In recent months, a sophisticated subgroup of the Lazarus threat actor has emerged, targeting financial and cryptocurrency organizations with a trio of remote access trojans (RATs). This campaign underscores the group’s advanced capabilities and their adeptness at leveraging both custom and publicly available tools.
Initial Access via Social Engineering
The attackers initiate their intrusion through meticulously crafted social engineering campaigns on Telegram. By impersonating employees from reputable trading firms, they engage victims in conversations that lead them to counterfeit meeting platforms, such as fake Calendly and Picktime websites. These deceptive sites are suspected of exploiting a Chrome zero-day vulnerability, enabling the silent execution of malicious code on the victim’s system.
Deployment of Multiple RATs
Once inside the network, the attackers deploy a sequence of RATs to establish and maintain control:
1. PondRAT: Serves as the initial loader, facilitating the entry of subsequent payloads.
2. ThemeForestRAT: Operates entirely in memory, enhancing stealth and reducing the likelihood of detection.
3. RemotePE: Deployed after extensive reconnaissance and lateral movement, this advanced RAT ensures long-term access and control over the compromised system.
The deployment of these RATs enables the attackers to perform a range of malicious activities, including file manipulation, shellcode injection, monitoring of Remote Desktop Protocol (RDP) sessions, and secure exfiltration of sensitive data.
Advanced Infection Mechanisms
A critical component of this campaign is the use of PerfhLoader, a lightweight custom loader that resides in the `%SystemRoot%\System32\` directory. PerfhLoader exploits the SessionEnv service through phantom DLL loading to persistently execute PondRAT or its predecessor, POOLRAT. The loader decrypts an encrypted payload file (e.g., `perfh011.dat`) using a rolling XOR cipher before executing it in memory.
The rolling XOR decryption mechanism is designed to evade signature-based detection and forensic analysis. The Python code below illustrates this cipher, which mutates its 16-byte key with each processed byte:
```python
def crypt_buf(data: bytes) -> bytes:
    # Initial key state: the bytes 0x00..0x0F.
    xor_key = bytearray(range(0x10))
    buf = bytearray(data)
    for idx in range(len(buf)):
        # Combine three key bytes selected relative to the current index.
        a = xor_key[(idx + 5) & 0xF]
        b = xor_key[(idx - 3) & 0xF]
        c = xor_key[(idx - 7) & 0xF]
        xor_byte = a ^ b ^ c
        # Apply the byte to the data, then feed it back into the key.
        buf[idx] ^= xor_byte
        xor_key[idx & 0xF] = xor_byte
    return bytes(buf)
```
By employing this ever-evolving XOR key, the loader effectively thwarts signature-based detection and forensic carving of its payload. After decryption, PerfhLoader utilizes an open-source manual DLL loader to inject PondRAT into memory without writing executable files to disk, thereby enhancing stealth and reducing the likelihood of detection.
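The following triage helper is an added example, not code from the original report or from the malware. It reproduces the key schedule above and uses two properties a defender can rely on: the key is updated only from its own previous state, never from the data, so the "rolling" key is a fixed, precomputable keystream, and XOR makes the routine its own inverse. The `.dat` sample is constructed inline, not a real payload.

```python
import struct

def keystream(length: int) -> bytes:
    """Reproduce PerfhLoader's key schedule. Because the update never
    reads the data, the output is a fixed, data-independent keystream."""
    xor_key = bytearray(range(0x10))
    out = bytearray()
    for idx in range(length):
        a = xor_key[(idx + 5) & 0xF]
        b = xor_key[(idx - 3) & 0xF]
        c = xor_key[(idx - 7) & 0xF]
        xor_byte = a ^ b ^ c
        out.append(xor_byte)
        xor_key[idx & 0xF] = xor_byte
    return bytes(out)

def crypt_buf(data: bytes) -> bytes:
    """XOR data with the keystream; symmetric, so it both encrypts and
    decrypts: crypt_buf(crypt_buf(x)) == x."""
    return bytes(x ^ k for x, k in zip(data, keystream(len(data))))

def encrypted_prefix(plain_prefix: bytes) -> bytes:
    """Bytes an encrypted file starts with when its plaintext starts with
    plain_prefix (e.g. b'MZ' for a PE); usable as a carving signature."""
    return crypt_buf(plain_prefix)

def looks_like_encrypted_pe(blob: bytes) -> bool:
    """Triage a candidate payload (e.g. a suspicious .dat in System32):
    decrypt the header and verify both the MZ stub and the PE signature."""
    if len(blob) < 0x40:
        return False
    head = crypt_buf(blob[:0x40])
    if head[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    if e_lfanew + 4 > len(blob):
        return False
    return crypt_buf(blob[:e_lfanew + 4])[e_lfanew:] == b"PE\0\0"

def build_sample() -> bytes:
    """Constructed stand-in for an encrypted payload file (not a real
    sample): a minimal MZ/PE header skeleton run through crypt_buf."""
    e_lfanew = 0x80
    pe = bytearray(0x100)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, e_lfanew)
    pe[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return crypt_buf(bytes(pe))
```

Because the keystream is fixed, `encrypted_prefix(b"MZ")` gives the two bytes every encrypted PE payload of this scheme begins with, which is a usable file-signature for hunting on disk.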
Operational Security and Impact
The Lazarus subgroup’s refined operational security is evident in their ability to blend custom loaders with techniques such as Windows phantom DLL hijacking and Data Protection API (DPAPI) encryption. This sophisticated approach has caught many defenders off guard, despite widespread awareness of Lazarus activities.
The impact of this campaign extends beyond simple credential theft. Organizations in the decentralized finance (DeFi) sector have reported significant disruptions, with hidden backdoors allowing continuous data harvesting and opportunistic lateral movement for subsequent supply-chain intrusions.
Recommendations for Mitigation
To defend against such sophisticated threats, organizations should consider implementing the following measures:
1. User Education and Awareness: Train employees to recognize and report social engineering attempts, particularly those involving unsolicited communications on platforms like Telegram.
2. Regular Software Updates: Ensure that all software, especially web browsers like Chrome, is updated promptly to mitigate the risk of zero-day exploits.
3. Network Segmentation: Implement network segmentation to limit lateral movement within the organization, thereby containing potential breaches.
4. Advanced Threat Detection: Deploy advanced threat detection solutions capable of identifying in-memory execution and other stealthy attack techniques.
5. Incident Response Planning: Develop and regularly update incident response plans to ensure swift action in the event of a security breach.
By adopting these proactive measures, organizations can enhance their resilience against the evolving tactics of sophisticated threat actors like the Lazarus Group.