Multi-platform payloads spread in Lazarus social engineering campaign

North Korean hacking collective Lazarus Group has deployed the multi-platform PondRAT, ThemeForestRAT, and RemotePE malware strains as part of a social engineering attack campaign against a decentralized finance organization, The Hacker News reports. After achieving initial access through trading firm employee spoofing on Telegram and bogus Calendly and Picktime website exploitation for scheduling a meeting with the target, Lazarus hackers proceeded to spread the PerfhLoader that injected the PondRAT trojan for file reading and writing and shellcode execution, along with a keylogger, Mimikatz, and other illicit tools, an analysis from NCC Group's Fox-IT researchers showed. PondRAT was then used concurrently with ThemeForestRAT, which allowed file enumeration, TCP connection testing, and command execution. Attackers then moved to remove traces of both PondRAT and ThemeForestRAT before launching the more sophisticated RemotePE trojan, according to Fox-IT researchers. "PondRAT is a primitive RAT that provides little flexibility, however, as an initial payload it achieves its purpose. For more complex tasks, the actor uses ThemeForestRAT, which has more functionality and stays under the radar as it is loaded into memory only," they added.