One of North Korea’s most prominent cyberespionage groups has been using two new remote access trojans (RATs) in attack campaigns this year, researchers warn. One of the operations targeted internet backbone infrastructure and healthcare organizations from Europe and the United States.

“Lazarus Group remains highly active, with this being their third documented campaign in less than a year,” researchers from Cisco Talos said in a new report. “In September 2022, Talos published details of a Lazarus Group campaign targeting energy providers in the United States, Canada, and Japan. This campaign, enabled by the successful exploitation of the Log4j vulnerability, heavily employed a previously unknown implant we called ‘MagicRAT,’ along with known malware families VSingle, YamaBot, and TigerRAT, all of which were previously attributed to the threat actor by Japanese and Korean government agencies.”

An evolution of MagicRAT

In a campaign from earlier this year, the Talos researchers observed the group deploy a new RAT that appears to be a much more streamlined variant of MagicRAT. The researchers dubbed the new program QuiteRAT and saw it deployed in attacks that exploited a critical remote code execution vulnerability in ManageEngine ServiceDesk tracked as CVE-2022-47966.

Lazarus (APT38) is one of the North Korean government’s state-run hacking teams and is tasked with cyberespionage and sabotage. Its operations go back many years, and it shares parts of its toolset and infrastructure with other North Korean APT groups.

According to Talos, the Lazarus attackers started exploiting CVE-2022-47966 within days of a proof-of-concept exploit becoming available in January. One of the victims was an internet backbone infrastructure provider in Europe whose server was backdoored with a malware program that researchers hadn’t seen before: QuiteRAT.

QuiteRAT has many similarities to MagicRAT, which is a known Lazarus tool, but is much smaller and lacks a built-in persistence mechanism. Like MagicRAT, QuiteRAT was created with the Qt framework, an open-source platform for developing cross-platform applications that has gained popularity for the ease of creating graphical user interfaces (GUIs).