Full Report: Three Lazarus RATs coming for your cheese
Authors: Yun Zheng Hu and Mick Koomen

Introduction

In the past few years, Fox-IT and NCC Group have conducted multiple incident response cases involving a Lazarus subgroup that specifically targets organizations in the financial and cryptocurrency sector. This Lazarus subgroup overlaps with activity linked to AppleJeus, Citrine Sleet, UNC4736, and Gleaming Pisces. This actor uses …
Analysis Summary
# Threat Actor: Lazarus Subgroup (Financial/Crypto Focus)
## Attribution & Identity
* **Primary Attribution:** Lazarus subgroup.
* **Associated Groups/Activity:** Overlaps with activity linked to **AppleJeus**, **Citrine Sleet**, **UNC4736**, and **Gleaming Pisces**.
## Activity Summary
This Lazarus subgroup specifically targets organizations within the financial and cryptocurrency sectors. An incident response case from 2024 detailed a four-phase attack chain utilizing multiple Remote Access Trojans (RATs). The actor demonstrated determination and advanced capabilities, including the potential use of a zero-day to achieve initial execution.
The attack typically proceeds from initial compromise via social engineering (a phase that lasted about 3 months in one case), followed by deployment of less stealthy RATs (PondRAT, ThemeForestRAT), and finally escalation to a more advanced RAT (RemotePE) once the initial malware artifacts have been cleaned up.
## Tactics, Techniques & Procedures
* **Initial Access:** Social engineering, heavily involving impersonation on Telegram and the use of fake meeting websites (e.g., fake Calendly and Picktime sites). Suspected use of a **Chrome zero-day vulnerability** for code execution in one observed case.
* **Execution/Persistence:** Deployment of various RATs sequentially (PondRAT, ThemeForestRAT, then RemotePE). ThemeForestRAT appeared to run **only in memory**.
* **Defense Evasion:** Artifacts of prior malware (PerfhLoader, PondRAT, ThemeForestRAT) were cleaned up before deploying the advanced RemotePE, suggesting deliberate staging/escalation.
* **Discovery & Lateral Movement:** Actor performed internal network discovery and credential harvesting using various tools and proxied connections.
* **MITRE ATT&CK IDs:** Not explicitly listed for the observed TTPs. The citations reference T1001.003 (Obfuscated Files or Information: Domain Generation Algorithms), which may relate to broader Lazarus activity but is not directly tied to the RATs or campaign analyzed here.
## Targeting
* **Sectors:** Financial sector, **Cryptocurrency sector**, Decentralized Finance (DeFi).
* **Geography:** Not explicitly specified, but operations were conducted against an organization in DeFi.
* **Victims:** An organization in **decentralized finance (DeFi)** was specifically mentioned in the 2024 incident response case.
## Tools & Infrastructure
* **Malware Families Used:**
  * **PondRAT:** Used early in the compromise phase. Documented similarities with POOLRAT (SimpleTea).
  * **ThemeForestRAT:** Used in conjunction with PondRAT; reportedly ran only in memory. Has been in use for at least six years.
  * **RemotePE:** A more advanced RAT used as a final stage after the older malware was removed. New, not linked to a public family at the time of writing.
  * **PerfhLoader:** A loader whose artifacts were observed being cleaned up before the final stage.
* **Infrastructure:** Social engineering utilized **fake Calendly and Picktime websites** for interaction.
## Implications
This actor exhibits high determination and advanced capabilities, evidenced by their focus on lucrative crypto/financial targets, multi-stage malware deployment (including in-memory execution), and the potential deployment of a zero-day exploit. The evolution from PondRAT/ThemeForestRAT to the more advanced RemotePE signals a calculated, escalating approach once initial access is secured.
## Mitigations
* Heightened vigilance regarding unsolicited communications, especially via Telegram, that mimic known colleagues or investment institutions.
* Use of secure channels for setting up sensitive meetings, avoiding reliance on third-party scheduling services presented via suspicious links.
* Monitoring for sequential malware deployment, including removal of initial foothold malware followed by the installation of more advanced, unknown RATs (like RemotePE).
* Investigate signs of potential zero-day exploitation in web browsers (e.g., Chrome).