Three Lazarus RATs coming for your cheese

2025-09-01, Foxit
https://blog.fox-it.com/2025/09/01/three-lazarus-rats-coming-for-your-cheese/
#Lazarus #PondRAT #RemotePE #ThemeForestRAT

Contents

Authors: Yun Zheng Hu and Mick Koomen
Introduction
In the past few years, Fox-IT and NCC Group have conducted multiple incident response cases involving a Lazarus subgroup that specifically targets organizations in the financial and cryptocurrency sector. This Lazarus subgroup overlaps with activity linked to AppleJeus [1], Citrine Sleet [2], UNC4736 [3], and Gleaming Pisces [4]. This actor uses different remote access trojans (RATs) in their operations, known as PondRAT [5], ThemeForestRAT and RemotePE. In this article, we analyse and discuss these three.
First, we describe an incident response case from 2024, where we observed the three RATs. This gives insights into the tactics, techniques, and procedures (TTPs) of this actor. Then, we discuss PondRAT, ThemeForestRAT and RemotePE, respectively.
PondRAT received quite some attention last year; we give a brief overview of the malware and document further similarities between PondRAT and POOLRAT (also known as SimpleTea) that have not yet been publicly documented. Secondly, we discuss ThemeForestRAT, a RAT …

IoC

import "pe"

rule Lazarus_ThemeForestRAT_RC4_key {
    meta:
        description = "ThemeForest RC4 key used for config file."
        author = "Fox-IT / NCC Group"
    strings:
        // The key as one contiguous byte sequence.
        $rc4_key = { 20 1A 19 2D 83 8F 48 53 E3 00 }
        // The same key in 4-byte chunks; the jumps allow for the instruction bytes in between.
        $rc4_key_mov = { 20 1A 19 2D [2-8] 83 8F 48 53 [2-10] E3 00 }
    condition:
        any of them
}

rule Lazarus_PerfhLoader_XOR_key {
    meta:
        description = "XOR key used for shellcode obfuscation."
        author = "Fox-IT / NCC Group"
    strings:
        // 16-byte key 00..0F written four bytes at a time (C7 = mov r/m32, imm32).
        $mov_1 = { C7 [1-3] 00 01 02 03 }
        $mov_2 = { C7 [1-3] 04 05 06 07 }
        $mov_3 = { C7 [1-3] 08 09 0A 0B }
        $mov_4 = { C7 [1-3] 0C 0D 0E 0F }
        // Pair of lea instructions from the key-initialisation code.
        $init_1 = { 41 8D ?? FD 41 8D ?? F9 }
    condition:
        all of them
}

rule Lazarus_DPAPILoader_Hunting {
    meta:
        description = "Hunting rule to detect DPAPILoader, a loader used to load RemotePE."
        author = "Fox-IT / NCC Group"
    strings:
        // Error messages of the manual PE loader; the typo in $msg_2 is part of the original string.
        $msg_1 = "[!] Could not allocate memory at the desired base!\n"
        $msg_2 = "[!] Virtual section size is out ouf bounds: "
        $msg_3 = "[!] Invalid relocDir pointer\n"
        $msg_4 = "[-] Not supported relocations format at %d: %d\n"
        $msg_5 = "[!] Cannot fill imports into 32 bit PE via 64 bit loader!\n"
    condition:
        // Loader strings alone are generic; require the DPAPI import that the loader uses.
        any of them and pe.imports("Crypt32.dll", "CryptUnprotectData")
}

rule Lazarus_RemotePE_class_strings {
    meta:
        description = "RemotePE class strings."
        author = "Fox-IT / NCC Group"
    strings:
        // Matched in ASCII and UTF-16, also when single-byte XOR encoded.
        $a = "IMiddleController" ascii wide xor
        $b = "IChannelController" ascii wide xor
        $c = "IConfigProfile" ascii wide xor
        $d = "IKernelModule" ascii wide xor
    condition:
        all of them
}

rule Lazarus_RemotePE_C2_strings {
    meta:
        description = "RemotePE strings used for C2."
        author = "Fox-IT / NCC Group"
    strings:
        $a = "MicrosoftApplicationsTelemetryDeviceId" wide ascii xor
        $b = "armAuthorization" wide ascii xor
        $c = "ai_session" wide ascii xor
    condition:
        // 0x5A4D is the "MZ" header: restrict to PE files.
        uint16(0) == 0x5A4D and all of them
}

rule Lazarus_ThemeForestRAT_C2_strings {
    meta:
        description = "ThemeForestRAT strings used for C2."
        author = "Fox-IT / NCC Group"
    strings:
        // Format strings and HTTP parameter names used in C2 requests.
        $themeforest = "ThemeForest_%s" ascii wide
        $thumb = "Thumb_%s" ascii wide
        $param_code = "code" ascii wide
        $param_fn = "fn" ascii wide
        $param_ldf = "ldf" ascii wide
    condition:
        all of them
}