Sep 15, 2022

Lazarus’ MagicRAT and TigerRAT


Summary

Cisco Talos has discovered a new remote access trojan (RAT), called “MagicRAT,” and attributes it to the Lazarus threat actor, a state-sponsored APT that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) attributes to North Korea.

MagicRAT has been deployed on victims that were initially compromised through the exploitation of publicly exposed VMware Horizon servers¹. Armis customers with internet-facing VMware Horizon deployments should be especially aware of this threat.

The RAT was designed to make human analysis harder and automated detection through machine learning and heuristics less likely². The published IOCs are limited, but the Armis platform can be used to search for the indicators that are available.

Once deployed on an infected system, MagicRAT launches additional payloads such as port scanners. Its command and control (C2) infrastructure has also been used to host newer variants of a known Lazarus implant, TigerRAT³.

Armis customers will want to know how to use Armis to look for these attacks and respond appropriately. Armis Threat Services cannot anticipate every attack situation or every company’s risk profile, but we can offer examples of Armis Standard Query (ASQ) searches that may help customers look for activity in their environment that could point to this ongoing threat.

Threat Expectations

The North Korean state-sponsored Lazarus Group is behind a new cyberespionage campaign with the goal of stealing data and trade secrets from energy providers across the US, Canada and Japan⁴. The targets identified by Cisco Talos are the expected ones, but the list is not necessarily all-encompassing.

For the vast majority of Armis customers, the industry listed below is the one most likely to be of concern:

  1. Energy operations

Armis Queries

Below are examples of Armis queries that may help in looking for activity tied to this campaign. All of the queries below include a 7-day time frame. If you decide to use any of them as a policy, remove the 7-day time frame before saving it as a policy, so that the policy evaluates all matching activity rather than a fixed window. Several of the indicator addresses sit in public cloud hosting ranges and can be reassigned over time, so treat a match as a lead for investigation rather than as confirmed compromise.

1. IP connections where the external endpoint is one of the indicator IP addresses:

in:ipConnections timeFrame:"7 Days" endpointA:(externalHost:193.56.28.251,52.202.193.124,64.188.27.73,151.106.2.139,66.154.102.91,104.155.149.103,40.121.90.194,185.29.8.162,146.4.21.94,46.183.221.109,84.38.133.145,109.248.150.13,155.94.210.11,192.186.183.133,54.68.42.4,213.180.180.154)

2. Devices with a service matching one of the indicator IP addresses:

in:devices timeFrame:"7 Days" services:(name:(193.56.28.251,52.202.193.124,64.188.27.73,151.106.2.139,66.154.102.91,104.155.149.103,40.121.90.194,185.29.8.162,146.4.21.94,46.183.221.109,84.38.133.145,109.248.150.13,155.94.210.11,192.186.183.133,54.68.42.4,213.180.180.154))

3. DNS queries whose answers resolve to one of the indicator IP addresses:

in:activity timeFrame:"7 Days" type:"DNS Query" decisionData:(answerIps:193.56.28.251,52.202.193.124,64.188.27.73,151.106.2.139,66.154.102.91,104.155.149.103,40.121.90.194,185.29.8.162,146.4.21.94,46.183.221.109,84.38.133.145,109.248.150.13,155.94.210.11,192.186.183.133,54.68.42.4,213.180.180.154)

4. DNS queries for one of the indicator domains:

in:activity type:"DNS Query" decisionData:(host:www.ajoa.org,www.orvi00.com,tecnojournals.com,semiconductboard.com,cyancow.com,mudeungsan.or.kr,www.easyview.kr,gendoraduragonkgp126.com) timeFrame:"7 Days"

5. Devices with a host service name matching one of the indicator domains:

in:devices timeFrame:"7 Days" host:(serviceName:(www.ajoa.org,www.orvi00.com,tecnojournals.com,semiconductboard.com,cyancow.com,mudeungsan.or.kr,www.easyview.kr,gendoraduragonkgp126.com))

6. IP connections where the external endpoint is one of the indicator domains:

in:ipConnections timeFrame:"7 Days" endpointA:(externalHost:(www.ajoa.org,www.orvi00.com,tecnojournals.com,semiconductboard.com,cyancow.com,mudeungsan.or.kr,www.easyview.kr,gendoraduragonkgp126.com))
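The six queries above express four detection ideas: connections to the indicator IP addresses, connections to the indicator hostnames, DNS answers that resolve to the indicator addresses, and DNS queries for the indicator hostnames. For customers who also hold connection and DNS telemetry outside Armis, or who want to see what a 7-day window returns versus a saved policy with no window, the following Python script is an added example, not Armis code and not ASQ, that applies the same indicator set to constructed sample records. The record schemas (Conn, DnsQuery), the device names, the timestamps and every address or hostname not in the indicator list are assumptions for illustration; only the indicator values themselves come from the queries above.

```python
"""Offline indicator sweep mirroring the six Armis queries above.

Added example, not Armis code. Standard library only.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Indicator values copied from the queries above. The duplicated
# 84.38.133.145 entry in the original lists collapses into the set.
IOC_IPS = frozenset({
    "193.56.28.251", "52.202.193.124", "64.188.27.73", "151.106.2.139",
    "66.154.102.91", "104.155.149.103", "40.121.90.194", "185.29.8.162",
    "146.4.21.94", "46.183.221.109", "84.38.133.145", "109.248.150.13",
    "155.94.210.11", "192.186.183.133", "54.68.42.4", "213.180.180.154",
})
IOC_HOSTS = frozenset({
    "www.ajoa.org", "www.orvi00.com", "tecnojournals.com",
    "semiconductboard.com", "cyancow.com", "mudeungsan.or.kr",
    "www.easyview.kr", "gendoraduragonkgp126.com",
})


@dataclass(frozen=True)
class Conn:
    """One outbound connection record (hypothetical schema)."""
    device: str
    dst_ip: str
    dst_host: str | None
    ts: datetime


@dataclass(frozen=True)
class DnsQuery:
    """One DNS query with its resolved answers (hypothetical schema)."""
    device: str
    qname: str
    answers: tuple[str, ...]
    ts: datetime


def host_matches(host: str, iocs: frozenset[str]) -> bool:
    """Exact or subdomain match after trimming a trailing dot and case."""
    h = host.rstrip(".").lower()
    return h in iocs or any(h.endswith("." + ioc) for ioc in iocs)


def in_window(ts: datetime, now: datetime, window: timedelta | None) -> bool:
    """window=None mirrors a saved policy: no time bound, everything counts."""
    return window is None or timedelta(0) <= now - ts <= window


def sweep(conns, dns_queries, now, window=timedelta(days=7)):
    """Return {detection_name: set(devices)} for the four ideas in the ASQ list."""
    hits = {
        "conn_to_ioc_ip": set(),         # queries 1 and 2
        "conn_to_ioc_host": set(),       # queries 5 and 6
        "dns_answer_is_ioc_ip": set(),   # query 3
        "dns_query_for_ioc_host": set(), # query 4
    }
    for c in conns:
        if not in_window(c.ts, now, window):
            continue
        if c.dst_ip in IOC_IPS:
            hits["conn_to_ioc_ip"].add(c.device)
        if c.dst_host and host_matches(c.dst_host, IOC_HOSTS):
            hits["conn_to_ioc_host"].add(c.device)
    for q in dns_queries:
        if not in_window(q.ts, now, window):
            continue
        if host_matches(q.qname, IOC_HOSTS):
            hits["dns_query_for_ioc_host"].add(q.device)
        if IOC_IPS.intersection(q.answers):
            hits["dns_answer_is_ioc_ip"].add(q.device)
    return hits


NOW = datetime(2022, 9, 15, tzinfo=timezone.utc)

# Constructed sample records, not real telemetry. Non-indicator addresses
# are from documentation ranges (TEST-NET-2/3).
SAMPLE_CONNS = [
    Conn("horizon-01", "193.56.28.251", None, NOW - timedelta(days=1)),
    Conn("horizon-02", "146.4.21.94", None, NOW - timedelta(days=30)),  # outside 7-day window
    Conn("wkstn-07", "203.0.113.10", "updates.example.net", NOW - timedelta(hours=3)),
    Conn("wkstn-09", "198.51.100.7", "cdn.tecnojournals.com.", NOW - timedelta(days=2)),
]
SAMPLE_DNS = [
    DnsQuery("wkstn-09", "tecnojournals.com", ("198.51.100.7",), NOW - timedelta(days=2)),
    DnsQuery("srv-db-01", "some.benign.example", ("84.38.133.145",), NOW - timedelta(days=6)),
    DnsQuery("wkstn-07", "WWW.AJOA.ORG.", ("203.0.113.55",), NOW - timedelta(days=8)),  # stale
]


def demo(window=timedelta(days=7)):
    """Run the sweep over the constructed samples; window=None is policy mode."""
    return sweep(SAMPLE_CONNS, SAMPLE_DNS, NOW, window)


if __name__ == "__main__":
    for name, devices in demo().items():
        print(f"{name:24s} {sorted(devices)}")
    print("policy mode (no window):", {k: sorted(v) for k, v in demo(None).items()})
```

Two design choices are worth noting. Hostnames are normalized (trailing dot, case) and a subdomain of a listed domain counts as a match, so `cdn.tecnojournals.com.` is caught; check how ASQ matches host strings before assuming the saved queries behave the same way. Running `demo(None)` shows why the 7-day time frame must be dropped from a policy: the 30-day-old connection from horizon-02 and the 8-day-old lookup from wkstn-07 only surface once the window is removed.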

Additional Guidance

Customers are encouraged to hunt proactively in their environments for suspicious or malicious network traffic; these attacks, like others, are built to evade current security defenses. Creating policies in Armis as outlined in this article and forwarding the resulting alerts to a SOAR or SIEM for correlation will support incident response. Lastly, baselining device activity over time helps in recognizing deviations that may indicate compromise.

¹, ², ³ Cisco Talos, MagicRAT: Lazarus’ latest gateway into victim networks [website], https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html, (accessed 9 September 2022).
⁴The Register, Lazarus Group unleashed a MagicRAT to spy on energy providers [website], https://www.theregister.com/2022/09/08/lazarus_group_energy_firms_trade_secrets/, (accessed 9 September 2022).
