Lazarus Group boosts malware tools with PondRAT, ThemeForestRAT, & RemotePE

The North Korea-linked threat actor known as the Lazarus Group has been linked to a social engineering campaign that distributes three distinct pieces of cross-platform malware: PondRAT, ThemeForestRAT, and RemotePE. This attack, observed by NCC Group’s Fox-IT in 2024, targeted an organisation in the Decentralised Finance (DeFi) sector, ultimately leading to the compromise of an employee’s system. The attack chain commenced with the threat actor impersonating an existing employee of a trading company on Telegram, utilising fake websites that masqueraded as Calendly and Picktime to schedule a meeting with the victim. Although the exact initial access vector remains unknown, the foothold was leveraged to deploy a loader called PerfhLoader, which subsequently dropped PondRAT, a known malware assessed to be a stripped-down variant of POOLRAT (also known as SIMPLESEA).

Alongside PondRAT, several other tools were delivered, including a screenshotter, keylogger, Chrome credential and cookie stealer, Mimikatz, FRPC, and proxy programs like MidProxy and Proxy Mini. PondRAT is described as a straightforward Remote Access Trojan (RAT) that allows an operator to read and write files, start processes, and run shellcode. The actor employed PondRAT in conjunction with ThemeForestRAT for approximately three months before transitioning to the more sophisticated RAT known as RemotePE. PondRAT is designed to communicate over HTTP(S) with a hard-coded Command-and-Control (C2) server to receive further instructions.

ThemeForestRAT, like PondRAT, contacts a C2 server over HTTP(S); it also monitors for new Remote Desktop Protocol (RDP) sessions and can retrieve up to twenty commands for various operations. Fox-IT noted that ThemeForestRAT shares similarities with malware codenamed RomeoGolf, which was used by the Lazarus Group in the November 2014 destructive wiper attack against Sony Pictures Entertainment. RemotePE, a RAT written in C++, is retrieved from a C2 server by RemotePELoader, which is in turn loaded by DPAPILoader; its greater sophistication indicates a more advanced RAT likely reserved for high-value targets.