This report reveals how the Lazarus Group continues to evolve its attack strategies targeting the financial and cryptocurrency sectors using sophisticated remote access tools. Their multi-stage infection process involves social engineering, custom malware, and advanced persistence techniques to maintain long-term control. #LazarusGroup #RemotePE
Key points
- The Lazarus Group employs social engineering techniques such as impersonation on Telegram to gain initial access.
- Their attack chain involves three custom RATs: PondRAT, ThemeForestRAT, and RemotePE, each serving different purposes.
- PondRAT acts as a simple loader, ThemeForestRAT provides stealthy in-memory command execution, and RemotePE adds more advanced security features.
- The threat actors use a custom loader called PerfhLoader and abuse the SessionEnv service for persistence, bypassing EDR tools.
- The group deploys credential harvesters, keyloggers, and other tools, maintaining a persistent and adaptable threat to targeted sectors.
Read More: https://securityonline.info/lazarus-subgroup-deploys-three-custom-rats-in-targeted-crypto-attacks/