As reported by The Hacker News, a sophisticated cross-platform malware known as RemotePE has been identified as the latest tool in the arsenal of the North Korea-linked Lazarus Group, specifically targeting financial and cryptocurrency organizations. This discovery, made by Fox-IT, part of NCC Group, highlights the group's continued efforts to infiltrate and exploit entities within the digital finance sector.RemotePE is deployed through a multi-stage attack chain involving two loaders, DPAPILoader and RemotePELoader. DPAPILoader decrypts and loads RemotePELoader from disk using the Windows Data Protection API. RemotePELoader then communicates with a command-and-control (C2) server to receive the final stage: RemotePE. This remote access trojan (RAT) is designed to operate entirely in memory, leaving minimal forensic artifacts on the filesystem. The malware employs evasion techniques like Hell's Gate and patches Event Tracing for Windows (ETW) to avoid detection.RemotePE supports various commands, including C2 configuration management, file operations, process manipulation, and self-management. A notable feature is its file deletion method, which overwrites files multiple times before deletion, a technique also seen in related malware. The Lazarus Group appears to reserve this toolset for high-value targets, aiming for long-term, stealthy access for objectives such as data theft or financial heists, consistent with their known modus operandi.Source: The Hacker News
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds




