Lazarus Subgroup Unleashes Triple RAT Arsenal

Fox-IT and NCC Group investigated multiple incidents in which a Lazarus Group subgroup targeted cryptocurrency and financial organizations. The actors deployed three RATs (PondRAT, ThemeForestRAT, and RemotePE) progressively during intrusions. The attacks leveraged social engineering via Telegram, potentially exploited a Chrome zero-day, and used stealthy persistence mechanisms. RemotePE marked the advanced final stage, indicating higher-value targeting.

Severity Level: High

Threat Details

Social Engineering:

  • Impersonation of trading company employees on Telegram.
  • Use of fake Calendly, Picktime, Oncehub scheduling domains to lure victims.

Exploitation:

  • Evidence suggests a Chrome zero-day was used in at least one 2024 case.
  • Endpoint logs indicated tampering consistent with rootkit deployment (FudModule).

Persistence & Privilege Escalation:

  • PerfhLoader: A phantom DLL loader leveraging vulnerable Windows services (SessionEnv, IKEEXT).
    • Loads malicious DLLs (e.g., PondRAT/POOLRAT) into memory.
    • Modifies registry to gain SeDebugPrivilege and SeLoadDriverPrivilege.
  • Past exploitation of CVE-2017-16237 (VIAGLT64.SYS kernel driver) for SYSTEM-level access.
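A host-side check for the phantom DLL loading described above, added here as an example and not part of the Fox-IT/NCC Group report: it enumerates the modules loaded into the svchost instances hosting SessionEnv and IKEEXT and flags anything loaded from outside System32 or lacking a valid Authenticode signature. Only the two service names come from the advisory; the output shape and thresholds are this example's own choices.

```powershell
# Hunt for phantom-DLL hijack footprints in the service hosts of the two
# services named in the advisory (SessionEnv, IKEEXT). Run from an elevated
# PowerShell session; module enumeration for SYSTEM processes fails otherwise.
$ServicesToCheck = @('SessionEnv', 'IKEEXT')   # from the advisory
$System32 = Join-Path $env:SystemRoot 'System32'

foreach ($svcName in $ServicesToCheck) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$svcName'"
    if (-not $svc -or $svc.ProcessId -eq 0) {
        Write-Output "[$svcName] not running (state: $($svc.State)); nothing to inspect"
        continue
    }
    $proc = Get-Process -Id $svc.ProcessId -ErrorAction Stop
    Write-Output "[$svcName] hosted by PID $($proc.Id) ($($proc.Path))"

    foreach ($mod in $proc.Modules) {
        $path = $mod.FileName
        # A DLL the service resolved via the search path instead of from
        # System32 is the footprint a phantom loader leaves behind.
        $outsideSystem32 = -not $path.StartsWith($System32, [System.StringComparison]::OrdinalIgnoreCase)
        # Catalog-signed OS binaries report 'Valid'; anything else needs triage.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $badSig = $sig.Status -ne 'Valid'
        if ($outsideSystem32 -or $badSig) {
            [pscustomobject]@{
                Service   = $svcName
                Module    = $path
                Outside   = $outsideSystem32
                SigStatus = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
            }
        }
    }
}
```

Treat hits as triage leads rather than verdicts: some legitimate components load from WinSxS, so compare suspicious paths and signers against a known-good baseline host.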

RAT Deployment Stages

1. PondRAT (Initial Loader)

  • Cross-platform (Windows, macOS, Linux).
  • Functions: file read/write, process execution, shell commands, shellcode injection.
  • Likely successor of POOLRAT/SimpleTea, sharing coding similarities.
  • Used both as loader and active RAT in early-stage operations.

2. ThemeForestRAT (Second-Stage)

  • Memory-resident RAT (stealthier, rarely seen on disk).
  • Written in C++ with 20+ commands: file operations, process control, config updates, shellcode injection.
  • Actively monitors RDP sessions and console activity for lateral movement.
  • Shares heritage with RomeoGolf malware (seen in 2016 Operation Blockbuster).

3. RemotePE (Final-Stage RAT)

  • Deployed after cleanup of earlier RATs.
  • Delivered via DPAPILoader, encrypted with Windows DPAPI for environmental keying.
  • More advanced, elegant, and likely reserved for high-value targets.
  • Uses file renaming obfuscation, similar to PondRAT/POOLRAT, but refined.

Tooling & Tactics

  • Custom tools: keylogger, screenshotter, Chromium cookie/credential dumper, MidProxy.
  • Public tools: Mimikatz, ProxyMini, Fast Reverse Proxy (same version seen in 3CX supply chain attack).
  • Observed use of Themida-packed Quasar RAT – unusual for Lazarus.

Recommendations

  1. Ensure Chrome and Chromium-based browsers are up to date, as Lazarus has exploited Chrome zero-days in past intrusions.
  2. Patch vulnerable kernel drivers (e.g., CVE-2017-16237 previously abused by Lazarus for SYSTEM access).
  3. Regularly validate driver signing policies to prevent loading of outdated or untrusted drivers.
  4. Train staff, especially in financial and cryptocurrency sectors, to recognize Telegram impersonation attempts and fake scheduling platforms (Calendly, Picktime, Oncehub).
  5. Restrict employee use of unmonitored messaging apps (Telegram, Discord) for business purposes.
  6. Block the IOCs at their respective controls; the indicators are published in this VirusTotal collection:
    https://www.virustotal.com/gui/collection/68d6aadc3ccd498ad691b476cdcc2e0b3c89de5b8d8b29077a294be8af131b88/iocs

Source:

  • https://blog.fox-it.com/2025/09/01/three-lazarus-rats-coming-for-your-cheese/

Ampcus Cyber