
The campaign, which has been active since 2021, demonstrates the North Korean-linked group’s evolving tactics and advanced persistent threat capabilities.
Social Engineering Leads to Multi-Stage Infection
The attack chain begins with elaborate social engineering campaigns where threat actors impersonate employees from legitimate trading companies on Telegram.

Using fake Calendly and Picktime websites, the attackers schedule meetings with targets in the decentralized finance (DeFi) sector to establish trust before deploying malicious payloads.
In a 2024 incident response case, researchers suspect the group exploited a Chrome zero-day vulnerability to achieve initial compromise, evidenced by sudden decreases in endpoint detection logging around the time of infection.
This aligns with Microsoft’s previous reporting on Citrine Sleet’s use of zero-day Chrome exploits to deploy the FudModule rootkit.
The attackers established persistence through phantom DLL loading: the SessionEnv Windows service attempts to load a TSVIPSrv.dll that is not present on a default installation, so the attackers placed a custom TSVIPSrv.dll loader, called PerfhLoader, in the System32 directory.

Because the DLL is loaded in the context of a service, this technique grants elevated privileges, including SeDebugPrivilege and SeLoadDriverPrivilege, the latter enabling kernel driver loading to bypass security controls.
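A defender-side hunt for the SessionEnv phantom-DLL persistence described above (and for the timestomping mentioned later in the article), as an added PowerShell example that is not part of the original article: it checks whether TSVIPSrv.dll has appeared in System32, verifies its Authenticode signature, and applies two generic timestomping heuristics. The DLL name, location and service come from the article; the heuristics and the use of kernel32.dll as a reference file are my assumptions.

```powershell
# Added hunt script, not from the original article. Assumptions: the DLL name and
# System32 location are as reported; the timestamp heuristics are generic.
function Test-SessionEnvPhantomDll {
    [CmdletBinding()]
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\TSVIPSrv.dll')
    )

    $result = [ordered]@{
        Path     = $Path
        Present  = Test-Path -LiteralPath $Path
        Findings = @()
    }

    if (-not $result.Present) {
        # Windows does not ship TSVIPSrv.dll; absence is the expected clean state.
        return [pscustomobject]$result
    }

    $result.Findings += 'TSVIPSrv.dll exists in System32 (absent on a clean Windows install)'

    $file = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $result.Findings += "Authenticode status: $($sig.Status)"
    }

    # Timestomping heuristics (assumed, not from the article): a file created after
    # it was last modified, or whose write time exactly matches a reference system
    # binary, has likely had its timestamps altered to blend in.
    if ($file.CreationTimeUtc -gt $file.LastWriteTimeUtc) {
        $result.Findings += 'CreationTime is later than LastWriteTime'
    }
    $ref = Get-Item -LiteralPath (Join-Path $env:SystemRoot 'System32\kernel32.dll')
    if ($file.LastWriteTimeUtc -eq $ref.LastWriteTimeUtc) {
        $result.Findings += 'LastWriteTime identical to kernel32.dll (possible timestomp)'
    }

    # Record whether the service that would load the DLL is configured to start.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SessionEnv'"
    if ($svc) {
        $result.Findings += "SessionEnv StartMode=$($svc.StartMode), State=$($svc.State)"
    }

    return [pscustomobject]$result
}

Test-SessionEnvPhantomDll | Format-List
```

Run it in an elevated session on hosts where SessionEnv is enabled; any entry in Findings warrants collecting the file for analysis.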
Triple RAT Arsenal Provides Comprehensive Control
The campaign employs three distinct RATs in sequence, each serving specific operational purposes:
PondRAT functions as the initial access payload, providing basic file operations, process execution, and shellcode injection capabilities.
Despite its simplicity, the malware shares significant code similarities with the previously documented POOLRAT/SimpleTea, including identical XOR encryption keys, bot ID generation algorithms, and unique file deletion patterns involving 27 sequential filename changes.
ThemeForestRAT operates as a memory-only second-stage payload with over 20 commands, including drive enumeration, secure file deletion, process manipulation, and TCP connection testing.
The RAT creates specialized threads to monitor RDP sessions and USB device insertions, demonstrating sophisticated environmental awareness.
Notably, this malware exhibits striking similarities to the RomeoGolf RAT, as documented in Operation Blockbuster, sharing command structures and signaling mechanisms.
RemotePE represents the campaign’s most advanced component, deployed after the actors clean up earlier RAT artifacts.
This payload uses the Windows Data Protection API (DPAPI) for environmental keying: because DPAPI-protected data can only be decrypted on the host (or by the account) that protected it, the payload cannot be fully analyzed without access to the original compromised system.
Advanced Evasion and Persistence Mechanisms
The group demonstrates remarkable operational security awareness through the use of multiple evasion techniques. ThemeForestRAT exclusively runs in memory, explaining its absence from public malware repositories like VirusTotal.
The malware family has remained undetected for at least six years, underscoring its effectiveness in evading security controls.
Configuration files use RC4 encryption with hardcoded keys, while C2 communications employ HTTP(S) protocols with distinctive “ThemeForest_” and “Thumb_” filename prefixes.

The attackers maintain persistence through Windows services and employ timestomping techniques to blend malicious files with legitimate system components.
This campaign represents a significant evolution in Lazarus group capabilities, combining zero-day exploits, memory-only malware, and environmental keying to create a highly sophisticated attack platform targeting the lucrative cryptocurrency sector.
Indicators of Compromise
| Type | Indicator | Comment |
|---|---|---|
| net.domain | calendly[.]live | Fake calendly.com |
| net.domain | picktime[.]live | Fake picktime.com |
| net.domain | oncehub[.]co | Fake oncehub.com |
The post Suspected 0-Day Exploit Enables Lazarus Hackers to Unleash Triple RAT Campaign on Compromised Systems appeared first on Cyber Security News.
