
"The North Korea-linked threat actor known as the Lazarus Group has been attributed to a social engineering campaign that distributes three different pieces of cross-platform malware called PondRAT, ThemeForestRAT, and RemotePE. The attack, observed by NCC Group's Fox-IT in 2024, targeted an organization in the decentralized finance (DeFi) sector, ultimately leading to the compromise of an employee's system. "From there, the actor performed discovery from inside the network using different RATs in combination with other tools, for example, to harvest credentials or proxy connections,""
"Although the exact initial access vector is currently not known, the foothold is leveraged to deploy a loader called PerfhLoader, which then drops PondRAT, a known malware assessed to be a stripped-down variant of POOLRAT (aka SIMPLESEA). The cybersecurity company said there is some evidence to suggest that a then-zero-day exploit in the Chrome browser was used in the attack."
Lazarus Group targeted a decentralized finance organization through a social engineering campaign that distributed three cross-platform RATs: PondRAT, ThemeForestRAT, and RemotePE. The actor impersonated a trading company employee on Telegram and used fake Calendly and Picktime websites to schedule a meeting and gain initial access. A loader called PerfhLoader deployed PondRAT, accompanied by tools such as a screenshotter, keylogger, Chrome credential and cookie stealer, Mimikatz, FRPC, MidProxy and Proxy Mini. Evidence indicates a possible then-zero-day Chrome exploit. The actor performed internal discovery, harvested credentials, proxied connections, and later installed a stealthier RemotePE RAT.
Read at The Hacker News