Lazarus Hackers Deploying Three RATs on Compromised Systems Possibly Using 0-Day Vulnerability

Cybersecurity: Advanced Threat Activity by Lazarus Group
Recent analysis has identified a subgroup of the Lazarus threat actor deploying three distinct remote access trojans (RATs) targeting financial and cryptocurrency organizations.
Initial Access and Exploitation
Entry is primarily achieved through social engineering on platforms like Telegram, where attackers impersonate employees of legitimate trading firms. Victims are directed to counterfeit scheduling websites, such as fake Calendly portals, where a Chrome zero-day exploit is suspected to enable silent code execution on targeted systems.
Deployment and Operations
Once network access is secured, attackers deploy PondRAT as an initial loader. This is followed by ThemeForestRAT, which operates in-memory for stealth. After extended reconnaissance and lateral movement, RemotePE RAT is installed for long-term network persistence.
These RATs facilitate various malicious activities, including file manipulation, shellcode injection, RDP session monitoring, and secure data exfiltration. Organizations in decentralized finance (DeFi) have reported substantial disruptions due to these intrusions, which allow continuous data harvesting and supply-chain attacks.
Technical Methodology
The attackers employ advanced methods such as Windows phantom DLL hijacking and DPAPI encryption to maintain operational security. PerfhLoader is used to exploit the SessionEnv service via phantom DLL loading, enabling persistent execution of PondRAT or its predecessor POOLRAT.
This loader decrypts an encrypted payload file (e.g., perfh011.dat) using a rolling XOR cipher for in-memory execution. Such tactics are designed to evade detection by signature-based systems and forensic analysis.
Infection Mechanism: Rolling XOR Decryption and In-Memory Execution
PerfhLoader is a custom tool residing in %SystemRoot%\System32\ that uses a rolling XOR algorithm to decrypt and load DLL files directly into process memory. This approach avoids writing executable files to disk, enhancing stealth during reconnaissance and data exfiltration operations.
The following Python pseudocode reproduces the XOR cipher used:

    def crypt_buf(data: bytes) -> bytes:
        # 16-byte rolling key, initialised to 0x00..0x0F
        xor_key = bytearray(range(0x10))
        buf = bytearray(data)
        for idx in range(len(buf)):
            # combine three key slots at fixed offsets from the current position
            a = xor_key[(idx + 5) & 0xF]
            b = xor_key[(idx - 3) & 0xF]
            c = xor_key[(idx - 7) & 0xF]
            xor_byte = a ^ b ^ c
            buf[idx] ^= xor_byte
            # feed the keystream byte back into the key so it keeps mutating
            xor_key[idx & 0xF] = xor_byte
        return bytes(buf)
This cipher continually mutates its key, complicating detection by signature-based methods. After decryption, PerfhLoader uses an open-source manual DLL loader to inject PondRAT into memory, supporting covert operations.
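A defender can turn the cipher above into a triage check. Because the key feedback uses only the keystream byte and never a plaintext byte, the keystream is fixed by the initial key, which means the routine is its own inverse and an encrypted PE file always begins with the same two bytes. The script below is an added example written for this article, not code from the reporting or from the malware; it derives the keystream, checks whether a candidate file is a PE once decrypted, and emits the constant prefix as a static signature. It assumes the payload file holds the PE image from offset 0 with no extra header (the article does not describe the file layout), and the sample PE stub it builds is constructed, not a real executable.

```python
import struct


def rolling_xor_keystream(length: int) -> bytes:
    """Derive the first `length` keystream bytes of the rolling XOR scheme.

    The 16-byte key starts as 0x00..0x0F and every output byte is fed back
    into the key. No plaintext byte influences the key, so the keystream is
    fixed and crypt_buf() is an involution (encrypt == decrypt).
    """
    key = bytearray(range(0x10))
    stream = bytearray()
    for idx in range(length):
        xor_byte = key[(idx + 5) & 0xF] ^ key[(idx - 3) & 0xF] ^ key[(idx - 7) & 0xF]
        stream.append(xor_byte)
        key[idx & 0xF] = xor_byte
    return bytes(stream)


def crypt_buf(data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) a buffer with the rolling XOR keystream."""
    return bytes(b ^ k for b, k in zip(data, rolling_xor_keystream(len(data))))


def looks_like_pe(blob: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' DOS header and 'PE\\0\\0' at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def encrypted_pe_prefix() -> bytes:
    """Static signature for hunting: 'MZ' XORed with the first two keystream bytes.

    Assumes the payload file stores the PE image from offset 0 (an assumption,
    the article does not document the on-disk layout).
    """
    return crypt_buf(b"MZ")


def triage_payload(blob: bytes) -> dict:
    """Classify a candidate .dat file as plaintext PE, rolling-XOR-wrapped PE, or neither."""
    return {
        "plaintext_pe": looks_like_pe(blob),
        "rolling_xor_pe": blob[:2] == encrypted_pe_prefix() and looks_like_pe(crypt_buf(blob)),
    }


def build_fake_pe(size: int = 0x200) -> bytes:
    """Constructed sample: a stub with a valid DOS/PE header layout, not a real executable."""
    header = bytearray(size)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> 0x40
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header)


if __name__ == "__main__":
    sample = build_fake_pe()
    encrypted = crypt_buf(sample)
    print("encrypted PE prefix:", encrypted_pe_prefix())
    print("raw sample:", triage_payload(sample))
    print("encrypted sample:", triage_payload(encrypted))
    print("round trip ok:", crypt_buf(encrypted) == sample)
```

Run it against a suspect file with `triage_payload(open(path, "rb").read())`. The fixed prefix is the practical takeaway: a mutating key defeats a signature on the plaintext, but a keystream that never depends on the data is itself a signature, so the first bytes of any payload wrapped this way are constant and can be matched on disk without decrypting the whole file.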
Security professionals should remain vigilant against these sophisticated threats, noting the potential use of a Chrome zero-day exploit for initial access.
Conclusion
The activities of this Lazarus subgroup underscore their advanced capabilities and the necessity for enhanced cybersecurity measures. Organizations are advised to monitor for these RATs and implement robust security protocols to mitigate the risk of compromise.