Connect with us

Hi, what are you looking for?



North Korean APT Hacks Internet Infrastructure Provider via ManageEngine Flaw

North Korea-linked Lazarus Group exploited a ManageEngine vulnerability to compromise an internet backbone infrastructure provider.

The North Korea-linked advanced persistent threat (APT) actor Lazarus Group has been observed exploiting a Zoho ManageEngine vulnerability to compromise an internet backbone infrastructure provider in Europe, Cisco’s Talos security researchers report.

The attack occurred in early 2023, roughly five days after proof-of-concept (PoC) exploit code targeting the ManageEngine flaw, which is tracked as CVE-2022-47966 (CVSS score of 9.8), was published.

Identified in the Apache xmlsec (XML Security for Java) third-party dependency, the issue can be exploited for unauthenticated, remote code execution. In November 2022, Zoho announced patches for over 20 impacted on-premises products.

Lazarus was seen exploiting CVE-2022-47966 to deploy a new remote access trojan (RAT) variant called QuiteRAT, which Cisco’s researchers believe is a derivative of the known Lazarus-linked MagicRAT.

Once executed on a compromised machine, QuiteRAT harvests system information and sends it to the attackers’ server, and then waits for commands to execute.

The malware allows the attackers to perform further system reconnaissance, as well as to achieve persistence by issuing a command to modify the Windows registry. QuiteRAT also allows the attackers to deploy additional malware.

Built using the Qt framework, QuiteRAT is much smaller in size compared to MagicRAT, mainly because it incorporates fewer Qt libraries and has no persistence mechanism implemented.

Advertisement. Scroll to continue reading.

The researchers observed various other similarities between the two malware families, including the implementation of the same abilities, such as support for executing commands on the infected machine.

“Both implants also use base64 encoding to obfuscate their strings with an additional measure, such as XOR or prepending hardcoded data, to make it difficult to decode the strings automatically. Additionally, both implants use similar functionality to allow them to remain dormant on the endpoint by specifying a sleep period for them by the C2 server,” Cisco notes.

According to the researchers, Lazarus appears to have dropped MagicRAT (the latest known variant was compiled in April 2022) and replaced it with QuiteRAT in more recent attacks.

In addition to the internet backbone infrastructure company, Lazarus was also seen targeting healthcare entities in Europe and the US, Cisco notes.

Related: North Korea’s Lazarus Targets Energy Firms With Three RATs

Related: FBI Finds 1,580 Bitcoin in Crypto Wallets Linked to North Korean Hackers

Related: North Korean Hackers Targeted Russian Missile Developer

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.


Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...