such as arbitrary command execution, although it requires granting power via a C2 server for persistence. The Lazarus Group exploited a critical flaw in Zoho ManageEngine ServiceDesk Plus to deliver QuiteRAT. The Advanced Persistent Threat (APT) group used this vulnerability to deploy the malware, infecting victims through a now-patched Zoho bug. The attackers have been exploiting this vulnerability to deploy the remote access Trojan QuiteRAT, according to HHS HC3. Last month, Cisco Talos detailed an espionage campaign that appeared to trace back to North Korea's Lazarus Group. This campaign targeted the Zoho ManageEngine vulnerability to deploy QuiteRAT. The Lazarus Group has also deployed this new variety of remote-access Trojan on the networks of a European internet backbone infrastructure provider. Furthermore, the group has been targeting Internet Infrastructure and Healthcare sectors with QuiteRAT, indicating a broad and potentially devastating impact.

Description last updated: 2024-05-04T17:19:01.816Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Magicrat is a possible alias for Quiterat. MagicRAT is a type of malware, first observed by Cisco Talos in 2022, that was used by the Lazarus Group to exploit vulnerabilities in publicly exposed VMWare Horizon platforms, primarily targeting energy companies worldwide. This malicious software, which can infiltrate systems through suspicious d	4

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Manageengine

Vulnerability

Implant

Curl

Reconnaissance

Trojan

Exploits

Exploit

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Earlyrat Malware is associated with Quiterat. EarlyRat is a previously undocumented malware discovered by Kaspersky researchers in June. The North Korea-linked Advanced Persistent Threat (APT) group Andariel used EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year. The malware was first noticed in one of the Log4j cases,	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Lazarus Group Threat Actor is associated with Quiterat. The Lazarus Group, also known as Hidden Cobra and Guardians of Peace, is a notorious threat actor attributed to North Korea. Their activities date back several years, with significant exploits including the "FASTCash" ATM cash-out scheme warned about by the US-CERT in October 2018. More recently, th	Unspecified	4

Source Document References

Information about the Quiterat Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	10 months ago	Lazarus Group Is Still Juicing Log4Shell, Using RATs Written in 'D'
CERT-EU	10 months ago	Lazarus Cryptocurrency Hacks Estimated To Be $3 Billion
InfoSecurity-magazine	a year ago	Philadelphia Alerts Public to Recent Data Breach
CERT-EU	a year ago	Connect the Dots on State-Sponsored Cyber Incidents - Targeting of internet infrastructure provider in Europe
BankInfoSecurity	a year ago	Feds Warn Health Sector of Lazarus Group Attacks
BankInfoSecurity	a year ago	Feds Urge Immediate Patching of Zoho and Fortinet Products
BankInfoSecurity	a year ago	Feds Urge Immediately Patching of Zoho and Fortinet Products
CERT-EU	a year ago	Weekendowa Lektura: odcinek 535 [2023-09-02]. Bierzcie i czytajcie \| Zaufana Trzecia Strona
CERT-EU	a year ago	Lazarus Employs Public ManageEngine Exploit to Breach Internet Firms \| IT Security News
BankInfoSecurity	a year ago	Lazarus Group Debuts Tiny Trojan for Espionage Attacks
CERT-EU	a year ago	Cyber Security Week in Review: August 25, 2023
CERT-EU	a year ago	Lazarus Group's infrastructure reuse leads to discovery of new malware - Cyber Security Review
CERT-EU	a year ago	North Korean APT Hacks Internet Infrastructure Provider via ManageEngine Flaw
InfoSecurity-magazine	a year ago	Lazarus Targets Internet Infrastructure and Healthcare with QuiteRAT
CERT-EU	a year ago	Lazarus Group Targets Internet Infrastructure and Healthcare with ‘QuiteRAT’ Malware \| IT Security News
CERT-EU	a year ago	North Korea threat group exploiting ManageEngine ServiceDesk bug
CERT-EU	a year ago	Lazarus APT exploits Zoho ManageEngine flaw to target an Internet backbone infrastructure provider \| IT Security News
CERT-EU	a year ago	Lazarus Group Exploits Critical Zoho ManageEngine Flaw to Deploy Stealthy QuiteRAT Malware
Securityaffairs	a year ago	Lazarus APT exploits Zoho ManageEngine flaw to target an Internet backbone infrastructure provider
CERT-EU	a year ago	Hackers use public ManageEngine exploit to breach internet org