The North Korea-linked threat actor known as the Lazarus Group has been attributed to a social engineering campaign that distributes three different pieces of cross-platform malware called PondRAT, ThemeForestRAT, and RemotePE.
The attack, observed by NCC Group’s Fox-IT in 2024, targeted an organization in the decentralized finance (DeFi) sector, ultimately leading to the compromise of an employee’s system.
“From there, the actor performed discovery from inside the network using different RATs in combination with other tools, for example, to harvest credentials or proxy connections,” Yun Zheng Hu and Mick Koomen said. “Afterwards, the actor moved to a stealthier RAT, likely signifying a next stage in the attack.”
The attack chain begins with the threat actor impersonating an existing employee of a trading company on Telegram and using fake websites masquerading as Calendly and Picktime to schedule a meeting with the victim.
Although the exact initial access vector is currently not known, the foothold is leveraged to deploy a loader called PerfhLoader, which then drops PondRAT, a known malware assessed to be a stripped-down variant of POOLRAT (aka SIMPLESEA). The cybersecurity company said there is some evidence to suggest that a then-zero-day exploit in the Chrome browser may have been used in the attack.
Also delivered along with PondRAT are a number of other tools, including a screenshotter, keylogger, Chrome credential and cookie stealer, Mimikatz, FRPC, and proxy programs like MidProxy and Proxy Mini.
“PondRAT is a straightforward RAT that allows an operator to read and write files, start processes, and run shellcode,” Fox-IT said, adding it dates back to at least 2021. “The actor used PondRAT in combination with ThemeForestRAT for roughly three months, to afterwards clean up and install the more sophisticated RAT called RemotePE.”
The PondRAT malware is designed to communicate over HTTP(S) with a hard-coded command-and-control (C2) server to receive further instructions, with ThemeForestRAT launched directly in memory either via PondRAT or a dedicated loader.
ThemeForestRAT, like PondRAT, monitors for new Remote Desktop (RDP) sessions and contacts a C2 server over HTTP(S) to retrieve as many as twenty commands to enumerate files/directories, perform file operations, execute commands, test TCP connection, timestomp file based on another file on disk, get process listing, download a files, inject shellcode, spawn processes, and hibernate for a specific amount of time.
Fox-IT said ThemeForestRAT shares similarities with a malware codenamed RomeoGolf that was put to use by the Lazarus Group in the November 2014 destructive wiper attack against Sony Pictures Entertainment (SPE). It was documented by Novetta as part of a collaborative effort known as Operation Blockbuster.
RemotePE, on the other hand, is retrieved from a C2 server by RemotePELoader, which, in turn, is loaded by DPAPILoader. Written in C++, RemotePE is a more advanced RAT that’s likely reserved for high-value targets.
“PondRAT is a primitive RAT that provides little flexibility, however, as an initial payload it achieves its purpose,” Fox-IT said. “For more complex tasks, the actor uses ThemeForestRAT, which has more functionality and stays under the radar as it is loaded into memory only.”
