Effective URL: https://hawk-eye.io/2023/09/lazarus-exploits-a-zoho-manageengine-vulnerability-to-distribute-quiterat-and-collection...
LAZARUS EXPLOITS A ZOHO MANAGEENGINE VULNERABILITY TO DISTRIBUTE QUITERAT AND
COLLECTIONRAT

September 22, 2023
Cybersecurity, Vulnerability Assessment

A recently patched vulnerability, CVE-2022-47966, in Zoho ManageEngine
ServiceDesk Plus (and other ManageEngine products) has been exploited by
Lazarus, a North Korean state-sponsored APT group, to deploy the remote access
trojan QuiteRAT.


BACKGROUND

According to a report recently published by Cisco Talos, the campaign began
earlier this year and targeted internet backbone infrastructure providers and
healthcare organizations in the United States and the United Kingdom. Further
investigation showed that it was designed to deliver QuiteRAT and a newly
identified remote access trojan (RAT) that the Talos team named CollectionRAT.
Talos first learned of the attacks against UK internet service providers in
early 2023, when the North Korean group used an exploit for CVE-2022-47966, a
pre-authentication remote code execution vulnerability affecting a number of
Zoho ManageEngine products.


TECHNICAL ANALYSIS

CVE-2022-47966:

CVE-2022-47966 is an unauthenticated remote code execution vulnerability
affecting Zoho ManageEngine products including ServiceDesk Plus, Password
Manager Pro, and ADSelfService Plus; these products have been repeatedly
targeted in public attacks over the previous 12 months. Whether a given
installation is exploitable depends on the product and on whether its SAML
single sign-on is currently enabled or, for some products, has ever been
enabled. The root cause is the use of an outdated Apache Santuario xmlsec
1.4.1, also known as XML Security for Java: when it validates the signature on
an inbound SAML response it evaluates any XSLT transform embedded in the
signature's reference before the signature itself has been verified, so an
unauthenticated attacker can submit a forged response whose transform runs
code inside the Java process.
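To make that failure mode concrete, the following added example (not code from HawkEye, Cisco Talos or Zoho) inspects a SAML Response and flags any signature transform outside the short allow-list a signed assertion legitimately needs; the XSLT transform algorithm is the one that matters here. Both SAML samples are constructed, and the stylesheet inside the suspicious one is a harmless placeholder rather than an attacker payload. The names `unexpected_transforms`, `has_xslt_transform` and `_response` are this example's own.

```python
"""Flag unexpected XML-Signature transforms in a SAML Response.

Added example for this post; not code from HawkEye, Cisco Talos or Zoho.
The two SAML samples are constructed, and the stylesheet in the suspicious
one is a harmless placeholder, not an attacker payload.
"""
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

DS = "http://www.w3.org/2000/09/xmldsig#"
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"

# The only transforms a signed SAML assertion legitimately needs:
# enveloped-signature plus a canonicalisation step.
ALLOWED_TRANSFORMS = {
    DS + "enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
}


def unexpected_transforms(saml_xml: str) -> list:
    """Return (reference URI, algorithm) for every <ds:Transform> not on the
    allow-list. XSLT is the one that matters for CVE-2022-47966: xmlsec 1.4.1
    runs the stylesheet while computing the reference digest, i.e. before the
    signature has been verified, so the stylesheet never has to come from a
    trusted IdP."""
    root = ET.fromstring(saml_xml)
    findings = []
    for ref in root.iter("{%s}Reference" % DS):
        uri = ref.get("URI", "")
        for tr in ref.iter("{%s}Transform" % DS):
            alg = tr.get("Algorithm", "")
            if alg not in ALLOWED_TRANSFORMS:
                findings.append((uri, alg))
    return findings


def has_xslt_transform(saml_xml: str) -> bool:
    """True when any reference carries an XSLT transform; such a response should be rejected."""
    return any(alg == XSLT_TRANSFORM for _, alg in unexpected_transforms(saml_xml))


def _response(transforms: str) -> str:
    """Wrap a <ds:Transforms> body in a minimal signed SAML Response (constructed sample)."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="{DS}" ID="_r1" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_r1">
        <ds:Transforms>{transforms}</ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0"/>
</samlp:Response>"""


# What a normal IdP-signed response looks like.
BENIGN_RESPONSE = _response(
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
)

# Same structure, but the reference smuggles in an XSLT transform. A real
# attacker stylesheet would carry code for the Java XSLT engine to execute;
# this placeholder only emits a string.
SUSPICIOUS_RESPONSE = _response(
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    f'<ds:Transform Algorithm="{XSLT_TRANSFORM}">'
    '<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">'
    '<xsl:template match="/"><xsl:text>placeholder</xsl:text></xsl:template>'
    '</xsl:stylesheet></ds:Transform>'
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RESPONSE), ("suspicious", SUSPICIOUS_RESPONSE)):
        print(name, unexpected_transforms(doc), "reject" if has_xslt_transform(doc) else "ok")
```

A check like this belongs at the SAML assertion consumer endpoint or in WAF/IDS logic in front of it, and it is a compensating control only: the fix is the vendor patch, which moves to a Santuario release whose secure validation mode rejects XSLT transforms outright. Because the point of the bug is that the transform runs before verification, the check must run on the raw request before it reaches the signature library.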

QUITERAT:

The researchers classified QuiteRAT, first observed in February 2023, as a
successor to MagicRAT, a remote access trojan the same North Korean group used
in the second half of 2022 against energy providers in Japan, Canada, and the
United States. At roughly 4 to 5 MB, QuiteRAT is a much smaller implementation
than the bulkier MagicRAT. Two design decisions account for the difference:
Lazarus compiled only a small subset of the Qt libraries into QuiteRAT rather
than the whole Qt framework, and QuiteRAT has no built-in persistence and
relies on the C2 server to supply one, whereas MagicRAT persists on its own by
creating scheduled tasks. Even a partial Qt build adds code complexity that
slows manual analysis, as it did with MagicRAT, and because Qt is rarely used
in malware it degrades the accuracy of machine-learning and heuristic
detection.

QuiteRAT's capabilities include:

 * self-deletion
 * launching and fetching new payloads
 * spawning new processes
 * creating a reverse shell
 * gathering system information
 * file management
 * arbitrary command execution

The group's habit of reusing infrastructure not only allowed researchers to
attribute these latest attacks to Lazarus but also led them to additional
malware the group uses, notably CollectionRAT.

COLLECTIONRAT:

According to a separate Cisco Talos report, the North Korean group is using a
new malware family dubbed CollectionRAT, which the team found by examining
infrastructure the attackers had reused from earlier attacks. CollectionRAT is
a Windows binary built on the Microsoft Foundation Class (MFC) library that
decrypts and runs its malicious code at start-up. MFC is normally used to build
the user interfaces, controls, and event handling of Windows applications; the
researchers noted that it “allows many components of malware to smoothly
operate with one other while abstracting the core implementations of the
Windows OS from the authors.”

Operational links between the various malware implants. (Source: Talos)

Cisco also lists the group's extensive use of open-source tools and frameworks,
such as DeimosC2 for command and control, PuTTY Link (Plink) for remote
tunneling, and Mimikatz for credential theft, as further signs of change in its
tactics, techniques, and procedures.


INFECTION CHAIN:

QUITERAT:

The actors started from a vulnerable ManageEngine ServiceDesk instance.
Successful exploitation caused the Java runtime process to download and launch
a malicious payload; once the download completed, the Java process executed the
QuiteRAT binary, activating the implant on the compromised server. On start-up
the implant sends basic system data to its command and control (C2) servers and
then waits for a response containing either a command code to act on or a
Windows command to run on the endpoint through a child cmd.exe process.
QuiteRAT has no built-in persistence; persistence is established via the
registry by creating a Windows service, issued to the implant as the following
command:

C:\Windows\system32\cmd[.]exe /c sc create WindowsNotification type= own type= interact start= auto error= ignore binpath= cmd /K start c:\users\public\notify[.]exe

The service name (WindowsNotification), the auto-start binpath that runs
cmd /K, and the executable's location in the world-writable C:\Users\Public
directory are all useful pivots for hunting.

Infection chain (Source: Talos)

COLLECTIONRAT:

CollectionRAT first collects basic system data to fingerprint the infection and
registers it with the C2 server, which then sends instructions to carry out
actions on the compromised machine. The implant can create a reverse shell to
execute arbitrary commands, read and write files on disk, and spawn new
processes, which together let it download and launch additional payloads. When
instructed by the C2, it can also delete itself from the endpoint.


IOCS:

SHA256:
ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6
db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984
773760fd71d52457ba53a314f15dddb1a74e8b2f5a90e5e150dea48a21aa76df
05e9fe8e9e693cb073ba82096c291145c953ca3a3f8b3974f9c66d15c1a3a11d
e3027062e602c5d1812c039739e2f93fc78341a67b77692567a4690935123abe

IP addresses:
146[.]4[.]21[.]94
109[.]248[.]150[.]13
108[.]61[.]186[.]55:443

URLs:
hxxp[://]146[.]4[.]21[.]94/tmp/tmp/comp[.]dat
hxxp[://]146[.]4[.]21[.]94/tmp/tmp/log[.]php
hxxp[://]146[.]4[.]21[.]94/tmp/tmp/logs[.]php
hxxp[://]ec2-15-207-207-64[.]ap-south-1[.]compute[.]amazonaws[.]com/resource/main/rawmail[.]php
hxxp[://]109[.]248[.]150[.]13/EsaFin[.]exe
hxxp[://]146[.]4[.]21[.]94/boards/boardindex[.]php
hxxp[://]146[.]4[.]21[.]94/editor/common/cmod
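The QuiteRAT infection chain above and this IOC list together give a SOC four concrete things to hunt for: the ManageEngine Java runtime spawning a child it should not, the sc create persistence command, the sample hashes, and connections to the C2 hosts. The following added example (not HawkEye or Talos code) refangs the indicators and runs those four rules over constructed telemetry shaped like Sysmon Event ID 1 and 3 records. The event records, the rule names R1 to R4 and the pairing of the first hash with notify.exe are this example's own assumptions; the post does not say which hash belongs to which sample.

```python
"""Hunt for the QuiteRAT infection chain in process and network telemetry.

Added example for this post; not code from HawkEye or Cisco Talos. The event
records are constructed to resemble Sysmon Event ID 1 (process creation) and
Event ID 3 (network connection) data; the indicator values are the defanged
ones from the IOC list above.
"""
import re
from typing import Dict, List, Set

# A subset of the post's IOCs, still defanged (hash, hosts, URLs).
DEFANGED_IOCS = """
ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6
146[.]4[.]21[.]94 109[.]248[.]150[.]13 108[.]61[.]186[.]55:443
hxxp[://]146[.]4[.]21[.]94/tmp/tmp/comp[.]dat
hxxp[://]109[.]248[.]150[.]13/EsaFin[.]exe
"""


def refang(token: str) -> str:
    """Undo the usual defanging so values can be matched against raw telemetry."""
    return (token.replace("[.]", ".").replace("[://]", "://")
                 .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def parse_iocs(text: str) -> Dict[str, Set[str]]:
    """Sort refanged tokens into SHA-256 hashes, URLs and hosts (IP or name)."""
    iocs = {"sha256": set(), "url": set(), "host": set()}
    for tok in text.split():
        t = refang(tok)
        if re.fullmatch(r"[0-9a-f]{64}", t):
            iocs["sha256"].add(t)
        elif t.startswith(("http://", "https://")):
            iocs["url"].add(t)
            iocs["host"].add(re.match(r"https?://([^/:]+)", t).group(1))
        elif re.fullmatch(r"[A-Za-z0-9.-]+(:\d+)?", t):
            iocs["host"].add(t.split(":")[0])  # drop an optional :port
    return iocs


SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\b", re.I)
PUBLIC_DIR = re.compile(r"\\users\\public\\", re.I)
SHELLS = {"cmd.exe", "powershell.exe"}


def hunt(events: List[dict], iocs: Dict[str, Set[str]]) -> List[str]:
    """Apply four rules derived from the infection chain; one finding per hit."""
    findings = []
    for ev in events:
        image, parent, cmd = ev.get("image", ""), ev.get("parent", ""), ev.get("cmdline", "")
        if ev["id"] == 1:
            # R1: ManageEngine's bundled Java runtime spawning a shell, or anything
            # from the world-writable C:\Users\Public (the initial exploitation step).
            if (parent.lower().endswith("java.exe") and "manageengine" in parent.lower()
                    and (image.rsplit("\\", 1)[-1].lower() in SHELLS or PUBLIC_DIR.search(image))):
                findings.append(f"R1 java-runtime child: {parent} -> {image}")
            # R2: the service-based persistence the C2 tells QuiteRAT to create.
            if SC_CREATE.search(cmd) and (PUBLIC_DIR.search(cmd) or "type= interact" in cmd.lower()):
                findings.append(f"R2 sc create persistence: {cmd}")
            # R3: executable hash on the IOC list.
            if ev.get("sha256", "").lower() in iocs["sha256"]:
                findings.append(f"R3 hash match: {image}")
        elif ev["id"] == 3:
            # R4: outbound connection to a C2 host on the IOC list.
            if ev.get("dest", "") in iocs["host"]:
                findings.append(f"R4 C2 connection: {image} -> {ev['dest']}:{ev.get('port')}")
    return findings


# Constructed telemetry. Pairing the first hash from the post with notify.exe
# is an assumption made for the sample; the post does not say which hash is which.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\ManageEngine\ServiceDesk\jre\bin\java.exe",
     "image": r"C:\Users\Public\notify.exe", "cmdline": r"C:\Users\Public\notify.exe",
     "sha256": "ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6"},
    {"id": 1, "parent": r"C:\Users\Public\notify.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c sc create WindowsNotification type= own "
                r"type= interact start= auto error= ignore binpath= cmd /K start "
                r"c:\users\public\notify.exe"},
    {"id": 3, "image": r"C:\Users\Public\notify.exe", "dest": "146.4.21.94", "port": 80},
    {"id": 1, "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"id": 3, "image": r"C:\Windows\System32\svchost.exe", "dest": "10.0.0.5", "port": 443},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS, parse_iocs(DEFANGED_IOCS)):
        print(finding)
```

On the sample the run yields one hit per rule (R1 and R3 on the notify.exe launch, R2 on the sc create command, R4 on the connection to 146.4.21.94) and nothing on the svchost.exe baseline events. R2 and R4 are cheap and high-confidence; R1 needs tuning against a baseline, since ServiceDesk's own Java process does legitimately spawn helpers on some installations, and R3 only catches samples whose hashes are already known, so treat it as confirmation rather than primary detection.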
Tags: CollectionRAT, Lazarus, ManageEngine, QuiteRAT, Vulnerability, Zoho
© 2024 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights
Reserved.
