Cisco Talos has discovered a new remote access trojan (RAT), which we are calling “MagicRAT,” that we attribute with moderate to high confidence to the Lazarus threat actor, a state-sponsored APT that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) attributes to North Korea. The new RAT was found on victims that had initially been compromised through the exploitation of publicly exposed VMware Horizon platforms. While MagicRAT is a relatively simple RAT in terms of capability, it was built on the Qt Framework with the sole intent of making human analysis harder and automated detection through machine learning and heuristics less likely, since the statically linked framework code inflates the binary and obscures the small amount of actual malware logic.
Cisco Talos researchers have also found evidence suggesting that once MagicRAT is deployed on an infected system, it launches additional payloads such as custom-built port scanners. They also found that MagicRAT’s C2 infrastructure was used to host newer variants of known Lazarus implants such as TigerRAT, which links this campaign to the group’s existing tooling.
Source: Cisco Talos