Lazarus Group fields new malware.
By Tim Nodar, CyberWire senior staff writer
Aug 25, 2023

The DPRK's Lazarus Group has some new tactics, and a new attack tool.

Lazarus Group fields new malware.

Researchers at Cisco Talos observe that the “Lazarus Group appears to be changing its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase.”

CollectionRAT enters the Lazarus Group toolkit.

Cisco Talos has discovered a new remote access Trojan, “CollectionRAT,” that’s being used by North Korea’s Lazarus Group: “CollectionRAT consists of a variety of standard RAT capabilities, including the ability to run arbitrary commands and manage files on the infected endpoint. The implant consists of a packed Microsoft Foundation Class (MFC) library-based Windows binary that decrypts and executes the actual malware code on the fly. Malware developers like using MFC even though it’s a complex, object-oriented wrapper. MFC, which traditionally is used to create Windows applications’ user interfaces, controls and events, allows multiple components of malware to seamlessly work with each other while abstracting the inner implementations of the Windows OS from the authors.”

Ransomware may get the column inches, but RATs are also out and about.

Erich Kron, Security Awareness Advocate at KnowBe4, commented: “While a lot of attention focuses on threats such as ransomware, Remote Access Trojans (RATs) are still alive and well in the cybercrime world. Whether they're being deployed for use by their own groups, as in the case of Lazarus, or being deployed and that access sold by initial access brokers, the resulting intrusion can still cause significant harm to organizations. These types of RATs are spread through various means such as unpatched software and through email, so organizations should ensure they are patching as soon as possible, especially when a device is internet-facing, and that users are educated in how to spot and report phishing attacks. While not as newsworthy as a ransomware infection, a lot of damage can still be done through one of these infections, and organizations should take the threat very seriously.”