North Korean cybercrime operation Lazarus Group, also known as APT38, Hidden Cobra, Dark Seoul, and Zinc, has been using the new MagicRAT malware in attacks against networks that have been compromised through vulnerable VMware Horizon servers, according to The Hacker News.
MagicRAT is a C++-based implant that leverages the Qt Framework to complicate human analysis and evade detection by machine-learning technologies, Cisco Talos researchers reported. The report also showed that, aside from creating scheduled tasks to achieve persistence on impacted systems, the malware can deploy additional payloads from a remote server, one of which is a lightweight port scanner purporting to be a GIF image file.
Newer versions of the TigerRAT backdoor, linked to the Lazarus spinoff Andariel, have also been found on MagicRAT's command-and-control infrastructure.
"The discovery of MagicRAT in the wild is an indication of Lazarus' motivations to rapidly build new, bespoke malware to use along with their previously known malware such as TigerRAT to target organizations worldwide," researchers added.
As part of its latest attacks, discovered in June, Tropic Trooper exploited several known Microsoft Exchange Server and Adobe ColdFusion vulnerabilities to deploy an updated China Chopper web shell on a server hosting the Umbraco open-source content management system.
More than 50 Alibaba-hosted command-and-control servers have been leveraged to facilitate the distribution of the backdoor, which impersonates the Java, bash, sshd, SQLite, and edr-agent utilities.
Angola and the Democratic Republic of Congo, which is a new Intellexa client, may have leveraged new Predator infrastructure to enable spyware staging and exploitation, according to an analysis from Recorded Future's Insikt Group.