Threat Intelligence

North Korea’s Lazarus Group uses new RemotePE malware against financial targets

As reported by The Hacker News, a sophisticated cross-platform malware known as RemotePE has been identified as the latest tool in the arsenal of the North Korea-linked Lazarus Group, specifically targeting financial and cryptocurrency organizations. This discovery, made by Fox-IT, part of NCC Group, highlights the group's continued efforts to infiltrate and exploit entities within the digital finance sector.

RemotePE is deployed through a multi-stage attack chain involving two loaders, DPAPILoader and RemotePELoader. DPAPILoader decrypts and loads RemotePELoader from disk using the Windows Data Protection API. RemotePELoader then communicates with a command-and-control (C2) server to receive the final stage: RemotePE. This remote access trojan (RAT) is designed to operate entirely in memory, leaving minimal forensic artifacts on the filesystem. The malware employs evasion techniques like Hell's Gate and patches Event Tracing for Windows (ETW) to avoid detection.

RemotePE supports various commands, including C2 configuration management, file operations, process manipulation, and self-management. A notable feature is its file deletion method, which overwrites files multiple times before deletion, a technique also seen in related malware. The Lazarus Group appears to reserve this toolset for high-value targets, aiming for long-term, stealthy access for objectives such as data theft or financial heists, consistent with their known modus operandi.

Source: The Hacker News

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds