The Lazarus Group deployed a new C++ in-memory RAT called ScoringMathTea in the “Gotta Fly” phase of Operation DreamJob to target defense contractors supplying UAV technology to Ukraine. ScoringMathTea uses chained polyalphabetic string decryption, API hashing, PEB walking, full reflective DLL injection of plugins, and TEA/XTEA-CBC encrypted HTTP/S C2 with spoofed User-Agent to evade detection #ScoringMathTea #LazarusGroup
Keypoints
- ScoringMathTea is a modular, in-memory C++ RAT that initializes from a DLL and resolves all Windows APIs at runtime via a custom hashing routine.
- String obfuscation uses a 64-character substitution alphabet with a chained polyalphabetic cipher that updates a propagating key state to thwart frequency analysis.
- Network C2 uses HTTP/S with spoofed Edge User-Agent, Base64 encoding, TEA/XTEA-CBC encryption, optional compression, and automatic stripping of fake HTML headers returned by the server.
- The malware implements manual PE mapping and a full reflective plugin loader that downloads additional DLLs from C2 and maps them into memory without touching disk.
- PEB walking is used to locate an unhooked kernel32.dll and build a runtime “clean” API table for imports and relocations, bypassing EDR hooks.
- PolySwarm and ESET research have sampled and reported on ScoringMathTea, and multiple SHA-256 hashes of samples are published in the report.
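Added example, not code from the PolySwarm or ESET write-ups: an analyst-side decoder for the C2 framing described above (Base64 wrapped around XTEA in CBC mode), so a captured body can be peeled back to its command text. The 32-round XTEA, little-endian word order, zero padding, and the key, IV and command string are all assumptions, since the sample's real parameters are not given here.

```python
import base64
import struct

MASK32, DELTA, ROUNDS = 0xFFFFFFFF, 0x9E3779B9, 32  # standard XTEA parameters (assumed)

def _mix(a, s, k):
    return ((((a << 4) ^ (a >> 5)) + a) ^ (s + k)) & MASK32

def _xtea_block(v0, v1, k, decrypt):
    # One 64-bit block with a 4-word key; decrypt walks the key schedule backwards.
    s = (DELTA * ROUNDS) & MASK32 if decrypt else 0
    for _ in range(ROUNDS):
        if decrypt:
            v1 = (v1 - _mix(v0, s, k[(s >> 11) & 3])) & MASK32
            s = (s - DELTA) & MASK32
            v0 = (v0 - _mix(v1, s, k[s & 3])) & MASK32
        else:
            v0 = (v0 + _mix(v1, s, k[s & 3])) & MASK32
            s = (s + DELTA) & MASK32
            v1 = (v1 + _mix(v0, s, k[(s >> 11) & 3])) & MASK32
    return v0, v1

def xtea_cbc(data, key, iv, decrypt):
    # Assumptions: little-endian 32-bit words, zero padding to the 8-byte block size.
    k = struct.unpack("<4I", key)
    prev = struct.unpack("<2I", iv)
    data = data + b"\x00" * ((-len(data)) % 8)
    out = bytearray()
    for i in range(0, len(data), 8):
        blk = struct.unpack("<2I", data[i:i + 8])
        if decrypt:
            p = _xtea_block(blk[0], blk[1], k, True)
            out += struct.pack("<2I", p[0] ^ prev[0], p[1] ^ prev[1])
            prev = blk
        else:
            prev = _xtea_block(blk[0] ^ prev[0], blk[1] ^ prev[1], k, False)
            out += struct.pack("<2I", *prev)
    return bytes(out).rstrip(b"\x00") if decrypt else bytes(out)

def encode_c2_body(plaintext, key, iv):
    return base64.b64encode(xtea_cbc(plaintext, key, iv, False)).decode()

def decode_c2_body(b64_body, key, iv):
    """Peel the Base64 layer, then the XTEA-CBC layer, off a captured C2 body."""
    return xtea_cbc(base64.b64decode(b64_body), key, iv, True)

# Constructed demo values: key, IV and command text are invented for this example.
DEMO_KEY = bytes(range(16))
DEMO_IV = bytes(range(8, 16))
SAMPLE_BODY = encode_c2_body(b"cmd=load_plugin;entry=exportfun", DEMO_KEY, DEMO_IV)
```

In practice the fake HTML headers the report mentions would be stripped from the HTTP response before the body reaches `decode_c2_body`, and the key would come from the sample's reverse engineering rather than a demo constant.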
MITRE Techniques
- [T1027] Obfuscated Files or Information – The malware uses chained polyalphabetic string decryption and stack strings to hide intent (‘String obfuscation relies on a 64-character substitution alphabet and a propagating key state starting at 11.’).
- [T1055.001] DLL Injection – ScoringMathTea performs full reflective DLL injection and reflective loading of follow-on plugins to run code in memory without touching disk (‘full reflective DLL injection of additional plugins’ / ‘manually maps the plugin sections into memory’).
- [T1106] Native API – The agent resolves Windows APIs at runtime via custom hashing and walks the PEB to obtain unhooked kernel32.dll pointers, building a runtime API table (‘All subsequent Windows API calls are resolved at runtime via a custom hashing routine’ and ‘walks the PEB to locate an unhooked kernel32.dll’).
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communication occurs over HTTP/S with spoofed User-Agent, Base64 encoding, and TEA/XTEA-CBC encryption for command-and-control (‘Communication with C2 occurs over HTTP/S with spoofed User-Agent, Base64 encoding, TEA/XTEA-CBC encryption’).
- [T1105] Ingress Tool Transfer – ScoringMathTea downloads additional PE/DLL plugins from C2 and loads them in-memory for additional functionality (‘When instructed, ScoringMathTea downloads an additional PE (DLL) from the C2’ and ‘invokes an exported function named “exportfun” to activate the plugin’).
- [T1041] Exfiltration Over C2 Channel – The RAT is used to exfiltrate sensitive UAV technology from targeted defense contractors over its encrypted C2 channel (‘deployed … to exfiltrate sensitive unmanned aerial vehicle (UAV) technology from defense contractors’).
Indicators of Compromise
- [File Hash] ScoringMathTea sample SHA-256 hashes – c39ecc7d9f1e225a37304345731fffe72cdb95b21aeb06aa6022f6d338777012, 083d4a4ef6267c9a0ab57f1e5a2ed45ff67a0b4db83bbd43563458a223781120, and 4 more hashes.
- [Domain] Sample repository / reporting – polyswarm.io (the PolySwarm portal hosting the ScoringMathTea samples and analysis links; this is the reporting source, not an attacker-controlled indicator).
- [Email] Contact for report or community access – [email protected] (used for contacting PolySwarm regarding samples and access).
Read more: https://blog.polyswarm.io/lazarus-groups-scoringmathtea-rat