Full Report
Three Lazarus RATs coming for your cheese
Authors: Yun Zheng Hu and Mick Koomen
Introduction
In the past few years, Fox-IT and NCC Group have conducted multiple incident response cases involving a Lazarus subgroup that specifically targets organizations in the financial and cryptocurrency sector. This Lazarus subgroup overlaps with activity linked to AppleJeus, Citrine Sleet, UNC4736, and Gleaming Pisces. This actor uses …
Analysis Summary
# Threat Actor: Lazarus Subgroup (AppleJeus / Citrine Sleet)
## Attribution & Identity
This threat actor is a specific subgroup of the North Korean **Lazarus Group**. It is tracked by various security vendors under different aliases and overlaps significantly with known clusters:
* **Aliases:** AppleJeus, Citrine Sleet (Microsoft), UNC4736 (Mandiant), and Gleaming Pisces (Unit 42).
* **Associations:** Linked definitively to the DPRK (North Korean) state-sponsored apparatus, specifically targeting the financial and cryptocurrency sectors for revenue generation.
## Activity Summary
In 2024, Fox-IT and NCC Group investigated incident response cases involving this group targeting **Decentralized Finance (DeFi)** organizations. The actor demonstrated high persistence, maintaining access for several months using a tiered malware approach. A typical 2024 campaign involved social engineering via Telegram, followed by the deployment of **PondRAT** and **ThemeForestRAT**, eventually pivoting to a more sophisticated backdoor named **RemotePE** to maintain long-term stealth.
## Tactics, Techniques & Procedures
* **Phishing/Social Engineering:** Impersonating employees of investment or trading firms on Telegram to build trust.
* **Fake Meeting Sites:** Use of fraudulent Calendly and Picktime clones to lure victims into interacting with malicious content.
* **Advanced Exploitation:** Suspected use of a **Chrome zero-day vulnerability** for initial code execution.
* **Persistence & Cleaning:** The actor was observed manually cleaning up initial RAT artifacts (PondRAT) before installing advanced persistence (RemotePE) to avoid detection.
* **Memory-Only Execution:** Running specific payloads like ThemeForestRAT in-memory to minimize the forensic footprint on disk.
* **Traffic Mimicry:** (T1001.003) Use of protocol impersonation to hide C2 traffic.
## Targeting
* **Sectors:** Financial Services, Cryptocurrency, Decentralized Finance (DeFi), Investment Institutions.
* **Geography:** Global (though campaigns are often targeted based on industry rather than specific regional borders).
* **Victims:** Employees of cryptocurrency trading platforms and DeFi organizations.
## Tools & Infrastructure
* **Malware Families:**
  * **PondRAT:** A cross-platform RAT (lightweight version of POOLRAT/SimpleTea).
  * **ThemeForestRAT:** A long-standing RAT used for at least six years but only recently detailed publicly.
  * **RemotePE:** A more advanced, sophisticated RAT used for the "next stage" of attacks.
  * **PerfhLoader:** A loader used to facilitate the execution of the RATs.
* **Infrastructure:**
  * Fake meeting domains (e.g., fraudulent Picktime/Calendly variants).
  * Telegram for initial contact.
  * Compromised third-party infrastructure for C2.
  * *Note: Specific IPs/Domains in the article are referenced as mimicking legitimate booking services.*
## Implications
This actor represents a persistent and evolving threat to the global financial system. The transition from known, lightweight RATs (PondRAT) to bespoke, advanced tools (RemotePE), combined with the suspected usage of zero-day vulnerabilities, indicates a high level of operational maturity and resource backing. Their focus on DeFi suggests a strategic objective to circumvent international sanctions through the theft of cryptocurrency.
## Mitigations
* **Social Engineering Awareness:** Educate employees in financial sectors regarding "recruitment" or "investment" outreach via Telegram and unofficial messaging apps.
* **Browser Security:** Ensure rapid patching cycles for Google Chrome and Chromium-based browsers to mitigate private exploits/zero-days.
* **Network Monitoring:** Monitor for unusual outbound traffic to unknown scheduling/meeting platforms and look for heartbeats associated with WinInet-based C2 communication.
* **Memory Analysis:** Implement EDR solutions capable of detecting in-memory execution and DLL side-loading, as the actor frequently utilizes these to bypass traditional disk-based AV.
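One way to operationalize the "unknown scheduling/meeting platforms" monitoring point above, given the fake Calendly/Picktime clones described under Tactics, is a proxy-log check that flags hosts carrying a booking brand name (or a near-typo of it) outside the legitimate registered domains. This is an added example, not code from the Fox-IT/NCC Group report; the log format, the allowlist, and the look-alike domains (reserved `.example` TLD) are constructed.

```python
"""Flag outbound requests to look-alike scheduling domains in proxy logs."""
from urllib.parse import urlsplit

# Legitimate registered domains for the booking services named in the report.
LEGIT_BOOKING_DOMAINS = {"calendly.com", "picktime.com"}
# Brand keywords whose presence outside the allowlisted domains is suspicious.
BRAND_KEYWORDS = ("calendly", "picktime")

# Constructed sample proxy lines: "<timestamp> <client_ip> <method> <url>".
SAMPLE_LOG = """\
2024-05-02T09:14:07Z 10.0.5.21 GET https://calendly.com/u/team/30min
2024-05-02T09:15:40Z 10.0.5.21 GET https://calendly-meet.example/invite/7f3a
2024-05-02T09:16:02Z 10.0.5.33 GET https://api.picktime.com/v1/slots
2024-05-02T09:17:55Z 10.0.5.33 GET https://picktime-schedule.example/book/call
2024-05-02T09:18:10Z 10.0.5.40 GET https://calendy.example/book/now
2024-05-02T09:18:30Z 10.0.5.40 GET https://example.org/news
"""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); enough for the .com/.example samples."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def is_lookalike(host: str) -> bool:
    """True if host impersonates a booking service but is not the real domain."""
    reg = registered_domain(host)
    if reg in LEGIT_BOOKING_DOMAINS:
        return False
    if any(kw in host.lower() for kw in BRAND_KEYWORDS):
        return True  # brand name embedded in an unrelated registered domain
    sld = reg.split(".")[0]  # compare second-level labels, e.g. "calendy" vs "calendly"
    return any(edit_distance(sld, d.split(".")[0]) <= 2 for d in LEGIT_BOOKING_DOMAINS)

def find_lookalikes(log_text: str) -> list:
    """Return (client_ip, host) for each request to a look-alike domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines
        host = urlsplit(parts[3]).hostname or ""
        if is_lookalike(host):
            hits.append((parts[1], host))
    return hits
```

Run `find_lookalikes(SAMPLE_LOG)` to get the three flagged hosts; in production, replace the naive eTLD+1 with a public-suffix-aware parser and extend the allowlist to the scheduling services your organization actually uses.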