North Korea's Lazarus APT Uses GUI Framework to Build Stealthy RAT

In recent attacks against healthcare organizations and an Internet infrastructure company, North Korea's famous Lazarus Group deployed a new, ultra-compact, highly evasive remote access Trojan (RAT) called "QuiteRAT."

QuiteRAT is an upgraded version of another RAT the group deployed in 2022, "MagicRAT," itself a follow-up from 2021's "TigerRAT." QuiteRAT can pilfer information about its host machine and user, as well as run commands, and at just four to five megabytes, it hardly makes a noticeable imprint in a target network.

Most interesting of all, however, is that QuiteRAT is built on Qt, a framework for designing graphical user interfaces (GUIs), which it wears like a costume to sneak past malware detection tools.

In February — five days after the disclosure of proofs-of-compromise (PoCs) relating to the 9.8 "Critical"-rated CVE-2022-47966, a remote code execution (RCE) vulnerability for Zoho ManageEngine — Lazarus exploited ManageEngine ServiceDesk to infiltrate healthcare organizations in the US and UK, as well as a UK-based "Internet backbone infrastructure provider," according to a new report from Cisco Talos. It was during these attacks that it first put QuiteRAT to the test.

Lazarus' GUI-Based RATs

In April 2022, Lazarus Group compiled the latest known version of "MagicRAT," a Trojan which stood out not because of what it did, but what it was made of.

MagicRAT was statically linked to Qt, an open source, cross-platform software for creating graphical user interfaces. As Talos wrote at the time, "The RAT uses the Qt classes throughout its entire code. The configuration is dynamically stored in a QSettings class eventually being saved to disk, a typical functionality provided by that class."

To be clear: there was no graphical component to the malware. So why make that choice? "Firstly, they might be using it because it's an incredibly versatile framework. It gives you a huge amount of options by being platform-agnostic," says Asheer Malhotra, threat researcher for Cisco Talos.

"Secondly, because the Qt framework is used in predominantly benign applications, this might also be a way of evading detections," he explains. On a typical host machine, "there are heuristic detection mechanisms that look for specific frameworks and specific malware files. And based on that, they make a call as to whether this file or executable is malicious or not. The introduction of the Qt framework reduces the possibility of heuristic detection."

What Is QuiteRAT?

"Lazarus will churn out implants at the speed of light," Malhotra marvels. "Almost every year they'll come up with two or three new types of implants, and they will keep using them as long as they see some success. And they see very few disclosures for these implants. When these implants are finally disclosed, they will either start authenticating them, or they will move on to newer implants that they have in the development pipeline."

QuiteRAT, first discovered in February, is the successor to MagicRAT. It lacks any built-in persistence mechanism, which MagicRAT achieved with the ability to set up scheduled tasks (QuiteRAT must be granted such power via a C2 server). However, it makes up for that shortcoming by being significantly more compact — just 4 to 5 megabytes, on average, compared to MagicRAT's 18 megabytes.

"18 megabytes is quite a lot for an application — especially a malware that is trying to be as stealthy as possible. That leaves a huge footprint on a computer," Malhotra explains. It was so large because MagicRAT embedded the entire Qt framework.

In QuiteRAT, only a handful of relevant, required libraries survived. "And that's very helpful, because you want to keep your footprint as small as possible," he says.

Besides slimming down, QuiteRAT resembles its predecessor in just about every other way. Both perform limited reconnaissance on entering a machine before planting a remote shell and granting its proprietors the ability to edit, move, and delete files, or run arbitrary commands. The two also use similar tactics for obfuscating code and entering into sleep states.

Whether Lazarus' sneakiest, tiniest RAT will pop up in more campaigns to come remains to be seen. The larger concern, perhaps, is that its cleverest ideas will provide inspiration for more threat actors down the line.

"Historically, we've seen that what happens in the APT space usually makes its way into the private space. Less sophisticated threat actors will pick up on tools, techniques, and tactics. So there is a possibility that the Qt framework is picked up by other malware authors and other APT groups," Malhotra warns, adding there's been no evidence of that happening just yet.