MagicRAT: Lazarus’ latest gateway into victim networks

2022-09-07 • Cisco Talos •

http://blog.talosintelligence.com/2022/09/lazarus-magicrat.html

#MagicRAT #T1053 #T1547

Thumbnail for MagicRAT: Lazarus’ latest gateway into victim networks

This attribution is based on tactics, techniques and procedures (TTPs), malware implants and infrastructure overlap with known Lazarus campaigns. Cisco Talos has discovered a new remote access trojan (RAT), which we are calling "MagicRAT," that we are attributing with moderate to high confidence to the Lazarus threat actor, a state-sponsored APT attributed to North Korea by the U.S. We have observed overlaps in C2 servers serving MagicRAT and previously disclosed Lazarus campaigns utilizing the Dtrack RAT family. TigerRAT is a malware family attributed to the Lazarus APT groups by the Korean Internet & Security Agency (KISA).

Indicators of Compromise

Type	Value	First Seen	Last Seen
HASH	f32f6b229913d68daad937cc72a57aa…	2021-12-22	2024-12-13
HASH	bffe910904efd1f69544daa9b72f2a7…	2022-09-07	2023-02-09
HASH	f78cabf7a0e7ed3ef2d1c976c148628…	2022-09-07	2023-02-09
HASH	1c926fb3bd99f4a586ed476e4683163…	2022-09-07	2023-02-09
HASH	23eff00dde0ee27dabad28c1f4ffb8b…	2022-09-07	2023-02-09
HASH	ca932ccaa30955f2fffb1122234fb15…	2022-09-07	2023-02-09
HASH	196fb1b6eff4e7a049cea323459cfd6…	2022-09-07	2023-02-09
HASH	f6827dc5af661fbb4bf64bc625c7828…	2022-09-07	2023-02-09
HASH	1f8dcfaebbcd7e71c2872e0ba2fc6db…	2021-12-22	2023-02-09
HASH	d20959b615af699d8fff3f0087faade…	2022-09-07	2022-09-07
DOMAIN	visual.1991-06.com	2022-09-07	2022-09-07
DOMAIN	gendoraduragonkgp126.com	2022-09-07	2022-09-07
IPv4	66.154.102.91	2022-09-07	2022-09-07
IPv4	193.56.28.251	2022-09-07	2022-09-07
IPv4	64.188.27.73	2022-09-07	2022-09-07
IPv4	151.106.2.139	2022-09-07	2022-09-07
IPv4	52.202.193.124	2021-12-22	2022-09-07

Related Reports

2022-09-08 • 70% Match

Lazarus and the tale of three RATs

Cisco Talos

#VSingle #MagicRAT #YamaBot #T1082 #T1090 #T1140 #T1560 #T1083 #T1053 #T1003 #T1219 #T1543 #T1190 #T1590 #T1087 #T1547 #T1562 #T1608 #T1070 #T1033 #T1518 #T1021 #T1136

Shares tags: MagicRAT, T1053, T1547 • Same author: Cisco Talos • Published within a week

2022-04-15 • 31% Match

ICS/OT CYBERSECURITY YEAR IN REVIEW 2021

Dragos

#Trend #WASSONITE #T1082 #T1140 #T1041 #T1113 #T1555 #T1560 #T1083 #T1036 #T1071 #T1053 #T1566 #T1059 #T1480 #T1055 #T1078 #T1127 #T1189 #T1049 #T1574 #T1589 #T1016 #T1591 #T1547 #T1614 #T1217 #T1573 #T1074 #T1056 #T1033 #T1132 #T1021 #T1564 #T1584 #T1505 #T0807 #T0840 #T0884 #T0888 #T1602 #T0822 #T0858 #T0859 #T0806 #T0817 #T0819

Shares tags: T1053, T1547

2026-06-17 • 26% Match

140+ Mastra npm Packages Compromised in Coordinated Supply Chain Attack

Socket

#SupplyChain #NPM #T1005 #T1053 #T1059 #T1195 #T1105 #T1547 #Mastra

Shares tags: T1053, T1547

2026-05-28 • 26% Match

Inside MicrosoftSystem64: A Supply Chain RAT Exfiltrating to HuggingFace

Safe Dep

#NPM #FamousChollima #T1102.002 #T1119 #T1059.003 #T1567.002 #T1005 #T1113 #T1195.002 #T1056.001 #T1567 #T1543.001 #T1552 #T1547.001 #T1053.005 #T1059.001 #T1053 #T1102 #T1059 #T1195 #T1543 #T1552.004 #T1543.004 #T1547 #T1056 #HuggingFace

Shares tags: T1053, T1547

2024-11-06 • 26% Match

揭秘APT37：朝鲜黑客组织的攻击手法及工具

David_Jou

#APT37 #CVE-2024-38178 #VeilShell #T1082 #T1140 #T1041 #T1555 #T1560 #T1112 #T1027 #T1071 #T1204 #T1057 #T1053 #T1566 #T1059 #T1003 #T1055 #T1574 #T1547 #T1070 #T1033 #T1132 #T1030 #T1069

Shares tags: T1053, T1547

2024-08-26 • 26% Match

Moonstone Sleet

MITRE

#MoonstoneSleet #G1036 #T1082 #T1140 #T1027 #T1071 #T1204 #T1053 #T1566 #T1195 #T1003 #T1105 #T1486 #T1589 #T1016 #T1587 #T1591 #T1585 #T1598 #T1583 #T1547 #T1217 #T1608 #T1569 #T1033

Shares tags: T1053, T1547

« Back