
North Korea-linked threat actors known as the Lazarus Group have been attributed to a social engineering campaign that distributes three different cross-platform malware families, tracked as PondRAT, ThemeForestRAT and RemotePE.
The attack, observed by NCC Group's Fox-IT in 2024, targeted an organization in the decentralized finance (DeFi) sector and ultimately led to the compromise of an employee's system.
"From there, actors performed discovery within the network using different RATs in combination with other tools to harvest credentials and proxy connections, for example," said Yun Zheng Hu and Mick Koomen. "The actor then moves to stealthier RATs, which probably means the next stage of the attack."
The attack chain involves the threat actors impersonating an existing employee of a trading company on Telegram and scheduling meetings with victims using fake websites posing as Calendly and Picktime.

The exact initial access vector is currently unknown, but the resulting foothold is used to deploy a loader called PerfhLoader and drop PondRAT, a known malware assessed to be a stripped-down variant of POOLRAT (also known as SIMPLESEA). The cybersecurity company said there is some evidence suggesting that a then zero-day exploit for the Chrome browser was used in the attack.
PondRAT is also used to deliver a range of other tools, including a screenshotter, a keylogger, a Chrome credential and cookie stealer, Mimikatz, FRPC, and proxy programs such as MidProxy and Proxy Mini.
"PondRAT is a simple RAT that allows operators to read and write files, start processes and run shellcode," Fox-IT added, noting that the malware dates back to at least 2021.

PondRAT is designed to communicate over HTTP with a hard-coded command-and-control (C2) server, from which it receives further instructions. ThemeForestRAT is loaded directly into memory via either PondRAT or a dedicated loader.
ThemeForestRAT also contacts its C2 server over HTTP and supports commands to enumerate files and directories, perform file operations, run commands, establish TCP connections, retrieve disk information, timestomp files, monitor for new Remote Desktop (RDP) sessions, and sleep for a given amount of time.

Fox-IT said ThemeForestRAT shares similarities with RomeoGolf, the malware codename used for a tool the Lazarus Group deployed in its destructive wiper attack on Sony Pictures Entertainment (SPE) in November 2014, as documented by Novetta as part of the collaborative effort known as Operation Blockbuster.
RemotePE, on the other hand, is retrieved from the C2 server by RemotePELoader and loaded by DPAPILoader. Written in C++, RemotePE is a more advanced RAT and may be reserved for high-value targets.
"PondRAT is a primitive RAT that offers little flexibility, but it serves its purpose as the first payload," Fox-IT said. "For more complicated tasks, the actors use ThemeForestRAT. ThemeForestRAT has more features and is loaded only in memory, so it stays under the radar."