Lazarus Group uses memory-only RemotePE RAT on finance firms

North Korea-linked Lazarus Group deployed an in-memory RemotePE RAT via DPAPILoader and RemotePELoader after a Telegram social-engineering attack on finance and crypto firms.
Fox-IT, part of NCC Group, reported that the North Korea-linked Lazarus Group deployed a memory-only remote access trojan called RemotePE against financial and cryptocurrency firms. The campaign used Telegram social engineering and targeted at least one decentralized finance organization.
The intrusion began when an attacker posing as a trading company employee contacted a target on Telegram and arranged a meeting using counterfeit Calendly and Picktime pages. A DLL named Iassvc.dll, tracked as DPAPILoader, was delivered to the victim’s device and used the Windows Data Protection API (DPAPI) to decrypt an on-disk payload.
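A practical hunting angle on this stage is the encrypted payload itself: the loader cannot call DPAPI without a DPAPI blob sitting on disk, and such blobs carry a fixed, recognisable header. The script below is an added example and not Fox-IT's or the attacker's code; it assumes the on-disk payload is a plain CryptProtectData blob (4-byte version followed by the DPAPI provider GUID, then the master-key version, master-key GUID, flags and an optional description), and the files it scans are constructed for the demonstration.

```python
"""Hunt for DPAPI-protected payload blobs on disk.

Added example, not Fox-IT's or the attacker's code.  Assumption: the on-disk
payload that DPAPILoader feeds to DPAPI is a plain CryptProtectData blob, whose
fixed header begins with a 4-byte version (1) and the DPAPI provider GUID.
The files written below are constructed for the demonstration.
"""
import os
import struct
import tempfile
import uuid

# Provider GUID {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} as it is serialised in a blob
# (mixed-endian GUID layout), preceded by the version dword.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
DPAPI_MAGIC = struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
HEADER_LEN = 48  # version, provider GUID, master-key version, master-key GUID, flags, description length


def parse_dpapi_header(data):
    """Return the header fields of a DPAPI blob, or None if data is not one."""
    if len(data) < HEADER_LEN or data[:len(DPAPI_MAGIC)] != DPAPI_MAGIC:
        return None
    (mk_version,) = struct.unpack_from("<I", data, 20)
    mk_guid = uuid.UUID(bytes_le=data[24:40])
    flags, desc_len = struct.unpack_from("<II", data, 40)
    if HEADER_LEN + desc_len > len(data):
        return None  # truncated or corrupt blob (or description longer than the bytes read)
    raw_desc = data[HEADER_LEN:HEADER_LEN + desc_len]
    description = raw_desc.decode("utf-16-le", errors="replace").rstrip("\x00")
    return {
        "master_key_version": mk_version,
        "master_key_guid": str(mk_guid),  # ties the blob to a specific user's master key file
        "flags": flags,
        "description": description,
    }


def scan_directory(root, max_size=50 * 1024 * 1024):
    """Walk root and return (path, header) for every file that starts like a DPAPI blob."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # the header and description fit comfortably here
            except OSError:
                continue
            header = parse_dpapi_header(head)
            if header is not None:
                hits.append((path, header))
    return hits


def build_sample_blob(master_key_guid, description):
    """Construct a header-only blob (constructed test data, not a real encrypted payload)."""
    desc = (description + "\x00").encode("utf-16-le")
    return (DPAPI_MAGIC
            + struct.pack("<I", 1)
            + uuid.UUID(master_key_guid).bytes_le
            + struct.pack("<II", 0, len(desc))
            + desc
            + b"\x00" * 32)  # stand-in for the remainder of the structure


def demo():
    """Drop one constructed blob and one ordinary file into a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "config.dat"), "wb") as fh:
            fh.write(build_sample_blob("11111111-2222-3333-4444-555555555555", "payload"))
        with open(os.path.join(tmp, "readme.txt"), "wb") as fh:
            fh.write(b"nothing to see here")
        return scan_directory(tmp)


if __name__ == "__main__":
    for path, header in demo():
        print(path, header)
```

Legitimate software (browser credential stores, Windows credential files) also writes DPAPI blobs, so the scanner's value comes from where a hit sits: a blob next to an unexpected DLL in a user-writable directory is the pattern worth escalating, and the master-key GUID it reports tells you which user context the loader must run under to decrypt it.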
The decrypted payload was RemotePELoader, which beacons to a command-and-control server and retrieves the final RemotePE module. RemotePE is written in C++ and, according to Fox-IT researchers, runs entirely in memory and is never written to disk.
RemotePE supports commands to modify its C2 configuration, change its working directory, register and unload DLLs, perform file operations, list and control processes, pause or exit, and check connectivity. Its file-deletion routine overwrites files with constant bytes seven times before renaming and removing them, a pattern also observed in PondRAT and POOLRAT.
The loaders use multiple evasion techniques. RemotePELoader uses Hell’s Gate to change execution context, patches Event Tracing for Windows (ETW) to interfere with detection tools, and executes the final RAT in memory to avoid creating filesystem artifacts. Fox-IT obtained four RemotePE samples that show development activity from mid-2023 through mid-2024.
The earliest RemotePE sample carries a July 4, 2023 timestamp and the first DPAPILoader artifact dates to November 2023. Fox-IT found that neither RemotePELoader nor RemotePE appeared on VirusTotal before the vendor’s report and that the intrusion also deployed PondRAT and ThemeForestRAT in the compromised environment.
Researchers Yun Zheng Hu and Mick Koomen wrote: “DPAPILoader decrypts and loads RemotePELoader from disk using the Windows Data Protection API (DPAPI). RemotePELoader beacons to a C2 server and waits until it receives the next stage: RemotePE, a RAT executed entirely in memory and never written to disk, leaving no filesystem artifacts.”
Fox-IT recommended that security teams in financial services and cryptocurrency firms increase scrutiny of messages on external platforms, tighten handling of meeting invites and credentials, and monitor for unusual in-memory activity, ETW patches and network beacons to suspicious domains such as aes-secure[.]net.
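The network-side part of that advice is the easiest to operationalise because a memory-only implant still has to beacon. The script below is an added example, not Fox-IT's tooling; it runs over constructed proxy log lines (timestamp, source IP, destination host, port, status), flags any connection to the defanged indicator from the report, and goes a step beyond the page by also flagging host pairs whose connection intervals are regular enough to look like a beacon. The log format, thresholds and sample addresses are assumptions for the demonstration.

```python
"""Flag known-C2 traffic and periodic beaconing in proxy logs.

Added example, not Fox-IT's tooling.  The log format, thresholds and the
sample lines are constructed for the demonstration; the only indicator taken
from the report is aes-secure[.]net, refanged below.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime


def refang(ioc):
    """Turn a defanged indicator back into a matchable hostname."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang("aes-secure[.]net")}

# Assumed log format: "<ISO8601 timestamp> <src ip> <dst host> <dst port> <status>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")


def parse_line(line):
    """Parse one proxy log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return {"ts": ts, "src": m.group(2), "host": m.group(3),
            "port": int(m.group(4)), "status": int(m.group(5))}


def find_beacons(lines, min_hits=5, max_jitter=0.2):
    """Return findings per (src, host) pair: known-C2 matches and periodic patterns.

    A pair is called periodic when it has at least min_hits connections and the
    standard deviation of the gaps between them is at most max_jitter of the mean.
    """
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_pair[(rec["src"], rec["host"])].append(rec["ts"])

    findings = []
    for (src, host), times in by_pair.items():
        reasons = []
        if host in IOC_DOMAINS:
            reasons.append("known C2 domain")
        times.sort()
        if len(times) >= min_hits:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
                reasons.append("periodic: ~%ds interval over %d connections" % (mean, len(times)))
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# Constructed sample: one host beaconing roughly every 60 s to the reported domain,
# plus ordinary irregular traffic that should not be flagged.
SAMPLE_LOG = [
    "2024-05-02T10:00:00Z 10.1.2.3 aes-secure.net 443 200",
    "2024-05-02T10:00:00Z 10.1.2.3 intranet.corp.local 443 200",
    "2024-05-02T10:00:05Z 10.1.2.3 intranet.corp.local 443 200",
    "2024-05-02T10:01:02Z 10.1.2.3 aes-secure.net 443 200",
    "2024-05-02T10:02:00Z 10.1.2.3 aes-secure.net 443 200",
    "2024-05-02T10:02:59Z 10.1.2.3 aes-secure.net 443 200",
    "2024-05-02T10:03:00Z 10.1.2.3 intranet.corp.local 443 200",
    "2024-05-02T10:03:01Z 10.1.2.3 intranet.corp.local 443 200",
    "2024-05-02T10:04:01Z 10.1.2.3 aes-secure.net 443 200",
    "2024-05-02T10:05:00Z 10.1.2.3 aes-secure.net 443 200",
    "2024-05-02T10:07:00Z 10.1.2.3 updates.example.com 443 200",
    "2024-05-02T10:20:00Z 10.1.2.3 intranet.corp.local 443 200",
    "this line is not a log record",
]

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

The indicator match is exact and will go stale as infrastructure rotates; the periodicity check is what keeps catching a loader like RemotePELoader once the domain changes, at the cost of false positives from legitimate pollers (update checks, health probes), which is why the output is a hunting lead rather than an alert on its own.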