North Korean Lazarus Group’s Social Engineering Tactics Unveiled
The Rise of the Lazarus Group
The Lazarus Group, a notorious cyber threat actor linked to North Korea, has been tied to a sophisticated social engineering campaign that deployed three distinct cross-platform malware families: PondRAT, ThemeForestRAT, and RemotePE. These tools were used to infiltrate organizations in the decentralized finance (DeFi) sector, putting their data at significant risk.
Targeting the DeFi Sector
In an investigation by NCC Group’s Fox-IT, the Lazarus Group compromised an employee’s system at a targeted DeFi organization. The attack chain began with the impersonation of an employee over Telegram, using deceptive websites built to resemble known scheduling services such as Calendly and Picktime to arrange meetings with prospective victims. This impersonation underscores the importance of awareness in digital communication, especially within sensitive industries.
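The meeting links described above are the kind of artifact a defender can triage automatically. The Python below is an added example, not code from the article or from Fox-IT: it classifies a scheduling URL as legitimate, lookalike, or unrelated against the two services the article names. The sample links are constructed (the domains the attackers actually used are not given), the "registrable domain = last two labels" rule is an assumed simplification, and the similarity threshold of 0.8 is a tunable guess.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Legitimate scheduling services named in the article.
KNOWN_SCHEDULERS = {"calendly.com", "picktime.com"}
# Brand tokens derived from them: {"calendly", "picktime"}
BRAND_TOKENS = {d.split(".")[0] for d in KNOWN_SCHEDULERS}


def registrable_domain(host: str) -> str:
    """Assumption: the registrable domain is the last two labels.
    A production version should consult the public-suffix list so that
    hosts such as example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_scheduling_link(url: str, threshold: float = 0.8) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a meeting link."""
    host = (urlsplit(url).hostname or "").lower()
    if registrable_domain(host) in KNOWN_SCHEDULERS:
        return "legitimate"
    # A brand name anywhere in a host that is NOT the brand's own domain
    # (a subdomain trick or a hyphenated label) is a classic lookalike.
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    # Typosquats: the second-level label is close to, but not equal to, a brand.
    second_level = registrable_domain(host).split(".")[0]
    for token in BRAND_TOKENS:
        if SequenceMatcher(None, second_level, token).ratio() >= threshold:
            return "lookalike"
    return "unrelated"


def triage(urls):
    """Map each URL to its verdict; useful for links pulled from chat exports."""
    return {u: classify_scheduling_link(u) for u in urls}


# Constructed sample links (not taken from the article or the investigation).
SAMPLE_LINKS = [
    "https://calendly.com/acme-team/30min",
    "https://calendly.com.meet-invite.example/acme",
    "https://calendy.example/acme-team",
    "https://picktime-booking.example/invite",
    "https://example.org/meeting",
]

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:10s} {link}")
```

The substring check catches the brand name placed in a subdomain or a hyphenated label, while the similarity check catches single-character typosquats; neither replaces a reputation lookup, but together they give a fast first pass over links received through messaging platforms.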
The Attack’s Mechanics
Although the precise method of initial access has not been identified, the attacker used the resulting foothold to deploy a loader named PerfhLoader, which in turn introduced PondRAT, a streamlined form of the POOLRAT malware. Preliminary evidence gathered by Fox-IT suggests the attack may have exploited a zero-day vulnerability in the Chrome browser, which would further complicate defense against such intrusions.
Deployment of Malware Tools
Several additional tools were delivered alongside PondRAT: a screenshotter, a keylogger, credential stealers such as Mimikatz, and proxy tools including MidProxy and Proxy Mini, the latter used to improve the attacker’s operational stealth.
Functionality of PondRAT
PondRAT acts as a basic remote access tool (RAT) that lets operators read and write files, start processes, and execute shell commands. According to Fox-IT, this variant has been in circulation since at least 2021. In the initial phase of the attack, PondRAT was used together with ThemeForestRAT for approximately three months before the operators transitioned to the more sophisticated RemotePE.
Communication and Commands
PondRAT is engineered to communicate over HTTP(S) with a hard-coded command-and-control (C2) server, from which it receives further instructions. ThemeForestRAT, by contrast, is launched directly into the system’s memory, either by PondRAT or by a dedicated loader, which helps it operate stealthily and evade detection mechanisms.
Capabilities of ThemeForestRAT
Like its predecessor, ThemeForestRAT monitors for new Remote Desktop Protocol (RDP) sessions and retrieves a broad set of commands from its C2 server. These include enumerating files and directories, executing commands, and manipulating file attributes by copying timestamps from other files already present on the system (timestomping).
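The timestamp manipulation described above leaves a pattern a forensic triage script can look for: a file in a user-writable location whose creation and modification times are identical, to the nanosecond, to those of an operating-system file. The Python below is an added example written for this article, not Fox-IT's or the article's code. The file inventory is constructed, the "anything under C:\Windows is a donor" rule is an assumption, and the second heuristic (both timestamps having a zero sub-second part, which naive timestamp-setting tools tend to produce) is an assumed rule of thumb rather than something the article states.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FileRecord:
    path: str
    created_ns: int   # creation time, nanoseconds since the epoch (as from os.stat)
    modified_ns: int  # last-modified time, nanoseconds since the epoch


# Assumption: files under these prefixes are OS-owned and are the likely
# "donor" files whose timestamps an implant would copy onto itself.
SYSTEM_PREFIXES = ("c:\\windows\\",)

NS_PER_SECOND = 1_000_000_000


def is_system_path(path: str) -> bool:
    return path.lower().startswith(SYSTEM_PREFIXES)


def find_timestomp_candidates(records: List[FileRecord]) -> List[Dict[str, str]]:
    """Return files outside system directories whose timestamps look copied."""
    # Index donor timestamps: (created, modified) pair -> first system file seen.
    donors: Dict[Tuple[int, int], str] = {}
    for r in records:
        if is_system_path(r.path):
            donors.setdefault((r.created_ns, r.modified_ns), r.path)

    findings: List[Dict[str, str]] = []
    for r in records:
        if is_system_path(r.path):
            continue
        donor = donors.get((r.created_ns, r.modified_ns))
        if donor is not None:
            # Exact match on both stamps is very unlikely to happen by accident.
            findings.append({"path": r.path, "reason": f"timestamps identical to {donor}"})
        elif r.created_ns % NS_PER_SECOND == 0 and r.modified_ns % NS_PER_SECOND == 0:
            # Assumed heuristic: real file activity almost always carries a
            # sub-second fraction; whole-second stamps suggest they were set by hand.
            findings.append({"path": r.path, "reason": "both timestamps have a zero sub-second part"})
    return findings


# Constructed inventory (not from the investigation). The helper.dll entry
# carries kernel32.dll's exact timestamps; update.exe carries whole-second ones.
SAMPLE_RECORDS = [
    FileRecord(r"C:\Windows\System32\kernel32.dll", 1_650_000_000_123_456_700, 1_651_000_000_987_654_300),
    FileRecord(r"C:\Windows\System32\ntdll.dll", 1_650_000_000_555_555_500, 1_651_000_000_111_111_100),
    FileRecord(r"C:\Users\alice\AppData\Roaming\svc\helper.dll", 1_650_000_000_123_456_700, 1_651_000_000_987_654_300),
    FileRecord(r"C:\Users\alice\Documents\report.docx", 1_700_000_000_321_000_000, 1_700_100_000_654_000_000),
    FileRecord(r"C:\Users\alice\AppData\Local\Temp\update.exe", 1_700_000_000_000_000_000, 1_700_000_000_000_000_000),
]

if __name__ == "__main__":
    for finding in find_timestomp_candidates(SAMPLE_RECORDS):
        print(f"{finding['path']}: {finding['reason']}")
```

On a live Windows host the records would come from os.stat (st_ctime_ns is birth time on Windows) or, better, from a parsed MFT, where the $STANDARD_INFORMATION timestamps this script inspects can be compared against the $FILE_NAME timestamps that ordinary timestomping tools do not update. Treat hits as leads for that deeper check, not as verdicts: some installers legitimately write whole-second timestamps.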
Historical Context and Comparisons
Notably, Fox-IT has drawn parallels between ThemeForestRAT and another malware known as RomeoGolf, which was utilized by the Lazarus Group in the notorious 2014 cyberattack on Sony Pictures Entertainment. This comparison highlights an ongoing trend of technologically sophisticated and invasive tactics employed by this cyber group.
The Advanced RemotePE
RemotePE is another significant component. It is retrieved from the C2 server by a loader named RemotePELoader, with DPAPILoader handling the loading step. Written in C++, RemotePE offers more advanced functionality and appears to be reserved for targets deemed high-value.
Conclusion on Attack Strategies
Fox-IT emphasizes that while PondRAT may appear primitive and offer limited functionality, it serves its purpose as an initial payload effectively. For more complex operations, the Lazarus Group relies on the more capable ThemeForestRAT, which allows them to operate under the radar, enhancing their chances of success against targeted organizations. Understanding these tactics is crucial for cybersecurity professionals as they develop defenses against increasingly sophisticated threat actors.