Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms
Summary
The Lazarus Group, a North Korean state-sponsored hacking collective, is using a cross-platform, memory-only malware known as RemotePE. The malware is delivered through a multi-stage attack chain that relies on two loaders, DPAPILoader and RemotePELoader, and has been observed targeting financial and cryptocurrency firms.
IFF Assessment
The deployment of new malware by a known sophisticated threat actor like the Lazarus Group poses a significant threat to organizations, especially those in the financial and cryptocurrency sectors.
Defender Context
Defenders should be aware of the continued targeting of the financial and crypto sectors by sophisticated threat actors like Lazarus. Memory-only malware like RemotePE makes detection harder: because the payload runs only in process memory, it may leave no persistent artifacts on disk for file-based scanning, so detection depends on endpoint detection and response (EDR) capabilities that cover process memory and behaviour rather than files alone.
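To make the "no artifacts on disk" point concrete, the following is an added defender-side example, not code from the advisory, from the researchers who reported RemotePE, or from any vendor product. It shows one memory-based heuristic that file scanners cannot provide: enumerating a process's memory map and flagging executable regions that are not backed by a file, which is where a reflectively loaded, memory-only payload has to live. It is generic to memory-only implants rather than specific to RemotePE (the page gives no indicators), the Linux /proc/<pid>/maps format is used because it is simple and documented, and the sample map lines, binary paths and inode numbers are constructed for the illustration.

```python
"""
Added illustration (not from the original advisory): a minimal heuristic for
spotting memory-only payloads such as the RemotePE implant described above.
It parses Linux /proc/<pid>/maps lines and flags executable regions that are
not backed by a file on disk. All sample lines and paths are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# One /proc/<pid>/maps line looks like:
# 7f3a2c000000-7f3a2c021000 rwxp 00000000 00:00 0
# address range, permissions, offset, device, inode, optional pathname
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+"
    r"(?P<inode>\d+)"
    r"(?:\s+(?P<path>.*))?$"
)


@dataclass
class Region:
    start: int
    end: int
    perms: str
    inode: int
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    @property
    def file_backed(self) -> bool:
        # A region backed by a real file has a non-zero inode and a path.
        # Anonymous mappings show inode 0 and either no path or a pseudo
        # path in brackets such as [heap] or [stack].
        return self.inode != 0 and bool(self.path) and not self.path.startswith("[")


def parse_maps(lines: Iterable[str]) -> List[Region]:
    """Parse /proc/<pid>/maps text into Region records; skip malformed lines."""
    regions = []
    for line in lines:
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        regions.append(Region(
            start=int(m["start"], 16),
            end=int(m["end"], 16),
            perms=m["perms"],
            inode=int(m["inode"]),
            path=(m["path"] or "").strip(),
        ))
    return regions


def suspicious_regions(regions: Iterable[Region], min_size: int = 4096) -> List[Region]:
    """Return executable regions that have no backing file on disk.

    Writable+executable anonymous memory is the classic sign of a
    reflectively loaded payload; read-only executable anonymous memory is
    still worth noting because a loader can flip permissions after writing.
    JIT runtimes (browsers, .NET, Java) legitimately create such regions, so
    treat hits as leads to correlate with process identity, not as verdicts.
    """
    return [
        r for r in regions
        if r.executable and not r.file_backed and r.size >= min_size
        and r.path not in ("[vdso]", "[vsyscall]")
    ]


# Constructed sample maps output: one ordinary binary, libc, heap, stack,
# the vdso, and one anonymous RWX region standing in for an in-memory implant.
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 1310722 /usr/bin/example
00600000-00601000 rw-p 00000000 08:01 1310722 /usr/bin/example
01a2b000-01a4c000 rw-p 00000000 00:00 0 [heap]
7f3a2bc00000-7f3a2bdc0000 r-xp 00000000 08:01 2621445 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a2c000000-7f3a2c021000 rwxp 00000000 00:00 0
7ffd1e200000-7ffd1e221000 rw-p 00000000 00:00 0 [stack]
7ffd1e2f0000-7ffd1e2f2000 r-xp 00000000 00:00 0 [vdso]
""".splitlines()


def scan_sample() -> List[Region]:
    """Run the heuristic over the constructed sample; expect exactly one hit."""
    return suspicious_regions(parse_maps(SAMPLE_MAPS))


def scan_pid(pid: int) -> List[Region]:
    """Scan a live process on Linux (requires permission to read its maps)."""
    with open(f"/proc/{pid}/maps") as f:
        return suspicious_regions(parse_maps(f))


if __name__ == "__main__":
    for r in scan_sample():
        print(f"{r.start:#x}-{r.end:#x} {r.perms} size={r.size} path={r.path or '<anonymous>'}")
```

Run as a script it reports the single anonymous RWX region from the sample; `scan_pid()` applies the same check to a live process. In practice an EDR would pair this with process lineage (which loader spawned or injected into the process), and would whitelist known JIT hosts, because the raw heuristic fires on legitimate runtimes as well as on reflectively loaded implants.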