
In 2024 the North Korea-linked Lazarus Group compromised a decentralized finance (DeFi) organization in a multi-stage intrusion, a further sign of the group's sustained targeting of the financial sector.
The campaign began on Telegram, where the threat actor posed as an employee of a trading company and steered the target toward fake scheduling websites that mimicked services such as Calendly and Picktime. This social-engineering lure, not any technical exploit, was the entry point into the organization.
Once access was established, the attacker deployed PondRAT, a remote access trojan (RAT), together with auxiliary tooling: keyloggers, screenshotters, Chrome credential and cookie stealers, Mimikatz, and proxy programs.
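A check a defender could run on the lure stage described above, as an added example that is not part of the original article or of Fox-IT's research: it flags hostnames that imitate Calendly or Picktime by brand embedding, single-character typo-squats, and homoglyph substitution. The brand list, the homoglyph table and the sample links are constructed for illustration and are not indicators from the report.

```python
"""Lookalike-domain check for scheduling-service lures.

Added example for the Telegram/fake-Calendly lure stage. The brand list,
the homoglyph table and the sample URLs are constructed for illustration;
none of them are indicators from the Fox-IT report.
"""
import re
from urllib.parse import urlparse

# Assumed legitimate registrable domains of the impersonated services.
LEGIT_DOMAINS = {"calendly.com", "picktime.com"}
BRANDS = {d.split(".")[0] for d in LEGIT_DOMAINS}

# Frequent look-alike substitutions, folded back to the ASCII letter.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0441": "c", "\u0435": "e",  # Cyrillic а, с, е
    "\u0456": "i", "\u043e": "o",                  # Cyrillic і, о
})


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels. Assumes no multi-label public
    suffixes such as .co.uk appear in the input."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname(url: str) -> str:
    """Lower-cased hostname of a URL (scheme added if missing); punycode
    labels are decoded so the homoglyph table sees the original characters."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    return host


def classify(url: str) -> str:
    """'legit' for the real service, 'lookalike' for an imitation,
    'unrelated' otherwise."""
    host = hostname(url)
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legit"
    tokens = [t for t in re.split(r"[^a-z0-9]+", host.translate(HOMOGLYPHS)) if t]
    for brand in BRANDS:
        for tok in tokens:
            # Brand embedded in a label ("calendly-meeting", "picktime.com.evil")
            if brand in tok:
                return "lookalike"
            # One-character typo in a label of about the brand's length
            if abs(len(tok) - len(brand)) <= 1 and levenshtein(tok, brand) <= 1:
                return "lookalike"
    return "unrelated"


def find_lookalikes(urls):
    """Return the URLs from `urls` that classify as lookalikes."""
    return [u for u in urls if classify(u) == "lookalike"]


# Constructed sample links, as might be pasted into a Telegram chat.
SAMPLE_LINKS = [
    "https://calendly.com/acme-trading/30min",
    "https://app.calendly.com/acme-trading",
    "https://calendly-meeting.com/acme-trading/30min",
    "https://ca1endly.com/acme",
    "https://picktime.com.book-now.net/acme",
    "https://calendar.google.com/",
    "https://example.com/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify(link):10s} {link}")
```

The check is deliberately conservative in one direction: a real subdomain of the brand (app.calendly.com) is accepted, while the brand appearing anywhere to the left of a different registrable domain is flagged. In practice the brand list would be extended to every scheduling, file-sharing and meeting service a trading desk actually uses, and the naive two-label eTLD+1 would be replaced by a public-suffix list.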
Analysts noted evidence suggesting a zero-day Chrome exploit may have facilitated the initial compromise.
After PondRAT, the attacker moved to ThemeForestRAT, a second-stage implant that runs entirely in memory. It could monitor Remote Desktop sessions, enumerate files and processes, inject shellcode, and execute commands, and because it leaves little on disk, file-based detection is less likely to catch it.
Fox-IT researchers observed similarities between ThemeForestRAT and malware previously used by Lazarus during the 2014 Sony Pictures destructive attack.
The final stage was RemotePE, a more capable C++ RAT that the researchers believe is held back for high-value targets. It was staged through two loaders, DPAPILoader and RemotePELoader, and supported operations beyond what PondRAT or ThemeForestRAT offered. The name DPAPILoader suggests the payload is protected with Windows DPAPI, which binds encrypted data to a specific user or machine; a payload protected that way will not decrypt for an analyst who recovers it from disk and examines it on another host. The summary gives no further detail on the loaders.
Researchers explained that PondRAT provided initial access and basic control, ThemeForestRAT offered mid-stage stealth and functionality, and RemotePE enabled advanced operations for high-value objectives.
The pattern is worth noting: a human lure first, then a disposable first-stage RAT, a memory-resident second stage, and a final implant held back for high-value targets, all directed at financial systems in the DeFi sector.
Source: TheHackerNews